[squid-users] can't explain 403 denied for authenticated

Amos Jeffries squid3 at treenet.co.nz
Thu Jun 6 04:04:18 UTC 2024 

Free config audit inline ...

On 6/06/24 05:24, Kevin wrote:
> 
> Understood.   Here it is:
> 
> 
> acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
> acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
> acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> acl windows_net src 172.18.114.0/24
> acl sample_host src 172.18.115.1/32
> acl rsync port 873

You can remove the above line. This "rsync" ACL is unused and the port 
is added directly to the SSL_Ports and Safe_ports.


> acl SSL_ports port 443
> acl SSL_ports port 873		#873 is rsync
> acl Safe_ports port 80		# http
> acl Safe_ports port 21		# ftp
> acl Safe_ports port 443		# https
> acl Safe_ports port 70		# gopher
> acl Safe_ports port 210		# wais
> acl Safe_ports port 1025-65535	# unregistered ports
> acl Safe_ports port 280		# http-mgmt
> acl Safe_ports port 488		# gss-http
> acl Safe_ports port 591		# filemaker
> acl Safe_ports port 777		# multiling http
> acl Safe_ports port 873
> acl CONNECT method CONNECT

You can remove the above line. "CONNECT" is a built-in ACL.


> acl PURGE method PURGE

Your proxy is configured with "cache deny all" preventing anything being 
stored.

As such you can improve performance somewhat by removing the "acl PURGE" 
and all config below that uses it.


> acl localhost src 127.0.0.1

You can remove the above line. "localhost" is a built-in ACL.


> http_access allow PURGE localhost
> http_access deny PURGE
> acl URN proto URN
> http_access deny URN
> http_access deny manager
> acl API_FIREFOX dstdomain api.profiler.firefox.com
> http_access deny API_FIREFOX
> acl ff_browser browser ^Mozilla/5\.0
> acl rma_ua browser ^RMA/1\.0.*compatible;.RealMedia
> uri_whitespace encode

Hmm. Accepting whitespace in URLs is a risky choice. One can never be 
completely sure how third-party agents in the network are handling it 
before the request arrived.

If (big IF) you are able to use "uri_whitespace deny" this proxy would 
be a bit more secure. This is just a suggestion, you know best here.


> acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com
> http_access deny trellix_phone_cloud
> external_acl_type host_based_filter children-max=15 ttl=0 %ACL %DATA %SRC %>rd %>rP  /PATH/TO/FILTER/SCRIPT.py
> acl HostBasedRules external host_based_filter
> http_access allow HostBasedRules
> auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
> auth_param digest realm squid
> auth_param digest children 2
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/basic_passwd
> auth_param basic children 2
> auth_param basic realm squidb
> auth_param basic credentialsttl 2 hours

> acl auth_users proxy_auth REQUIRED
> external_acl_type custom_acl_db children-max=15 ttl=0 %ACL %DATA %ul %SRC %>rd %>rP %credentials /PATH/TO/FILTER/SCRIPT.py
> acl CustomAclDB external custom_acl_db
> http_access allow CustomAclDB


Hmm, this use of combined authentication+authorization is a bit tricky 
with two layers of asynchronous helper lookups going on. That alone 
might be what is going on with the weird 403's.


A better sequence would be:

  # ensure login is performed
  http_access deny !auth_users

  # check the access permissions for whichever user logged in
  http_access allow CustomAclDB


> acl CRLs url_regex "/etc/squid/conf.d/CRL_urls.txt"
> http_access allow CRLs
> deny_info 303:https://abc.def.com/


FYI; deny_info is a way to customize what happens when the "deny" action 
is performed an a specific ACL match.

The above deny_info line does nothing unless you name which ACL(s) it is 
to become the action for and also those ACLs are used in a "deny" rule.

For example:

  acl redirect_HTTPS url_regex ^http://example\.com
  deny_info 303:https://example.com%rp redirect_HTTPS
  http_access deny redirect_HTTPS



> http_access deny all


So ... none of the http_access lines below here are doing anything.


> acl apache rep_header Server ^Apache
> icp_access allow localnet
> icp_access deny all


These lines...

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

.. to here are supposed to protect your proxy against some nasty DDoS 
type attacks.

They need to be first out of all your http_access lines in order to do 
that efficiently.


The http_access below are optional from our default squid.conf setup. 
Since your install does not appear to need them they can just be removed.


> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost

> http_port 3128
> coredump_dir /var/cache/squid
> refresh_pattern ^ftp:		1440	20%	10080
> refresh_pattern ^gopher:	1440	0%	1440
> refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
> refresh_pattern .		0	20%	4320
> logformat squid %ts.%03tu %6tr %>a %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt
> logformat squidmime %ul %ts.%03tu %6tr %>a %Ss/%>Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
> logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh


Please do not re-define the "squid", "common" and "combined" names for 
custom logformat names. Use custom format names for your customized outputs.


> logformat ip_port %ts %tu %>a %>p %<lp %<a %<p %dt %tr %un %>ru %Ss
> access_log daemon:/var/log/squid/access.log combined
> access_log daemon:/var/log/squid/network.log ip_port
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log


You have defined "cache deny all" to prevent anything being stored.
You should be able to remove the above line entirely.


> access_log daemon:/var/log/squid/useragent.log useragent
> visible_hostname proxy.abc.com
> cache deny all



HTH
Amos

More information about the squid-users mailing list