[squid-users] Access Log Question

Piana, Josh Josh.Piana at hexcel.com
Tue Nov 12 15:43:06 UTC 2024 

Yeah, we have a few. 

I'll try to detail them below, I apologize for any formatting weirdness. 

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/arcgate2.ad.arc-tech.com at AD.ARC-TECH.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
auth_param basic realm ArcTech Proxy Server

acl localhost src 10.46.11.69
acl localhost src 127.0.0.0/8          
acl localnet dst 10.0.0.0/8          
acl localnet dst 172.0.0.0/8           
acl localnet dst bldg3.arc-tech.com.  
acl localnet dst bldg5.arc-tech.com.   

acl SSL_ports port 443          
acl SSL_ports port 5001             
acl SSL_ports port 4434            
acl SSL_ports port 9251            
acl Safe_ports port 21             
acl Safe_ports port 22          
acl Safe_ports port 80           
acl Safe_ports port 443            
acl Safe_ports port 8080         
acl Safe_ports port 8443         
acl Safe_ports port 1025-65535

acl kerb-auth proxy_auth REQUIRED
acl CONNECT method CONNECT
acl local_dst_dom dstdomain arcgate2

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow local_dst_dom
http_access allow localnet

acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
http_access deny bad_domains_preauth

#acl block_user proxy_auth_regex -i "/etc/squid/block_user"
#http_access deny block_user

acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
http_access allow !bad_exception_urls

acl exec_files url_regex -i "/etc/squid/exec_files"
#acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
http_access deny !bad_exception_urls exec_files
deny_info ERR_BLOCK_TYPE exec_files

#acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
http_access allow CONNECT safe_ports SSL_ports mmedia_sites

acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny !bad_exception_urls bad_domains
deny_info ERR_BLOCK_DST bad_domains

acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
http_access deny !bad_exception_urls bad_domains_regex
deny_info ERR_BLOCK_DST bad_domains_regex

acl bad_urls url_regex -i "/etc/squid/bad_urls"
http_access deny !bad_exception_urls bad_urls
deny_info ERR_BLOCK_DST bad_urls

acl bad_files urlpath_regex -i "/etc/squid/bad_files"
http_access deny !bad_exception_urls bad_files
deny_info ERR_BLOCK_TYPE bad_files

http_access allow Safe_ports
http_access allow SSL_ports
http_access deny !kerb-auth
http_access allow kerb-auth
http_access deny all



-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Matus UHLAR - fantomas
Sent: Tuesday, November 12, 2024 10:30 AM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Access Log Question

Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.


On 12.11.24 15:22, Piana, Josh wrote:
>I seem to be able to generate tickets by checking klist, and using kinit to authenticate my username with AD. But it looks like the proxy is ignoring it. This could explain why all my proxy_auth ACL's stopped working too.
>
>
>Here's my authentication settings:
>auth_param negotiate children 10
>auth_param negotiate keep_alive on
>auth_param basic credentialsttl 2 hours auth_param basic realm 
><redacted> Proxy Server
>
>acl kerb-auth proxy_auth REQUIRED
>
>The bottom of my ACL Rules looks like this:
>http_access deny !kerb-auth
>http_access allow kerb-auth
>http_access deny all

The bottom? Are there any ACL rules that allow clients' access before this?
Because ACL rules are processed in the order they are specified.

>-----Original Message-----
>From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf 
>Of Matus UHLAR - fantomas
>Sent: Tuesday, November 12, 2024 10:19 AM
>To: squid-users at lists.squid-cache.org
>Subject: Re: [squid-users] Access Log Question
>
>Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
>
>On 12.11.24 15:16, Piana, Josh wrote:
>>Seems like it.
>>
>>Example:
>>
>>12/Nov/2024:09:51:37 -0500.396 10.46.49.135 TCP_TUNNEL/200 23735 
>>CONNECT
>>http://www.s/
>>a%2F&data=05%7C02%7Cjosh.piana%40hexcel.com%7C781d9733572443bebebd08dd
>>032ef2d6%7C4248050df19546d5ac9c0c7c52b04cae%7C0%7C0%7C6386702223804901
>>51%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCI
>>sIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=J
>>D5bPnmHAzYiBf0GEibkaOIItE5n7G5wQaTzYent9K4%3D&reserved=0
>>fgard.com%3A443%2F&data=05%7C02%7Cjosh.piana%40hexcel.com%7C1dd5a668cf
>>f
>>64041506f08dd032d47f6%7C4248050df19546d5ac9c0c7c52b04cae%7C0%7C0%7C638
>>6 
>>70215221064884%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiI
>>w 
>>LjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C
>>%
>>7C&sdata=gmzUs90%2Bccg4xxW8WHB2R4Tyb66r1tfKPdsQL2mHmUE%3D&reserved=0 - 
>>\ HIER_DIRECT/206.188.0.52 - -/-
>
>yes, this looks like the username is not known to squid, thus probably bypassed authentication.
>what type of proxy authentication you use?
>
>>-----Original Message-----
>>From: squid-users <squid-users-bounces at lists.squid-cache.org> On 
>>Behalf Of Matus UHLAR - fantomas
>>Sent: Tuesday, November 12, 2024 10:10 AM
>>To: squid-users at lists.squid-cache.org
>>Subject: Re: [squid-users] Access Log Question
>>
>>Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>>
>>
>>On 12.11.24 14:56, Piana, Josh wrote:
>>> At some point, the access log has stopped recording which users are 
>>> trying to access which sites.
>>>
>>> I'm currently thinking is could be an issue with log format, Squid 
>>> not being able to receive the header information, or authentication 
>>> is being bypassed completely due to our config, for some reason.
>>
>>what is it logging? doest is log "-" instead of usernames?
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar] _______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list