[squid-users] Access based on auth and referer

Dott. Matteo Savatteri matteo.savatteri at unimi.it
Mon Mar 6 08:25:13 UTC 2023


Hi Amos,

thank you for your answer.

Unfortunately, the config you suggested does not seem to work: with 
it, the proxy asks for a password for every site.

I think this is because CONNECT requests naturally do not present the 
Referer header. The special Referer header is only present in subsequent 
requests, those that get ssl-bumped.

This is an example CONNECT request found in logs:


CONNECT pixel.sitescout.com:443 HTTP/1.1
Host: pixel.sitescout.com:443
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.76


How can I solve this? Is it even possible to mix auth-based and 
referer-based access?

Thank you for your patience and your kind help,

Matteo

On 3/6/23 07:34, Amos Jeffries wrote:
> On 5/03/2023 10:44 pm, Dott. Matteo Savatteri wrote:
>>
>> Hello fellow Squid users,
>>
>> we use Squid 3.5 at my company and we want to give access to all 
>> sites to authenticated users. If a user is not authenticated we need 
>> to allow only HTTP/S requests that present a referer header matching 
>> a regex. Is this even possible?
>>
>> I have tried a combination of proxy_auth and referer_regex ACLs with 
>> no results. sslbump is working.
>
> Try these rules:
>
>   # initial security protection
>   http_access deny !Safe_ports
>   http_access deny CONNECT !SSL_ports
>
>   # forbid access to cache manager from non-localhost
>   http_access deny manager !localhost
>   # leave the below commented to require a login for cache manager access
>   # http_access allow manager
>
>   # forbid unauthenticated, except when providing the special Referer header
>   http_access deny !myreferer !password
>
>   # users not denied are allowed
>   http_access allow all
>
>
> Cheers
> Amos

-- 
Dott. Matteo Savatteri

Responsabile Ufficio Piattaforme Tecnologiche
Direzione Servizio Bibliotecario di Ateneo
Università degli Studi di Milano

Address: Via Santa Sofia, 9 20122 MILANO (MI)
Office tel.: 02503 12227
Email: Matteo.Savatteri at unimi.it
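
Added example, not part of the original message and not Squid's own code: a simplified Python model of first-match http_access evaluation for the last two rules quoted above, showing why a CONNECT without a Referer always reaches the password ACL and gets challenged. The Referer pattern, the bumped request, the authenticated CONNECT and the credential check are assumptions constructed for illustration.

```python
import re

# Assumed pattern for the "myreferer" ACL; the thread does not show the real regex.
MYREFERER = re.compile(r"^https://portal\.example\.org/")

class AuthRequired(Exception):
    """A proxy_auth ACL was reached on a request that carries no credentials."""

def myreferer(req):
    return bool(MYREFERER.search(req["headers"].get("Referer", "")))

def password(req):
    # Simplification: any Proxy-Authorization header counts as a valid login.
    if "Proxy-Authorization" not in req["headers"]:
        raise AuthRequired
    return True

# The last two rules of the quoted config; (True, acl) stands for "!acl".
RULES = [
    ("deny", [(True, myreferer), (True, password)]),
    ("allow", []),  # http_access allow all
]

def http_access(req):
    """First matching rule wins; ACLs on a line are ANDed, left to right."""
    for action, acls in RULES:
        try:
            if all(acl(req) != negated for negated, acl in acls):
                return action
        except AuthRequired:
            return "407 challenge"
    return "deny"  # not reached here: the last rule matches everything

# CONNECT as logged in the message above (no Referer, no credentials).
CONNECT_LOGGED = {"method": "CONNECT", "headers": {
    "Host": "pixel.sitescout.com:443", "Proxy-Connection": "keep-alive"}}
# Constructed: a request seen after bumping, carrying the special Referer.
BUMPED_GET = {"method": "GET", "headers": {
    "Host": "pixel.sitescout.com", "Referer": "https://portal.example.org/search"}}
# Constructed: the same CONNECT sent by a logged-in user.
CONNECT_AUTHED = {"method": "CONNECT", "headers": {
    "Host": "pixel.sitescout.com:443", "Proxy-Authorization": "Basic <placeholder>"}}

if __name__ == "__main__":
    for name, req in [("CONNECT (logged)", CONNECT_LOGGED),
                      ("bumped GET + Referer", BUMPED_GET),
                      ("CONNECT + login", CONNECT_AUTHED)]:
        print(f"{name:22} -> {http_access(req)}")
```

In this model the Referer exemption only ever applies to the request inside the tunnel; the CONNECT that opens the tunnel is evaluated first and has nothing to match against.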


