Re: Strange problem with ACL and CONNECT method

Dmitrijs Demidovs wrote:
> Hi list.
>
> I have a strange problem with ACLs and http_access rules.
> Our squid is using winbind for NTLM auth. We need to achieve user auth for https.
>
> Here is an example that makes problems for us:
> =============
> 1) http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP
> 2) http_access allow CONNECT Webusers_whitelist_domains Webusers
>
> 3) http_access allow localnetwork CONNECT SSL_ports
>
> 4) http_access allow CONNECT WebVIP
> 5) http_access allow CONNECT Webusers
> =============
>
> - WebVIP - users group from AD
> - Webusers - users group from AD
> - HTTPS_DOMAINS_BLACKLIST - black list for bad addresses
> - Webusers_whitelist_domains - white list for Webusers
>
>
> The first two lines work as expected - only users from WebVIP and Webusers can access
> https sites from black/white lists. We can see their user IDs in squid's access.log.

They don't encode that policy statement, though. To describe the first two lines accurately, remove the word "only" from your statement, since for users NOT in those two groups Squid will simply skip past those lines and check the next one.


> If I put the last three lines (4-5) before 3, then I get 407 errors in access.log, and no one is able to use https anymore. So there is a problem! That is why we

Oh? I take it your localnetwork users don't have logins at all then? That's all 407 means.

> need to use line Nr 3 - it just allows all CONNECT from our IP subnet without auth.

> I'm completely lost and frustrated. Why do the first two lines work and the last two do not?

Are the WebVIP or Webusers blocked when trying to get to a site not black/white-listed? That is the only possible "not working" that lines (4) and (5) have.

Lines (1) and (2) will also request login details (407) from a localnetwork user if they attempt to contact a black/white-listed site.

> Is there any hint?

Squid processes lines top-down. First to match wins. Your lines only say allow. Never deny. So people who are not allowed to do one thing will be tested for permission to do the next etc, etc.


The way I'd write those rules is this:

    # stop them nasty ones getting unlimited bypass from security.
 0) http_access deny CONNECT !SSL_ports

    # "only users from WebVIP ... can access black/white listed sites"
    # implies: nobody else is allowed to.
 1) http_access deny CONNECT HTTPS_DOMAINS_BLACKLIST !WebVIP
 2) http_access deny CONNECT Webusers_whitelist_domains !Webusers

   # local network users don't have any authentication credentials.
 3) http_access allow localnetwork CONNECT

   # people who can enter WebVIP and Webuser credentials have wide access.
 4) http_access allow CONNECT WebVIP
 5) http_access allow CONNECT Webusers

 5b) http_access deny CONNECT


> And maybe someone knows - are there any third-party tools for analyzing squid.conf
> for logical errors? The more I use Squid, the more I want to find some
> tool that will be able to catch logical errors according to Squid's design.
> Any hint please?


There was one made a year or so ago. I forget how to find it though. Maybe a post in the mailing list archives about a validator (NP: the one I wrote way back is dead now).

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1
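To make the top-down, first-match semantics concrete, here is an added example that is not part of the thread and not Squid's own code: a small Python model of http_access evaluation that walks the three orderings discussed above (the original, the one with lines 4-5 ahead of 3, and the rewrite with explicit deny lines) over a few constructed requests. The ACL names are those from the thread; the subnet, host names, users and groups are made-up sample data, and the model simplifies Squid by treating any evaluation of an auth-group ACL for a request without credentials as a 407 challenge.

```python
"""Toy model of how Squid walks http_access rules: top-down, the first line whose
ACL terms all match wins, and an auth ACL (proxy_auth / AD group via winbind)
reached by a request carrying no credentials produces a 407 challenge instead of
a plain non-match.  Added example, not Squid code; the 407 rule is a
simplification of Squid's real behaviour."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str                         # client IP
    method: str                      # "CONNECT" or "GET"
    host: str                        # requested host
    port: int                        # requested port
    user: str = ""                   # "" means no Proxy-Authorization header
    groups: frozenset = frozenset()  # AD groups winbind would report for the user


class NeedAuth(Exception):
    """An auth ACL was evaluated for a request that presented no credentials."""


# Constructed sample ACL definitions (hypothetical values, not from the thread).
SSL_PORTS = {443}
LOCALNET_PREFIX = "192.168.1."
HTTPS_DOMAINS_BLACKLIST = {"bad.example.com"}
WEBUSERS_WHITELIST_DOMAINS = {"partner.example.com"}
AUTH_GROUP_ACLS = {"WebVIP", "Webusers"}


def acl_match(name: str, req: Request) -> bool:
    """Evaluate one ACL; auth-group ACLs need credentials before they can answer."""
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "SSL_ports":
        return req.port in SSL_PORTS
    if name == "localnetwork":
        return req.src.startswith(LOCALNET_PREFIX)
    if name == "HTTPS_DOMAINS_BLACKLIST":
        return req.host in HTTPS_DOMAINS_BLACKLIST
    if name == "Webusers_whitelist_domains":
        return req.host in WEBUSERS_WHITELIST_DOMAINS
    if name in AUTH_GROUP_ACLS:
        if not req.user:
            raise NeedAuth(name)  # Squid answers 407 Proxy Authentication Required
        return name in req.groups
    raise ValueError(f"unknown acl {name}")


def http_access(rules, req: Request) -> str:
    """rules: [(action, [term, "!term", ...]), ...] in squid.conf order.
    Returns "allow", "deny" or "407"."""
    for action, terms in rules:
        try:
            for term in terms:
                negate = term.startswith("!")
                # Terms are checked left to right; the first failing term ends the line.
                if acl_match(term.lstrip("!"), req) == negate:
                    break
            else:
                return action  # every term matched: first matching line wins
        except NeedAuth:
            return "407"
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def rule(line: str):
    action, *terms = line.split()
    return action, terms


# The original ordering from the post (lines 1-5).
ORIGINAL = [rule(l) for l in [
    "allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP",
    "allow CONNECT Webusers_whitelist_domains Webusers",
    "allow localnetwork CONNECT SSL_ports",
    "allow CONNECT WebVIP",
    "allow CONNECT Webusers",
]]
# Lines 4-5 moved ahead of line 3, the ordering that produced the 407s.
REORDERED = [ORIGINAL[0], ORIGINAL[1], ORIGINAL[3], ORIGINAL[4], ORIGINAL[2]]
# The rewrite from the reply, with explicit deny lines.
REWRITTEN = [rule(l) for l in [
    "deny CONNECT !SSL_ports",
    "deny CONNECT HTTPS_DOMAINS_BLACKLIST !WebVIP",
    "deny CONNECT Webusers_whitelist_domains !Webusers",
    "allow localnetwork CONNECT",
    "allow CONNECT WebVIP",
    "allow CONNECT Webusers",
    "deny CONNECT",
]]

# Constructed sample requests.
ANON_LOCAL = Request("192.168.1.10", "CONNECT", "mail.example.com", 443)
ANON_LOCAL_BAD = Request("192.168.1.10", "CONNECT", "bad.example.com", 443)
ANON_LOCAL_SMTP = Request("192.168.1.10", "CONNECT", "mail.example.com", 25)
WEBUSER_LOCAL_BAD = Request("192.168.1.30", "CONNECT", "bad.example.com", 443,
                            user="bob", groups=frozenset({"Webusers"}))
VIP_BAD = Request("192.168.1.20", "CONNECT", "bad.example.com", 443,
                  user="alice", groups=frozenset({"WebVIP"}))
OUTSIDER = Request("203.0.113.5", "CONNECT", "mail.example.com", 443)
PLAIN_GET = Request("192.168.1.10", "GET", "www.example.com", 80)

if __name__ == "__main__":
    for label, rules in [("original", ORIGINAL), ("reordered", REORDERED),
                         ("rewritten", REWRITTEN)]:
        for req in (ANON_LOCAL, ANON_LOCAL_BAD, ANON_LOCAL_SMTP, WEBUSER_LOCAL_BAD,
                    VIP_BAD, OUTSIDER, PLAIN_GET):
            print(f"{label:9} {req.src:13} {req.user or '-':5} "
                  f"{req.method} {req.host}:{req.port} -> {http_access(rules, req)}")
```

Running it shows the behaviours described in the reply: under the original ordering a credential-less local user is challenged (407) only when the requested host is on a list, while a Webusers member reaching a blacklisted host is let through by line 3 because line 1 only said allow and never deny; with lines 4-5 moved ahead of line 3, every credential-less local CONNECT is challenged; with the rewrite, CONNECT to a non-SSL port and non-VIP access to blacklisted hosts are denied outright. The model also applies Squid's rule that a request matching no line gets the opposite of the last line's action, which is why a plain GET that matches none of the CONNECT lines ends up allowed under the rewrite and denied under the original; a trailing `http_access deny all` is the usual way to pin that default down.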

