[squid-users] Squid.conf Issues
Alex Rousskov
rousskov at measurement-factory.com
Mon Aug 19 16:11:32 UTC 2024
On 2024-08-19 11:16, Piana, Josh wrote:
> After setting up the backend using realmD, sssd, with Kerberos
> authentication, I tested with a Windows “squidaduser” account. I can
> verify the user accounts connection to the proxy, and it is passing
> traffic. The issue is, it’s not being blocked by ANY of the acl’s we
> have in place. I was hoping to reach out to help me identify the issue
> with the squid.conf file. This is my assumption to be the issue but I am
> pretty new at using Linux and completely unfamiliar with setting up a
> web proxy.
In most cases, when Squid does not block, it allows. Squid allows when
an "http_access allow" rule matches. Now look at _all_ of your
http_access rules and ask yourself: Which "http_access allow" rule
matches in my test case?
I do not know enough about your test logic, so I can only speculate that
the answer to that question is "It is the very first http_access rule!":
http_access allow kerb-auth
In other words, your configuration allows all authenticated clients. In
other words, it does not block any authenticated clients. Is that what
you want?
HTH,
Alex.
> Environment:
>
> Squid Cache: Version 5.5
> RHEL 9.4 on a HyperV VM
> Linux Client Proxy in a Windows AD environment
>
> Below I will post the config and attempt to edit out any relevant
> company/personal information:
>
> ##############################################################################
> # General
> ##############################################################################
> max_filedesc 4096
> cache_mgr ARCITAdmin at hexcel.com
> cache_effective_user squid
> cache_effective_group squid
> shutdown_lifetime 5 seconds
>
> ##############################################################################
> # Logging
> ##############################################################################
> # this makes the logs readable to humans
> logformat custom %tl.%03tu %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
> access_log daemon:/var/log/squid/access.log custom
> logfile_rotate 10
> debug_options ALL,1
> buffered_logs off
> cache_log /var/log/squid/general
> cache_access_log /var/log/squid/access.log
> cache_store_log none
> log_mime_hdrs off
> strip_query_terms off
>
> ##############################################################################
> # Network - General/misc
> ##############################################################################
> # our HTTP proxy port
> http_port 10.46.11.69:8080
> # loopback management
> http_port 127.0.0.1:3128
> icp_port 0
> forwarded_for off
>
> ##############################################################################
> # Network timeout settings
> ##############################################################################
> connect_timeout 30 seconds
> peer_connect_timeout 20 seconds
> read_timeout 2 minutes
> request_timeout 2 minutes
> persistent_request_timeout 30 seconds
>
> ##############################################################################
> # Configuration of the local cache itself
> ##############################################################################
> cache_dir ufs /var/spool/squid/ 10000 16 256
> coredump_dir /var/spool/squid/
> cache_replacement_policy heap LFUDA
> memory_replacement_policy lru
> cache_mem 256 MB
> maximum_object_size 32 MB
> maximum_object_size_in_memory 512 KB
> quick_abort_min 16 KB
> quick_abort_max 1 MB
> quick_abort_pct 90
> range_offset_limit 64 KB
>
> ##############################################################################
> # Cache control
> ##############################################################################
> acl no_cache_url url_regex -i "/etc/squid/no_cache_url"
> cache deny no_cache_url
>
> ##############################################################################
> # Authentication
> ##############################################################################
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/<domain>.ad.<domain>.com@AD.<domain>.COM
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> acl kerb-auth proxy_auth REQUIRED
> http_access allow kerb-auth
>
> ##############################################################################
> # Access control - shared/common ACL definitions
> ##############################################################################
> # acl all src all
> acl src_self src 127.0.0.0/8
> acl src_self src 10.46.11.69
> acl dst_self dst 127.0.0.0/8
> acl dst_self dst 10.46.11.69
> acl from_arc src 10.46.0.0/15
> acl local_dst_addr dst 10.0.0.0/8
> acl local_dst_addr dst bldg3.<domain>.com
> acl local_dst_addr dst bldg5.<domain>.com
> acl local_dst_dom dstdomain <domain>
> acl proto_FTP proto FTP
> acl proto_HTTP proto HTTP
> acl localnet src 10.46.49.0/24
> acl localnet src 10.47.49.0/24
> acl http_ports port 80
> acl http_ports port 81
> acl http_ports port 8001
> acl http_ports port 8080
> acl Ssl_ports port 443
> acl Ssl_ports port 9571
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl ssh_ports port 22
> acl ftp_ports port 21
> http_access deny !Safe_ports
> acl method_CONNECT method CONNECT
> acl methods_std method GET HEAD POST PUT DELETE
> acl methods_std method TRACE OPTIONS
>
> ##############################################################################
> # Access control - maintenance
> ##############################################################################
> acl purge method PURGE
> http_access allow purge src_self
> http_access deny purge
> acl cache_manager proto cache_object
> cachemgr_passwd disabled shutdown offline_toggle
> cachemgr_passwd none all
> http_access allow cache_manager src_self
> http_access deny cache_manager
>
> ##############################################################################
> # Access control - general proxy
> ##############################################################################
> http_access deny dst_self
> http_access deny src_self
> http_access deny !from_arc
> http_access allow local_dst_dom
> http_reply_access allow local_dst_dom
> http_access allow local_dst_addr
> http_reply_access allow local_dst_addr
> acl authless_src src "/etc/squid/authless_src"
> http_access allow authless_src
> http_reply_access allow authless_src
> acl authless_dst dstdomain "/etc/squid/authless_dst"
> http_access allow authless_dst
> http_reply_access allow authless_dst
> acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
> http_access deny bad_domains_preauth
> acl block_user proxy_auth_regex -i "/etc/squid/block_user"
> http_access deny block_user
> acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
> acl exec_files url_regex -i "/etc/squid/exec_files"
> acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
> http_access deny !bad_exception_urls !exec_users exec_files
> deny_info ERR_BLOCK_TYPE exec_files
> acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
> acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
> http_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
> http_reply_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
> http_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
> http_reply_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
> acl bad_domains dstdomain "/etc/squid/bad_domains"
> http_access deny !bad_exception_urls bad_domains
> deny_info ERR_BLOCK_DST bad_domains
> acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
> http_access deny !bad_exception_urls bad_domains_regex
> deny_info ERR_BLOCK_DST bad_domains_regex
> acl bad_urls url_regex -i "/etc/squid/bad_urls"
> http_access deny !bad_exception_urls bad_urls
> deny_info ERR_BLOCK_DST bad_urls
> acl bad_files urlpath_regex -i "/etc/squid/bad_files"
> http_access deny !bad_exception_urls bad_files
> deny_info ERR_BLOCK_TYPE bad_files
> acl bad_types rep_mime_type -i "/etc/squid/bad_types"
> http_reply_access deny bad_types !bad_exception_urls
> deny_info ERR_BLOCK_TYPE bad_types
> acl fsoguest_user proxy_auth_regex -i fsoguest
> acl fsoguest_dst dstdomain .opm.gov
> acl fsoguest_dst dstdomain .google-analytics.com
> acl fsoguest_dst dstdomain pki.google.com
> acl fsoguest_dst dstdomain ajax.googleapis.com
> acl fsoguest_dst dstdomain fonts.googleapis.com
> acl fsoguest_dst dstdomain html5shiv.googlecode.com
> acl fsoguest_dst dstdomain fonts.gstatic.com
> acl fsoguest_dst dstdomain clients1.google.com
> acl fsoguest_dst dstdomain ajax.microsoft.com
> acl fsoguest_dst dstdomain ajax.aspnetcdn.com
> acl fsoguest_dst dstdomain .geotrust.com
> acl fsoguest_dst dstdomain .akamaihd.net
> acl fsoguest_dst dstdomain symcd.com
> http_access allow methods_std proto_HTTP http_ports fsoguest_dst fsoguest_user
> http_access allow method_CONNECT ssl_ports fsoguest_dst fsoguest_user
> http_access deny fsoguest_user
> http_access allow http_ports proto_HTTP methods_std
> http_access allow method_CONNECT ssl_ports
> http_access deny method_CONNECT
> http_access allow ftp_ports proto_FTP
> http_access deny all
> http_reply_access allow all
>
> ##############################################################################
> # END OF FILE
> ##############################################################################
>
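The first-match behaviour Alex describes is easy to see in a toy evaluator. The following is an added example, not code from the squid-users thread or from the Squid project: it models a handful of the ACL types used in the posted config (proxy_auth, src, port, dstdomain) with a constructed blocked domain, and walks an http_access rule list the way Squid does, stopping at the first rule whose ACLs all match. It then compares the posted ordering (auth allow first) with an ordering that requires authentication with `deny !kerb-auth` and lets the later deny rules run. The 407 challenge, http_reply_access and the other ACL types are not modelled.

```python
"""Toy first-match evaluator for Squid http_access rules (added example).

Squid walks http_access rules top to bottom; the first rule whose ACLs
*all* match decides the request. Only proxy_auth, src, port and dstdomain
are modelled here, and an unauthenticated request is simply treated as
"proxy_auth does not match" (real Squid would send a 407 challenge).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    src: str              # client IP
    dst: str              # destination host
    port: int
    method: str
    user: Optional[str]   # authenticated user name, None if none

# ACL definitions: name -> (type, values). A constructed subset of the
# posted config; ".badexample.test" stands in for an entry of bad_domains.
ACLS = {
    "kerb-auth":   ("proxy_auth", ["REQUIRED"]),
    "Safe_ports":  ("port", [80, 21, 443]),
    "from_arc":    ("src", ["10.46.0.0/15"]),
    "bad_domains": ("dstdomain", [".badexample.test"]),
    "http_ports":  ("port", [80, 81, 8001, 8080]),
    "all":         ("src", ["0.0.0.0/0"]),
}

def acl_matches(name: str, req: Request) -> bool:
    """Evaluate one ACL reference, honouring a leading '!' negation."""
    negate = name.startswith("!")
    atype, values = ACLS[name.lstrip("!")]
    if atype == "proxy_auth":
        hit = req.user is not None
    elif atype == "port":
        hit = req.port in values
    elif atype == "src":
        ip = ipaddress.ip_address(req.src)
        hit = any(ip in ipaddress.ip_network(v) for v in values)
    elif atype == "dstdomain":
        host = req.dst.lower()
        # ".example.com" matches the domain and its subdomains; a bare
        # name matches only itself.
        hit = any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                  for v in values)
    else:
        raise ValueError(f"unsupported acl type {atype}")
    return hit != negate

def http_access(rules, req: Request) -> str:
    """First matching rule wins. If no rule matches, Squid applies the
    opposite of the last rule's action; modelled the same way here."""
    for action, *acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Rule order as posted: the authentication allow comes first, so every
# authenticated request is decided there and never reaches the deny rules.
POSTED = [
    ("allow", "kerb-auth"),
    ("deny", "!Safe_ports"),
    ("deny", "!from_arc"),
    ("deny", "bad_domains"),
    ("allow", "http_ports"),
    ("deny", "all"),
]

# Same ACLs, but authentication is *required* rather than rewarded:
# unauthenticated requests are denied, authenticated ones continue down
# the list and can still be blocked by the later deny rules.
FIXED = [
    ("deny", "!Safe_ports"),
    ("deny", "!from_arc"),
    ("deny", "!kerb-auth"),
    ("deny", "bad_domains"),
    ("allow", "http_ports"),
    ("deny", "all"),
]

def verdicts(rules) -> dict:
    """Decide three constructed requests against a rule list."""
    bad = Request("10.46.11.70", "www.badexample.test", 80, "GET", "squidaduser")
    normal = Request("10.46.11.70", "www.example.com", 80, "GET", "squidaduser")
    noauth = Request("10.46.11.70", "www.example.com", 80, "GET", None)
    return {
        "bad_domain": http_access(rules, bad),
        "normal": http_access(rules, normal),
        "unauthenticated": http_access(rules, noauth),
    }

if __name__ == "__main__":
    print("posted:", verdicts(POSTED))   # bad_domain: allow (first rule wins)
    print("fixed: ", verdicts(FIXED))    # bad_domain: deny
```

With the posted ordering the blocked domain is allowed because `allow kerb-auth` matches before `deny bad_domains` is ever consulted; with `deny !kerb-auth` in its place, the same authenticated request falls through to the deny rule. Rule order, not the ACL definitions, is what decides.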