[squid-users] Squid.conf Issues

Piana, Josh Josh.Piana at hexcel.com
Mon Aug 19 15:16:14 UTC 2024


Good morning Squid Support,

I've been setting up a replacement Squid proxy server.

After setting up the backend using realmD, sssd, with Kerberos authentication, I tested with a Windows "squidaduser" account. I can verify the user accounts connection to the proxy, and it is passing traffic. The issue is, it's not being blocked by ANY of the acl's we have in place. I was hoping to reach out to help me identify the issue with the squid.conf file. This is my assumption to be the issue but I am pretty new at using Linux and completely unfamiliar with setting up a web proxy.

Environment:
Squid Cache: Version 5.5
RHEL 9.4 on a HyperV VM
Linux Client Proxy in a Windows AD environment


Below I will post the config and attempt to edit out any relevant company/personal information:

##############################################################################
# General
##############################################################################

max_filedesc 4096
cache_mgr ARCITAdmin at hexcel.com
cache_effective_user squid
cache_effective_group squid
shutdown_lifetime 5 seconds

##############################################################################
# Logging
##############################################################################

# this makes the logs readable to humans
logformat custom %tl.%03tu %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log custom


logfile_rotate 10
debug_options ALL,1
buffered_logs off
cache_log /var/log/squid/general
cache_access_log /var/log/squid/access.log
cache_store_log none
log_mime_hdrs off
strip_query_terms off

##############################################################################
# Network - General/misc
##############################################################################

# our HTTP proxy port
http_port 10.46.11.69:8080
# loopback management
http_port 127.0.0.1:3128

icp_port 0
forwarded_for off

##############################################################################
# Network timeout settings
##############################################################################

connect_timeout 30 seconds
peer_connect_timeout 20 seconds
read_timeout 2 minutes
request_timeout 2 minutes
persistent_request_timeout 30 seconds

##############################################################################
# Configuration of the local cache itself
##############################################################################

cache_dir ufs /var/spool/squid/ 10000 16 256
coredump_dir /var/spool/squid/
cache_replacement_policy heap LFUDA
memory_replacement_policy lru
cache_mem 256 MB
maximum_object_size 32 MB
maximum_object_size_in_memory 512 KB
quick_abort_min 16 KB
quick_abort_max 1 MB
quick_abort_pct 90
range_offset_limit 64 KB

##############################################################################
# Cache control
##############################################################################

acl no_cache_url url_regex -i "/etc/squid/no_cache_url"
cache deny no_cache_url

##############################################################################
# Authentication
##############################################################################

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/<domain>.ad.<domain>.com at AD.<domain>.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth

##############################################################################
# Access control - shared/common ACL definitions
##############################################################################

# acl all src all
acl src_self src 127.0.0.0/8
acl src_self src 10.46.11.69
acl dst_self dst 127.0.0.0/8
acl dst_self dst 10.46.11.69
acl from_arc src 10.46.0.0/15
acl local_dst_addr dst 10.0.0.0/8
acl local_dst_addr dst bldg3.<domain>.com
acl local_dst_addr dst bldg5.<domain>.com
acl local_dst_dom dstdomain <domain>
acl proto_FTP proto FTP
acl proto_HTTP proto HTTP
acl localnet src 10.46.49.0/24
acl localnet src 10.47.49.0/24

acl http_ports port 80
acl http_ports port 81
acl http_ports port 8001
acl http_ports port 8080

acl Ssl_ports port 443
acl Ssl_ports port 9571
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443

acl ssh_ports port 22
acl ftp_ports port 21
http_access deny !Safe_ports
acl method_CONNECT method CONNECT
dsacl methods_std method GET HEAD POST PUT DELETE
acl methods_std method TRACE OPTIONS

##############################################################################
# Access control - maintenance
##############################################################################

acl purge method PURGE
http_access allow purge src_self
http_access deny purge
acl cache_manager proto cache_object
cachemgr_passwd disabled shutdown offline_toggle
cachemgr_passwd none all
http_access allow cache_manager src_self
http_access deny cache_manager

#############################################################################
# Access control - general proxy
##############################################################################

http_access deny dst_self
http_access deny src_self
http_access deny !from_arc
http_access       allow local_dst_dom
http_reply_access           allow local_dst_dom
http_access       allow local_dst_addr
http_reply_access           allow local_dst_addr
acl authless_src src "/etc/squid/authless_src"
http_access       allow authless_src
http_reply_access           allow authless_src
acl authless_dst dstdomain "/etc/squid/authless_dst"
http_access       allow authless_dst
http_reply_access           allow authless_dst
acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
http_access deny bad_domains_preauth

acl block_user proxy_auth_regex -i "/etc/squid/block_user"
http_access deny block_user
acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
acl exec_files url_regex -i "/etc/squid/exec_files"
acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
http_access deny !bad_exception_urls !exec_users exec_files
deny_info ERR_BLOCK_TYPE exec_files
acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
http_access       allow methods_std    proto_HTTP http_ports mmedia_sites mmedia_users
http_reply_access allow methods_std    proto_HTTP http_ports mmedia_sites mmedia_users
http_access       allow method_CONNECT            ssl_ports  mmedia_sites mmedia_users
http_reply_access allow method_CONNECT            ssl_ports  mmedia_sites mmedia_users

acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny !bad_exception_urls bad_domains
deny_info ERR_BLOCK_DST         bad_domains
acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
http_access deny !bad_exception_urls bad_domains_regex
deny_info ERR_BLOCK_DST         bad_domains_regex
acl bad_urls url_regex -i "/etc/squid/bad_urls"
http_access deny !bad_exception_urls bad_urls
deny_info ERR_BLOCK_DST         bad_urls
acl bad_files urlpath_regex -i "/etc/squid/bad_files"
http_access deny !bad_exception_urls bad_files
deny_info ERR_BLOCK_TYPE bad_files
acl bad_types rep_mime_type -i "/etc/squid/bad_types"
http_reply_access deny bad_types !bad_exception_urls
deny_info ERR_BLOCK_TYPE bad_types

acl fsoguest_user proxy_auth_regex -i fsoguest
acl fsoguest_dst dstdomain .opm.gov
acl fsoguest_dst dstdomain .google-analytics.com
acl fsoguest_dst dstdomain pki.google.com
acl fsoguest_dst dstdomain ajax.googleapis.com
acl fsoguest_dst dstdomain fonts.googleapis.com
acl fsoguest_dst dstdomain html5shiv.googlecode.com
acl fsoguest_dst dstdomain fonts.gstatic.com
acl fsoguest_dst dstdomain clients1.google.com
acl fsoguest_dst dstdomain ajax.microsoft.com
acl fsoguest_dst dstdomain ajax.aspnetcdn.com
acl fsoguest_dst dstdomain .geotrust.com
acl fsoguest_dst dstdomain .akamaihd.net
acl fsoguest_dst dstdomain symcd.com
http_access allow methods_std proto_HTTP http_ports fsoguest_dst fsoguest_user
http_access allow method_CONNECT         ssl_ports  fsoguest_dst fsoguest_user
http_access deny fsoguest_user

http_access allow http_ports proto_HTTP methods_std
http_access allow method_CONNECT ssl_ports
http_access deny method_CONNECT

http_access allow ftp_ports proto_FTP
http_access deny all
http_reply_access allow all

##############################################################################
# END OF FILE
##############################################################################
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240819/8c2231b8/attachment-0001.htm>


More information about the squid-users mailing list