[squid-users] %LOGIN place in squid 5.8 acls

Amos Jeffries squid3 at treenet.co.nz
Mon Apr 24 09:22:48 UTC 2023


On 24/04/2023 11:33 am, David Touzeau wrote:
> We have a "problem" with ACLs, and I don't know how to address this 
> situation in Squid 5.8
> Let me explain:
> We have an Active Directory group named limited_users that is only 
> allowed to surf on a very limited list of websites.
> These users are therefore forbidden to surf on all sites not listed in 
> allowed_domains
> On the other hand, we have websites in noauth_sites that do not need 
> to be authenticated by squid but are not allowed to be used by the 
> limited_users group
>
> In logic, we would write the following ACLs.
>
> external_acl_type ads_group ttl=3600 negative_ttl=1 concurrency=50 children-startup=1 children-idle=1 children-max=20 ipv4 %LOGIN /lib/squid3/groups.pl
>
> acl limited_users ads_group limited_users

This acl requires both login to succeed and group to match in order to 
return MATCH.


> acl allowed_domains dstdomain siteallowed.com
> acl allowed_domains dstdomain siteallowed.fr
> acl allowed_domains dstdomain siteallowed.ch
>
> acl noauth_sites dstdomain office365.com
>
>
> http_access deny !allowed_domains limited_users all #ACL1
> http_access allow noauth_sites #ACL2
>
> But in this case, accessing office365.com forces Squid to send the 
> 407 Authentication request in order to evaluate limited_users 
> in #ACL1; the second ACL is then not effective because the request is 
> blocked beforehand by the 407.

Sounds correct.

> The %LOGIN switch in the external ACL ads_group activates the 
> identification mode.

Yes.

> If we use the %un switch instead, it works but it becomes the 
> counter: ACL#1 is not processed anymore, since authentication is 
> not requested because the %un switch is too smooth.

Yes. The login does not exist, therefore it has no group.


> What I don't understand is that SQUID is trying to calculate the 
> limited_user object when the first allowed_domain object already 
> returns FALSE.

You configured the "!" (not) operator to invert the match result.
Returning FALSE becomes a MATCH.


> Whatever the result of the objects that follow allowed_domain, the 
> rule will always fail.

Not quite. A request that provides credentials associated with the 
expected group will pass.

> In the case where limited_user is in the first place, the logic is 
> correct.
>
> Two questions:
>
> Is there a way for SQUID to not compute all http_access objects if the 
> first one fails?

No. Because there is more than one HTTP request going on here. Each 
request is independent for Squid.


> What would be the best rule that could meet this goal?

Structure your access lines as such:

   # things not requiring login are checked first
   http_access allow noauth_sites

   # then do the login
   # (assumes an authentication acl such as: acl login proxy_auth REQUIRED)
   http_access deny !login

   # then check things that need login
   # (allowed_domains is the dstdomain acl defined above)
   http_access deny limited_users !allowed_domains


HTH
Amos
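To make the evaluation order concrete, here is a small Python model of http_access semantics, added here as an illustration and not part of the original message or of Squid itself; the users alice/bob, the group lookup and the `login` acl definition are assumptions.

```python
MATCH, NOMATCH, NEED_AUTH = "match", "nomatch", "need_auth"
# Constructed sample data standing in for the thread's acl definitions and for
# the AD lookups done by groups.pl (hypothetical users alice and bob).
ALLOWED_DOMAINS = {"siteallowed.com", "siteallowed.fr", "siteallowed.ch"}
NOAUTH_SITES = {"office365.com"}
GROUPS = {"alice": {"limited_users"}, "bob": {"staff"}}

def check_acl(token, dst, user):
    """One ACL token (leading '!' negates). NEED_AUTH models an ACL that
    needs credentials (proxy_auth, or external with %LOGIN) when the request
    carries none: Squid stops and answers 407, so '!' never applies to it."""
    negate = token.startswith("!")
    name = token.lstrip("!")
    if name == "all":
        r = MATCH
    elif name == "allowed_domains":
        r = MATCH if dst in ALLOWED_DOMAINS else NOMATCH
    elif name == "noauth_sites":
        r = MATCH if dst in NOAUTH_SITES else NOMATCH
    elif name == "login":  # assumed definition: acl login proxy_auth REQUIRED
        r = MATCH if user else NEED_AUTH
    elif name == "limited_users":  # external acl using %LOGIN
        r = NEED_AUTH if user is None else (
            MATCH if "limited_users" in GROUPS.get(user, set()) else NOMATCH)
    else:
        raise ValueError(f"unknown acl {name}")
    if r == NEED_AUTH or not negate:
        return r
    return NOMATCH if r == MATCH else MATCH

def http_access(rules, dst, user=None):
    """A line is an AND of its ACLs, checked left to right and abandoned at
    the first NOMATCH; the first fully matching line wins. With no match,
    Squid applies the opposite of the last line's action."""
    for action, *acls in rules:
        for token in acls:
            r = check_acl(token, dst, user)
            if r == NEED_AUTH:
                return "407"
            if r == NOMATCH:
                break
        else:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The order from the question (#ACL1, #ACL2) and the order suggested in the reply.
ORIGINAL = [("deny", "!allowed_domains", "limited_users", "all"),
            ("allow", "noauth_sites")]
FIXED = [("allow", "noauth_sites"), ("deny", "!login"),
         ("deny", "limited_users", "!allowed_domains")]
```

With ORIGINAL, an unauthenticated request to office365.com reaches limited_users and gets a 407; with FIXED the noauth line matches first and the request is allowed without a challenge.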
