[squid-users] Squid.conf Issues

Alex Rousskov rousskov at measurement-factory.com
Mon Aug 19 20:15:06 UTC 2024


On 2024-08-19 13:48, Piana, Josh wrote:

> I added "http_access allow kerb-auth" as part of the generic
> authentication settings.
> 
> We still want authenticated users to access but we want the rules and
> ACL's prior to that to catch them first.

If you want http_access rule X to be checked before http_access rule Y, 
you have to list X above Y in squid.conf: Squid checks all http_access 
directives one by one, top to bottom. At the first match, Squid applies 
the matched action ("allow" or "deny") and does not check any 
other/lower http_access rules.


> I apologize, I'm quite new with Linux. Should I move that parameter
> to near the end of the config file or remove it all together?

FWIW, these access controls are not Linux-specific. I cannot tell you 
what http_access order is correct because I do not know what "We want 
authenticated users to access but we want to catch them first" means to 
you in terms of actual access rules. There are many ways to interpret 
that phrase...

In general, rules that do not depend on whether a user is authenticated 
should go above the rules that do depend (or require) authentication. 
This principle avoids needless authentication of potentially malicious 
requests. FWIW, squid.conf.default has http_access order template that 
work for most use cases; you may want to start with that template rather 
than starting from scratch.

For example, if an "allow authless_dst" rule is meant to apply to both 
already-authenticated and not-yet-authenticated requests, then it 
probably should go above the "allow kerb-auth" rule (which triggers 
authentication), but there are many other ways these two rules may 
interact. I cannot tell which order matches your access policies/desires.


HTH,

Alex.


> -----Original Message-----
> From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Alex Rousskov
> Sent: Monday, August 19, 2024 12:12 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid.conf Issues
> 
> Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.
> 
> 
> On 2024-08-19 11:16, Piana, Josh wrote:
> 
>> After setting up the backend using realmD, sssd, with Kerberos
>> authentication, I tested with a Windows “squidaduser” account. I can
>> verify the user accounts connection to the proxy, and it is passing
>> traffic. The issue is, it’s not being blocked by ANY of the acl’s we
>> have in place. I was hoping to reach out to help me identify the issue
>> with the squid.conf file. This is my assumption to be the issue but I
>> am pretty new at using Linux and completely unfamiliar with setting up
>> a web proxy.
> 
> In most cases, when Squid does not block, it allows. Squid allows when an "http_access allow" rule matches. Now look at _all_ of your http_access rules and ask yourself: Which "http_access allow" rule matches in my test case?
> 
> I do not know enough about your test logic, so I can only speculate that the answer to that question is "It is the very first http_access rule!":
> 
>       http_access allow kerb-auth
> 
> In other words, your configuration allows all authenticated clients. In other words, it does not block any authenticated clients. Is that what you want?
> 
> 
> HTH,
> 
> Alex.
> 
> 
> 
>> Environment:
>>
>> Squid Cache: Version 5.5
>>
>> RHEL 9.4 on a HyperV VM
>>
>> Linux Client Proxy in a Windows AD environment
>>
>> Below I will post the config and attempt to edit out any relevant
>> company/personal information:
>>
>> ######################################################################
>> ########
>>
>> # General
>>
>> ######################################################################
>> ########
>>
>> max_filedesc 4096
>>
>> cache_mgr ARCITAdmin at hexcel.com
>>
>> cache_effective_user squid
>>
>> cache_effective_group squid
>>
>> shutdown_lifetime 5 seconds
>>
>> ######################################################################
>> ########
>>
>> # Logging
>>
>> ######################################################################
>> ########
>>
>> # this makes the logs readable to humans
>>
>> logformat custom %tl.%03tu %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a
>> %mt
>>
>> access_log daemon:/var/log/squid/access.log custom
>>
>> logfile_rotate 10
>>
>> debug_options ALL,1
>>
>> buffered_logs off
>>
>> cache_log /var/log/squid/general
>>
>> cache_access_log /var/log/squid/access.log
>>
>> cache_store_log none
>>
>> log_mime_hdrs off
>>
>> strip_query_terms off
>>
>> ######################################################################
>> ########
>>
>> # Network - General/misc
>>
>> ######################################################################
>> ########
>>
>> # our HTTP proxy port
>>
>> http_port 10.46.11.69:8080
>>
>> # loopback management
>>
>> http_port 127.0.0.1:3128
>>
>> icp_port 0
>>
>> forwarded_for off
>>
>> ######################################################################
>> ########
>>
>> # Network timeout settings
>>
>> ######################################################################
>> ########
>>
>> connect_timeout 30 seconds
>>
>> peer_connect_timeout 20 seconds
>>
>> read_timeout 2 minutes
>>
>> request_timeout 2 minutes
>>
>> persistent_request_timeout 30 seconds
>>
>> ######################################################################
>> ########
>>
>> # Configuration of the local cache itself
>>
>> ######################################################################
>> ########
>>
>> cache_dir ufs /var/spool/squid/ 10000 16 256
>>
>> coredump_dir /var/spool/squid/
>>
>> cache_replacement_policy heap LFUDA
>>
>> memory_replacement_policy lru
>>
>> cache_mem 256 MB
>>
>> maximum_object_size 32 MB
>>
>> maximum_object_size_in_memory 512 KB
>>
>> quick_abort_min 16 KB
>>
>> quick_abort_max 1 MB
>>
>> quick_abort_pct 90
>>
>> range_offset_limit 64 KB
>>
>> ######################################################################
>> ########
>>
>> # Cache control
>>
>> ######################################################################
>> ########
>>
>> acl no_cache_url url_regex -i "/etc/squid/no_cache_url"
>>
>> cache deny no_cache_url
>>
>> ######################################################################
>> ########
>>
>> # Authentication
>>
>> ######################################################################
>> ########
>>
>> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
>> -k /etc/squid/HTTP.keytab -s
>> HTTP/<domain>.ad.<domain>.com at AD.<domain>.COM
>>
>> auth_param negotiate children 10
>>
>> auth_param negotiate keep_alive on
>>
>> acl kerb-auth proxy_auth REQUIRED
>>
>> http_access allow kerb-auth
>>
>> ######################################################################
>> ########
>>
>> # Access control - shared/common ACL definitions
>>
>> ######################################################################
>> ########
>>
>> # acl all src all
>>
>> acl src_self src 127.0.0.0/8
>>
>> acl src_self src 10.46.11.69
>>
>> acl dst_self dst 127.0.0.0/8
>>
>> acl dst_self dst 10.46.11.69
>>
>> acl from_arc src 10.46.0.0/15
>>
>> acl local_dst_addr dst 10.0.0.0/8
>>
>> acl local_dst_addr dst bldg3.<domain>.com
>>
>> acl local_dst_addr dst bldg5.<domain>.com
>>
>> acl local_dst_dom dstdomain <domain>
>>
>> acl proto_FTP proto FTP
>>
>> acl proto_HTTP proto HTTP
>>
>> acl localnet src 10.46.49.0/24
>>
>> acl localnet src 10.47.49.0/24
>>
>> acl http_ports port 80
>>
>> acl http_ports port 81
>>
>> acl http_ports port 8001
>>
>> acl http_ports port 8080
>>
>> acl Ssl_ports port 443
>>
>> acl Ssl_ports port 9571
>>
>> acl SSL_ports port 443
>>
>> acl Safe_ports port 80
>>
>> acl Safe_ports port 21
>>
>> acl Safe_ports port 443
>>
>> acl ssh_ports port 22
>>
>> acl ftp_ports port 21
>>
>> http_access deny !Safe_ports
>>
>> acl method_CONNECT method CONNECT
>>
>> dsacl methods_std method GET HEAD POST PUT DELETE
>>
>> acl methods_std method TRACE OPTIONS
>>
>> ######################################################################
>> ########
>>
>> # Access control - maintenance
>>
>> ######################################################################
>> ########
>>
>> acl purge method PURGE
>>
>> http_access allow purge src_self
>>
>> http_access deny purge
>>
>> acl cache_manager proto cache_object
>>
>> cachemgr_passwd disabled shutdown offline_toggle
>>
>> cachemgr_passwd none all
>>
>> http_access allow cache_manager src_self
>>
>> http_access deny cache_manager
>>
>> ######################################################################
>> #######
>>
>> # Access control - general proxy
>>
>> ######################################################################
>> ########
>>
>> http_access deny dst_self
>>
>> http_access deny src_self
>>
>> http_access deny !from_arc
>>
>> http_access       allow local_dst_dom
>>
>> http_reply_access           allow local_dst_dom
>>
>> http_access       allow local_dst_addr
>>
>> http_reply_access           allow local_dst_addr
>>
>> acl authless_src src "/etc/squid/authless_src"
>>
>> http_access       allow authless_src
>>
>> http_reply_access           allow authless_src
>>
>> acl authless_dst dstdomain "/etc/squid/authless_dst"
>>
>> http_access       allow authless_dst
>>
>> http_reply_access           allow authless_dst
>>
>> acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
>>
>> http_access deny bad_domains_preauth
>>
>> acl block_user proxy_auth_regex -i "/etc/squid/block_user"
>>
>> http_access deny block_user
>>
>> acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
>>
>> acl exec_files url_regex -i "/etc/squid/exec_files"
>>
>> acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
>>
>> http_access deny !bad_exception_urls !exec_users exec_files
>>
>> deny_info ERR_BLOCK_TYPE exec_files
>>
>> acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
>>
>> acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
>>
>> http_access       allow methods_std    proto_HTTP http_ports
>> mmedia_sites mmedia_users
>>
>> http_reply_access allow methods_std    proto_HTTP http_ports
>> mmedia_sites mmedia_users
>>
>> http_access       allow method_CONNECT            ssl_ports
>> mmedia_sites mmedia_users
>>
>> http_reply_access allow method_CONNECT            ssl_ports
>> mmedia_sites mmedia_users
>>
>> acl bad_domains dstdomain "/etc/squid/bad_domains"
>>
>> http_access deny !bad_exception_urls bad_domains
>>
>> deny_info ERR_BLOCK_DST         bad_domains
>>
>> acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
>>
>> http_access deny !bad_exception_urls bad_domains_regex
>>
>> deny_info ERR_BLOCK_DST         bad_domains_regex
>>
>> acl bad_urls url_regex -i "/etc/squid/bad_urls"
>>
>> http_access deny !bad_exception_urls bad_urls
>>
>> deny_info ERR_BLOCK_DST         bad_urls
>>
>> acl bad_files urlpath_regex -i "/etc/squid/bad_files"
>>
>> http_access deny !bad_exception_urls bad_files
>>
>> deny_info ERR_BLOCK_TYPE bad_files
>>
>> acl bad_types rep_mime_type -i "/etc/squid/bad_types"
>>
>> http_reply_access deny bad_types !bad_exception_urls
>>
>> deny_info ERR_BLOCK_TYPE bad_types
>>
>> acl fsoguest_user proxy_auth_regex -i fsoguest
>>
>> acl fsoguest_dst dstdomain .opm.gov
>>
>> acl fsoguest_dst dstdomain .google-analytics.com
>>
>> acl fsoguest_dst dstdomain pki.google.com
>>
>> acl fsoguest_dst dstdomain ajax.googleapis.com
>>
>> acl fsoguest_dst dstdomain fonts.googleapis.com
>>
>> acl fsoguest_dst dstdomain html5shiv.googlecode.com
>>
>> acl fsoguest_dst dstdomain fonts.gstatic.com
>>
>> acl fsoguest_dst dstdomain clients1.google.com
>>
>> acl fsoguest_dst dstdomain ajax.microsoft.com
>>
>> acl fsoguest_dst dstdomain ajax.aspnetcdn.com
>>
>> acl fsoguest_dst dstdomain .geotrust.com
>>
>> acl fsoguest_dst dstdomain .akamaihd.net
>>
>> acl fsoguest_dst dstdomain symcd.com
>>
>> http_access allow methods_std proto_HTTP http_ports fsoguest_dst
>> fsoguest_user
>>
>> http_access allow method_CONNECT         ssl_ports  fsoguest_dst
>> fsoguest_user
>>
>> http_access deny fsoguest_user
>>
>> http_access allow http_ports proto_HTTP methods_std
>>
>> http_access allow method_CONNECT ssl_ports
>>
>> http_access deny method_CONNECT
>>
>> http_access allow ftp_ports proto_FTP
>>
>> http_access deny all
>>
>> http_reply_access allow all
>>
>> ######################################################################
>> ########
>>
>> # END OF FILE
>>
>> ######################################################################
>> ########
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://list/
>> s.squid-cache.org%2Flistinfo%2Fsquid-users&data=05%7C02%7Cjosh.piana%4
>> 0hexcel.com%7C5d5a04837ae140f50c6908dcc0699c20%7C4248050df19546d5ac9c0
>> c7c52b04cae%7C0%7C0%7C638596807060587199%7CUnknown%7CTWFpbGZsb3d8eyJWI
>> joiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7
>> C%7C&sdata=pFmtS4HPHBRLFvcthpxiXT8mgF7mmpsGfQYF1wlivJo%3D&reserved=0
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users



More information about the squid-users mailing list