On 24/09/2013 3:17 a.m., Chris Nighswonger wrote:
So what am I missing in the following situation?
Our mail dept uses shiprush.com. The software supplied by shiprush is
not proxy-auth friendly, so I added a
acl ShipRush dstdomain .shiprush.com
and
http_access allow campusnet ShipRush
before my http_access line requiring authentication.
Yet I still see Squid3 requesting auth [1].
What am I doing wrong?
From the sounds of it the auth is happening earlier than you think.
I see two FCAUser ACL tests being done above it for starters.
I've supplied my squid.conf in redacted form [2]. (General comments
welcome as well as those specific to this problem.)
Kind Regards,
Chris
Misc Info:
OS: Ubuntu 10.04.4 LTS
Squid Cache: Version 3.1.6
Looks like time for an upgrade. Both that Squid and Ubuntu are quite old
now.
[1] https://docs.google.com/file/d/0B5GhqVvpzpvjVE5MX2drM21HNW8/edit?usp=sharing
[2] https://docs.google.com/file/d/0B5GhqVvpzpvjWjhQUnc4UDNweUk/edit?usp=sharing
http_port x.x.x.247:3130
http_port 127.0.0.1:3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
The above QUERY details are obsolete. Squid can cache and handle such
requests properly given an update to the refresh_pattern lines (see below).
acl apache rep_header Server ^Apache
cache_mem 12 MB
maximum_object_size 32768 KB
maximum_object_size_in_memory 200 KB
cache_dir aufs /var/spool/squid3 477184 65 256
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log none
cachemgr_passwd ***** all
debug_options ALL,1
auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "ou=People,dc=foo,dc=bar,dc=edu" -D "cn=admin,ou=People,dc=foo,dc=bar,dc=edu" -P ***** -d ldap.foo.bar.edu
auth_param basic children 30
auth_param basic realm Campus Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
Add this pattern right here:
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl masada src x.x.x.247/32
acl campusnet src x.x.x.0/24 192.168.3.0/24
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 334
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 10000
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl PURGE method PURGE
acl FTP proto FTP
acl AuthorizedUsers proxy_auth REQUIRED
acl WindowsUpdate dstdomain download.microsoft.com ntservicepack.microsoft.com .update.microsoft.com .windowsupdate.com windowsupdate.microsoft.com wustat.windows.com c.microsoft.com crl.microsoft.com watson.microsoft.com wpa.one.microsoft.com genuine.microsoft.com
acl WindowsCRL dstdomain go.microsoft.com sls.microsoft.com crl.microsoft.com activation.sls.microsoft.com
acl UbuntuUpdate dstdomain .ubuntu.com
acl AdobeUpdate dstdomain .adobe.com
acl IEPhishFilter dstdomain urs.microsoft.com
acl Webmin src x.x.x.247-x.x.x.247/32
acl Zipcode dstdomain dail-a-zip.com
acl USPSShipping dstdomain webtoolsdevprod.usps.com production.shippingapis.com secure.shippingapis.com
acl ShipRush dstdomain .shiprush.com
acl UnauthAccess dstdomain update.services.openoffice.org .ibackup.com ding.southwest.com www.ncsecu.org .snapfish.com .viastreaming.net pearsonassess.com .harcourtassessment.com .linux.ncsu.edu yui.yahooapis.com .toshibapc.com .verisign.com .uniblue.com .classicsonline.com .sendtoprint.net .e-sword.com .e-sword.net .hp.com .strawberryperl.com .cpan.org
acl VOIP_domain dstdomain sipprov.lgdacom.net
acl PressUnauthAccess dstdomain ftp.edwardsbrothers.com
acl FidelityBank dstdomain pob-w.fidelitybanknc.com .infotechalliance.com
acl TurboTax dstdomain .intuit.com
acl Adobe dstdomain get.adobe.com wwwimages.adobe.com dlmping.adobe.com ftpdownload.adobe.com armdl.adobe.com fpdownload.adobe.com fpdownload2.macromedia.com
acl AntiVirusAccess dstdomain .symantechliveupdate.com .avast.com view.atdmt.com .avg.com .grisoft.com .grisoft.cz .trendmicro.com .ca.com
acl SSL_Cert dstdomain .thawte.com
acl Java browser Java/1.4 Java/1.5 Java/1.6
acl Sun dstdomain .sun.com
acl JavaUpdate urlpath_regex -i ^/update
acl JavaRelated dstdomain sjremetrics.java.com
acl Update dstdom_regex -i update
acl Sonic dstdom_regex -i sonic
acl InstallShield dstdom_regex -i installshield
acl ipauthex src x.x.x.111/32 x.x.x.119/32 x.x.x.77/32 x.x.x.45/32 x.x.x.17/32
acl IntranetSites dstdomain .foo.bar.edu
acl GoogleSites dstdomain .google.com
acl iTunes dstdomain .mzstatic.com .itunes.apple.com albert.apple.com gs.apple.com .gcsp.cddbp.net .phobos.apple.com deimos3.apple.com
acl CertificateServers dstdomain ocsp.entrust.net crl.entrust.net .public-trust.com crl.globalsign.net
acl VPNnet src x.x.x.x/24
acl FCAUser proxy_auth username
acl FCATimeLimits time 16:00-17:00
forwarded_for truncate
follow_x_forwarded_for allow all
You may as well not have a firewall with that in your config file.
*any* client can forge entries in X-Forwarded-For header. The
"follow_x_forwarded_for allow all" makes squid trust and use *all*
possible IP address values in there.
For example any client sending the header "X-Forwarded-For: 127.0.0.1"
has completely unlimited access through your proxy thanks to your first
http_access permission rule...
http_access allow localhost
http_access allow manager localhost
http_access allow manager masada
http_access deny manager
http_access allow localhost PURGE
http_access allow masada PURGE
http_access deny PURGE
http_access allow CONNECT Zipcode campusnet
http_access allow CONNECT Safe_ports campusnet
http_access deny CONNECT !SSL_ports
http_access allow FTP
http_access allow ipauthex
http_access allow VPNnet
http_access allow FCAUser FCATimeLimits
http_access deny FCAUser
Your stated problem... these FCAUser ACLs perform authentication and
exist before the "allow campusnet UnauthAccess" intended auth bypass
rule below.
http_access allow AntiVirusAccess
http_access allow campusnet UnauthAccess
http_access allow campusnet VOIP_domain
http_access allow campusnet USPSShipping
http_access allow campusnet ShipRush
http_access allow campusnet WindowsUpdate
http_access allow campusnet WindowsCRL
http_access allow campusnet UbuntuUpdate
http_access allow campusnet AdobeUpdate
http_access allow campusnet IEPhishFilter
http_access allow campusnet JavaRelated
http_access allow campusnet Sun JavaUpdate
http_access allow campusnet Java
http_access allow campusnet Sonic Update
http_access allow campusnet InstallShield Update
http_access allow campusnet TurboTax
http_access allow campusnet SSL_Cert
http_access allow campusnet Adobe
http_access allow campusnet PressUnauthAccess
http_access allow campusnet IntranetSites
http_access allow campusnet iTunes
http_access allow campusnet CertificateServers
http_access allow campusnet AuthorizedUsers
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr support@xxxxxxx
append_domain .foo.bar.edu
NP: append_domain is not much use without dns_defnames also being set to
"on".
store_avg_object_size 20 KB
coredump_dir /var/spool/squid3
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error on
visible_hostname masada.foo.bar.edu
negative_ttl 5 minutes
negative_dns_ttl 1 minutes
Amos
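As an added illustration (not code from the thread or from Squid itself), here is a small Python model of Squid's first-match http_access evaluation that reproduces both points Amos makes above: the FCAUser proxy_auth ACL challenging the ShipRush request before the bypass rule is ever reached, and a forged X-Forwarded-For header matching the localhost ACL once follow_x_forwarded_for allow all is in effect. ACL and rule names are taken from the posted squid.conf; the request dictionary format, the 10.0.0.0/24 and 203.0.113.9 addresses and the trust_xff flag are assumptions of this example.

```python
import ipaddress

# ACL name -> (type, values), trimmed from the posted squid.conf; the campusnet
# prefix is a constructed stand-in for the redacted x.x.x.0/24.
ACLS = {
    "localhost": ("src", ["127.0.0.1/32"]),
    "campusnet": ("src", ["10.0.0.0/24"]),
    "FCAUser": ("proxy_auth", ["username"]),
    "ShipRush": ("dstdomain", [".shiprush.com"]),
    "AuthorizedUsers": ("proxy_auth", ["REQUIRED"]),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        # follow_x_forwarded_for allow all: Squid tests the indirect client
        # address taken from X-Forwarded-For, a header any client can forge.
        src = req["xff"] if req.get("trust_xff") and req.get("xff") else req["src"]
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and its subdomains
        return any(req["dst"] == v.lstrip(".") or
                   (v.startswith(".") and req["dst"].endswith(v)) for v in values)
    # proxy_auth: with no credentials Squid sends a 407 challenge and stops here
    if req.get("user") is None:
        return "challenge"
    return values == ["REQUIRED"] or req["user"] in values

def http_access(rules, req):
    """Squid-style first match; returns 'allow', 'deny' or '407' (challenge)."""
    for action, acls in rules:
        for acl in acls:  # every ACL on the line must match, tested left to right
            result = acl_matches(acl, req)
            if result == "challenge":
                return "407"
            if not result:
                break
        else:
            return action
    return "deny"  # the posted config ends with 'http_access deny all'

# Posted rule order (unrelated rules omitted); FIXED moves the auth-free
# ShipRush bypass above the first proxy_auth ACL, as Amos suggests.
POSTED = [("allow", ["localhost"]), ("deny", ["FCAUser"]),
          ("allow", ["campusnet", "ShipRush"]), ("allow", ["campusnet", "AuthorizedUsers"])]
FIXED = [POSTED[0], POSTED[2], POSTED[1], POSTED[3]]

# Constructed requests: a campus host reaching shiprush.com with no credentials,
# and an outside host forging "X-Forwarded-For: 127.0.0.1".
SHIPRUSH_REQ = {"src": "10.0.0.42", "dst": "www.shiprush.com"}
FORGED_XFF_REQ = {"src": "203.0.113.9", "dst": "example.com",
                  "xff": "127.0.0.1", "trust_xff": True}
```

Under POSTED the ShipRush request gets "407" and the forged-header request gets "allow"; under FIXED the ShipRush request gets "allow", and with trust_xff off the outsider is challenged instead of waved through.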