Re: Squid ACL, SSL-BUMP and authentication questions

Hi,

 

Sorry for my poor English. I think maybe I have figured out how to do this. It seems I need to explicitly allow “google” for “my_auth” users.

 

Add this:

http_access     allow   google                 my_auth

before

http_access     allow   my_auth                all

 

auth_param basic children 5
auth_param basic realm Welcome to Our Website!
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl my_auth proxy_auth REQUIRED

acl SSL_ports port 443
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

acl     GoogleMaps           url_regex -i    ^https://www.google.com/maps*.
acl     test_net                 src             192.168.1.253/32
acl     google                    dstdomain    www.google.com
http_access deny CONNECT !SSL_ports

http_access     allow                           GoogleMaps

http_access     allow   CONNECT                 google
http_access     deny    CONNECT                 google                 my_auth
#http_access    allow   CONNECT                 test_net                 google

http_access     allow   google                 my_auth
http_access     allow   my_auth                all

http_access     deny                            all

 

 

From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of squid-list
Sent: Friday, November 07, 2014 3:36 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid ACL, SSL-BUMP and authentication questions

 

Hi,

"Access to google maps(https://www.google.com/maps) should prevent any authentication need"


I understand that all users should be able to access the Google Maps link without any authentication. For this you could add the site ACL before the authentication part in the squid conf, so that users will not be prompted for authentication when they try to access the Google Maps site. But when they try to access any other site, authentication will be prompted.

(i.e.)
        acl     GoogleMaps           url_regex -i    ^https://www.google.com/maps*.
        http_access allow GoogleMaps all

        auth_param basic children 5
        auth_param basic realm Welcome to Our Website!
        auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user
        auth_param basic credentialsttl 2 hours
        auth_param basic casesensitive off

        ....
        ....

I am not clear about the remaining part of the content.

Regards,
ViSolve Squid

On 11/07/2014 08:55 AM, squid@xxxxxxxxx wrote:

Hello all,

 

Our company policy only allows some machines to access some SSL website URLs (e.g. https://www.google.com/maps). However, they do not have access to https://www.google.com/. Before we tried to implement authentication, everything worked fine. We try to allow https access to https://www.google.com/maps and the “CONNECT” request to www.google.com using SSL bump. Now I want to preserve this config and let users authenticate to access any website. Access to Google Maps (https://www.google.com/maps) should prevent any authentication need. However, I have not succeeded in figuring this out. I have tried different kinds of configuration; some will prompt for authentication, and some will not allow the authenticated users to access https://www.google.com. From the access log, after I authenticate and try to access https://www.google.com, the authentication information is not displayed. It seems Squid does not use the authentication information when matching this rule: “http_access     allow   CONNECT                 google”.

The “CONNECT” method succeeds. Then Squid continues to use no authentication information to process the “GET” command, causing the authenticated user to be denied access to https://www.google.com.

Can I make Squid always use the authentication information if already authenticated? Or is there any suggestion for implementing this policy?

Thanks.

 

Here is an extracted version of config which should state the related configuration:

 

auth_param basic children 5
auth_param basic realm Welcome to Our Website!
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl my_auth proxy_auth REQUIRED

acl SSL_ports port 443
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

acl     GoogleMaps           url_regex -i    ^https://www.google.com/maps*.
acl     test_net                 src             192.168.1.253/32
acl     google                    dstdomain    www.google.com
http_access deny CONNECT !SSL_ports

http_access     allow                           GoogleMaps

http_access     allow   CONNECT                 google
http_access     deny    CONNECT                 google                 my_auth
#http_access    allow   CONNECT                 test_net                 google

http_access     allow   my_auth                all

http_access     deny                            all

 



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
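
A static check for shadowed http_access lines, run over the final rule list posted in this thread. This is an added example, not part of any poster's message and not Squid code; it assumes Squid's evaluation order (ACLs on one line are ANDed, the first matching line decides), and the function names are hypothetical.

```python
# Added example: find http_access lines that can never be the deciding line.
# Assumed model: every ACL on a line must match (AND), and the first line
# whose ACLs all match decides. A later line whose ACL set contains every
# ACL of an earlier line is therefore shadowed by that earlier line.

# http_access lines copied from the final configuration in this thread.
CONFIG = """\
http_access deny CONNECT !SSL_ports
http_access allow GoogleMaps
http_access allow CONNECT google
http_access deny CONNECT google my_auth
#http_access allow CONNECT test_net google
http_access allow google my_auth
http_access allow my_auth all
http_access deny all
"""


def parse_rules(text):
    """Return (line_no, action, frozenset_of_acl_tokens) per active rule."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) < 3 or fields[0] != "http_access":
            continue
        # "all" matches every request, so it adds no constraint.
        # Negated ACLs ("!name") are kept as distinct literal tokens.
        acls = frozenset(t for t in fields[2:] if t != "all")
        rules.append((no, fields[1], acls))
    return rules


def shadowed(rules):
    """Return (later_line, earlier_line) pairs where the earlier line wins."""
    found = []
    for i, (no_b, _, acls_b) in enumerate(rules):
        for no_a, _, acls_a in rules[:i]:
            if acls_a <= acls_b:  # everything the earlier line needs is implied
                found.append((no_b, no_a))
                break
    return found


if __name__ == "__main__":
    for later, earlier in shadowed(parse_rules(CONFIG)):
        print(f"line {later} is never reached: line {earlier} matches first")
```

On this rule list the check reports that `deny CONNECT google my_auth` (line 4) is never reached, because `allow CONNECT google` (line 3) matches first.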

 
