
Re: Squid with MySQL auth not denying pages with


 



On 27/04/17 00:04, prashantbhosale wrote:
I am setting up simple squid server for denying URL's. Below is my squid
config, URL's are getting blocked and TCP_DENIED/403 seen in access.log
file.
But not showing error message/page shown in browser.

Another main task that I want to do is Squid authentication with MySQL.
Followed the instructions provided on
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Mysql#Squid_Installation
Auth is working. But one problem is now the denied log is with
TCP_DENIED/407 instead of TCP_DENIED/403
and no user is specified in log.

This usually means the browser did not send any credentials at all to Squid. The 407 is Squid telling the browser it needs to login.

1493126753.944      0 x.x.x.x TCP_DENIED/407 4510 GET http://tg.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRVuMwyhZnBGWkFKlkeoNe9zdlbSwQUK5o1rgEYODDhcHoF4BF2o869kBQCED3fM9dlZGIkaXhmllPjYgM%3D - HIER_NONE/- text/html
Below is config with MySQL auth:
ubuntu@proxy:~$ cat /etc/squid/squid.conf
auth_param basic program /usr/lib/squid3/basic_db_auth --user root --password pass@123 --plaintext --persist

Okay ... assuming the defaults: your database name is 'squid', table name is 'passwd', and has an 'enabled' column containing '1' for the user account being tested.

If not, then the 407 is because authentication will fail due to the SQL query not returning any useful credentials to compare with those given by the browser (if any).

...
#acl db-auth proxy_auth REQUIRED
#http_access allow db-auth

The above (when uncommented) will only allow authenticated users. Any clients sending bad credentials will just skip to the next lines... eventually reaching that "allow all". So much for requiring login.

Better security practice is to perform checks that do not require login, then:
  http_access deny !db-login

then to do any allow/deny things for authenticated users.

acl addomain dstdomain "/etc/squid/addomains.acl"
http_access deny addomain

acl easyprivacy-regex url_regex -i "/etc/squid/easyprivacy.txt"
acl easylist-regex url_regex -i "/etc/squid/easylist.txt"
http_access deny easylist-regex
http_access deny easyprivacy-regex

http_access allow all

Any http_access lines following this "allow all" are unreachable and pointless.

http_access allow localhost

http_port 3128



Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
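
The ordering points made in the reply above can be checked mechanically. The following is an added example, not code from the post or from the Squid project: a simplified first-match lint that reports http_access lines placed after a bare "all" rule and an "allow all" reached without a prior "deny !<auth acl>". Both sample configs are constructed from the directives quoted in the thread; the ACL name db-auth is taken from the posted config, and the final "allow db-auth" / "deny all" pair in the reordered sample is an assumption.

```python
# Added example: first-match lint for Squid http_access ordering.
# Both sample configs are constructed from the directives quoted in the thread.
POSTED = """\
acl db-auth proxy_auth REQUIRED
http_access allow db-auth
acl addomain dstdomain "/etc/squid/addomains.acl"
http_access deny addomain
http_access deny easylist-regex
http_access deny easyprivacy-regex
http_access allow all
http_access allow localhost
"""
REORDERED = """\
acl db-auth proxy_auth REQUIRED
acl addomain dstdomain "/etc/squid/addomains.acl"
http_access deny addomain
http_access deny easylist-regex
http_access deny easyprivacy-regex
http_access deny !db-auth
http_access allow db-auth
http_access deny all
"""

def lint_http_access(conf):
    """Return [(line_no, message)] for ordering problems in squid.conf text."""
    auth_acls, rules = set(), []
    for no, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(tok) >= 3 and tok[0] == "acl" and tok[2] == "proxy_auth":
            auth_acls.add(tok[1])               # ACL that requires login
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((no, tok[1], tok[2:]))
    findings, enforced, terminal = [], set(), None
    for no, action, acls in rules:
        if terminal is not None:                # a bare "all" already matched everything
            findings.append((no, f"unreachable after line {terminal}"))
            continue
        if action == "deny" and len(acls) == 1 and acls[0].startswith("!") \
                and acls[0][1:] in auth_acls:
            enforced.add(acls[0][1:])           # "deny !acl" makes login mandatory
        if acls == ["all"]:
            terminal = no
            if action == "allow":
                for name in sorted(auth_acls - enforced):
                    findings.append((no, f"allow all without prior 'deny !{name}'"))
    return findings

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("reordered", REORDERED)):
        print(label, lint_http_access(conf))
```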



