[squid-users] rejecting CONNECT if Proxy-Authentication header is sent but not required
Amos Jeffries
squid3 at treenet.co.nz
Wed Oct 12 11:42:40 UTC 2022
On 11/10/22 18:31, Ole Craig wrote:
> I would like to configure Squid with a set of allow-listed domains such
> that unauthenticated CONNECTs to sites within those domains succeed,
> _unless_ the following conditions are met:
>
> * if a client preemptively sends a Proxy-Authenticate header anyway,
> without first receiving a 407
FYI this requirement (taken by itself) would break HTTP authentication.
There are many ways for a client to learn that authentication is
required, some of them are out-of-band and cannot be known by the proxy.
> * _and_ that header is invalid (bad username/password, unsupported
> authN method, &c),
>
... this requirement makes the first requirement irrelevant. Invalid
credentials are *always* supposed to be rejected with 4xx regardless of
whether the client has been seen before or not.
Just use the normal recommended authentication access check(s):
# the usual security protections...
http_access deny CONNECT !SSL_Ports
# require valid credentials
acl auth proxy_auth REQUIRED
http_access deny !auth
acl whitelist dstdomain ...
http_access allow CONNECT whitelist
HTH
Amos
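As an added example (not Amos's own config, nor anything from the Squid project), this is a minimal squid.conf that fills in the definitions his fragment leaves out and keeps the ordering his answer relies on; the authentication helper path, realm, and allow-list file are placeholders, not values from the thread.

```conf
# Added example, not Amos's config. Paths, realm and domain file are placeholders.

# Basic authentication against an htpasswd-style file (assumed path)
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Example proxy
auth_param basic credentialsttl 2 hours

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# http_access is first-match, so the order below is the whole point.
# 1. the usual security protections
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 2. require valid credentials before any allow rule is reached.
#    The last ACL on this deny line is an authentication ACL, so a request
#    with missing or invalid credentials is answered with a 407 challenge
#    rather than a 403; the client is never treated as "seen before".
acl auth proxy_auth REQUIRED
http_access deny !auth

# 3. allow-listed CONNECT targets, one domain per line (assumed file path)
acl whitelist dstdomain "/etc/squid/connect-allowlist.txt"
http_access allow CONNECT whitelist

# 4. everything else is refused
http_access deny all
```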