On Tue, 27 Apr 2010 15:34:00 +0100, Nick Cairncross <Nick.Cairncross@xxxxxxxxxxxxxxx> wrote:

> Hi,
>
> I wondered whether I could have an eyeball on my squid.conf. It's very
> basic regarding access rules as there is a proxy filter further up chain -
> also I'm not caching. The main purpose is to ensure that where not
> explicitly allowed via ACL all traffic passes through the squid proxy and
> heads upstream. I also block on direct HTTP/S access from a client; only
> the proxy has access out. How does it look? I welcome any suggestions,
> inclusions or (importantly) glaring errors or omissions! Obviously, I
> appreciate there is a lot that one might allow like blocking Yahoo
> Messenger but I guess I'm after glaring errors!
>
> Thanks in advance,
>
> Nick
>
> ======
>
> http_port proxy1:8080
>
> auth_param negotiate program /usr/lib/squid/squid_kerb_auth -r
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 40
>
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> cache_peer [upstreamproxy] parent 8080 0 no-query proxy-only no-digest
> default
>
> cache_mgr helpdesk@xxxxxxxxxxxx
> visible_hostname proxy1.{fqdn}
>
> ######### ICAP SERVER #########
> icap_enable on
> icap_preview_enable on
> icap_persistent_connections on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_client_username_encode on
> icap_service ss reqmod_precache 0 icap://localhost/ssreqmod
> icap_class c1 ss
> icap_access c1 allow all
> ###### LOGGING OPTIONS ########
> ## LOGGING SWITCHES
> log_fqdn on
> ## LOG LOCATIONS
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log squid
> useragent_log /var/log/squid/useragent.log squid

The "squid" format name on cache_log and useragent_log is invalid. Those directives do not have a controllable format.

>
> ###### Delay Pool Definitions #######
> # Total number of delay pools
> delay_pools 1
>
> #### ACCESS CONTROL LISTS #####
>
> ## USER-AGENT (Browser-type) ACLs
> acl Java_jvm browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_JAVA.txt"
> acl iTunes browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_APPLE.txt"
> acl MSNMessenger browser "/etc/squid/ACL/USERAGENTS/USER-AGENTS_MSN.txt"
>
> ## USER AUTHENTICATION ACLs
> acl AuthenticatedUsers proxy_auth REQUIRED
>
> ## LAN IP ACLs
> acl 172SUBNETS src 172.16.0.0/255.255.0.0
> acl SERVERSUBNETS src 172.16.10.0/255.255.255.0
>
> # Blocks CONNECT method to IP addresses (Blocks Skype amongst other things)
> acl StopDirectIP url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
>
> ## SEND DIRECT ACLs
> acl SENDDIRECT_DstDomains dstdomain
> "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_DSTDOMAINS.txt"
> acl SENDDIRECT_IPAddresses src
> "/etc/squid/ACL/SENDDIRECT/SENDDIRECT_IPADDRESSES.txt"
>
> # CONNECT Method Direct IP ACLs
> acl IP_CONNECTALLOW src "/etc/squid/ACL/IPADDRESSES/IP_CONNECTALLOW.txt"
>
> ## LOCALHOST ACLs
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
>
> ## QUERY ACLs
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache

Both of the above ACL definitions are never used. You can drop them.

>
> ## PORTS ACLs
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 8080 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl RTMP_ports port 1935 # RTMP
>
> # CONNECTION METHOD ACL
> acl CONNECT method CONNECT
> acl POST method POST
>
> ###### ACCESS RULES #####
> ## GLOBAL DENY RULES - Do NOT include User Authentication ACLs here
> http_access deny StopDirectIP !IP_CONNECTALLOW
> http_access deny MSNMessenger 172SUBNETS

Stick the subnet test first on both of the above lines. Your CPU will love you for it.

>
> http_access allow POST 172SUBNETS
> http_access allow CONNECT 172SUBNETS

Do you have a special reason for changing the default "deny CONNECT !SSL_Ports" to unlimited open proxy access to 172/8 and anyone else with login credentials?

IMO you should probably have the above as either:

  deny CONNECT !SSL_Ports !172SUBNETS
  allow CONNECT 172SUBNETS

(deny CONNECT unless it's someone in 172SUBNETS doing HTTPS)

>
> # USER AGENTS ALLOW #
> http_access allow iTunes 172SUBNETS
> http_access allow Java_jvm 172SUBNETS
>

These above two lines as well.

> ## USERS AUTHENTICATION##
> http_access allow AuthenticatedUsers
> http_reply_access allow AuthenticatedUsers
>

The above http_reply_access is probably going to cause you trouble. There are a number of rules above which let requests go out without authentication. Accepting the reply _then_ asking for authentication is very bad.

> ## SEND DIRECT ALLOW
> always_direct allow SENDDIRECT_DstDomains
> always_direct allow SENDDIRECT_IPAddresses
>
> ## LOCAL HOST ALLOW ##
> http_access allow localhost
>
> ###### DELAY ACCESS RULES ######
> # First delay class pool is User allocated
> delay_class 1 4
>
> # First delay class pool is limited to 4mb i.e. all users not in
> exceptions: SERVERSUBNETS
> delay_parameters 1 -1/-1 -1/-1 -1/-1 4000000/4000000
>
> #First delay pool applied to Authenticated users except those in Server
> Subnet
> delay_access 1 allow AuthenticatedUsers !SERVERSUBNETS
> delay_access 1 deny all
>
> ###### DENY ######
> always_direct deny all
> never_direct allow all
> snmp_access deny all
> cache deny all
> http_access deny all
>

Amos