[squid-users] can't explain 403 denied for authenticated

Jonathan Lee jonathanlee571 at gmail.com
Fri Jun 7 06:16:09 UTC 2024


You can also add this to lock down the proxy after hours so nothing is used much like locking a door, whatever is inside is going to keep working ie connections already established however all new connections will be blocked. I love this one 

acl block_hours time 00:30-05:00
ssl_bump terminate all block_hours
http_access deny all block_hours

however this is for use with ssl intercept and root certificates installed however it also works for spliced connections as it comes before everything else the terminate everything line 

you can also if you want to lock down to specific mac addresses ie small office home network 

use 

eui_lookup on


Example of use with mac addresses

acl splice_only src 192.168.1.8 #Tasha iPhone
acl splice_only src 192.168.1.10 #Jon iPhone
acl splice_only src 192.168.1.11 #Amazon Fire
acl splice_only src 192.168.1.15 #Tasha HP
acl splice_only src 192.168.1.16 #iPad

acl splice_only_mac arp  (unique 48bit hardware address here)
acl splice_only_mac arp (unique 48bit hardware address here)
acl splice_only_mac arp (unique 48bit hardware address here)
acl splice_only_mac arp  (unique 48bit hardware address here)
acl splice_only_mac arp  (unique 48bit hardware address here)

acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"

acl markBumped annotate_client bumped=true
acl active_use annotate_client active=true
acl bump_only src 192.168.1.3 #webtv
acl bump_only src 192.168.1.4 #toshiba
acl bump_only src 192.168.1.5 #imac
acl bump_only src 192.168.1.9 #macbook
acl bump_only src 192.168.1.13 #dell

acl bump_only_mac arp (unique 48bit hardware address here)
acl bump_only_mac arp  (unique 48bit hardware address here)
acl bump_only_mac arp  (unique 48bit hardware address here)
acl bump_only_mac arp  (unique 48bit hardware address here)
acl bump_only_mac arp  (unique 48bit hardware address here)

ssl_bump peek step1
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use (this works as “and logic” except my annotate active use)
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
acl activated note active_use true
ssl_bump terminate !activated

acl markedBumped note bumped true
url_rewrite_access deny markedBumped

> On Jun 6, 2024, at 12:08, Kevin <squid at kretz.net> wrote:
> 
> >> uri_whitespace encode
> >
> >Hmm. Accepting whitespace in URLs is a risky choice. One can never be
> >completely sure how third-party agents in the network are handling it
> >before the request arrived.
> >
> >If (big IF) you are able to use "uri_whitespace deny" this proxy would
> >be a bit more secure. This is just a suggestion, you know best here.
> 
> I think that was a workaround for a vulnerability.  If it was, it may no longer be needed.
> 
> 
> >
> >> acl trellix_phone_cloud dstdomain amcore-ens.rest.gti.trellix.com
> >> http_access deny trellix_phone_cloud
> >> external_acl_type host_based_filter children-max=15 ttl=0 0X0P+0CL >> acl HostBasedRules external host_based_filter
> >> http_access allow HostBasedRules
> >> auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/passwd
> >> auth_param digest realm squid
> >> auth_param digest children 2
> >> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/basic_passwd
> >> auth_param basic children 2
> >> auth_param basic realm squidb
> >> auth_param basic credentialsttl 2 hours
> >
> >> acl auth_users proxy_auth REQUIRED
> >> external_acl_type custom_acl_db children-max=15 ttl=0 0X0P+0CL >> acl CustomAclDB external custom_acl_db
> >> http_access allow CustomAclDB
> >
> >
> >Hmm, this use of combined authentication+authorization is a bit tricky
> >with two layers of asynchronous helper lookups going on. That alone
> >might be what is going on with the weird 403's.
> >
> >
> >A better sequence would be:
> >
> ># ensure login is performed
> >http_access deny !auth_users
> >
> ># check the access permissions for whichever user logged in
> >http_access allow CustomAclDB
> 
> 
> The first call the the external_acl is to process unauthenticated requests.   Is the suggestion to replace
> 
> acl auth_users proxy_auth REQUIRED
> 
> with
> 
> http_access deny !auth_users
> 
> before the second external_acl (for authenticated requests)?
> 
> 
> 
> 
> Thanks again, very much
> 
> 
> Kevin
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240606/99fc975e/attachment.htm>


More information about the squid-users mailing list