On 30/08/17 03:12, Alex Gutiérrez Martínez wrote:
Hello community, I just installed Squid 3.3.8 on Ubuntu 14.04. The only
use of this software is providing Internet access to my users. But
something is wrong with my setup. I must clarify that I use as an
authentication system the LDAP plug-in that comes with Squid.
The problem is that some ACLs, although apparently well written, are not
working the way I expect. Specifically those blocking social sites and
prohibited sites.
Ah, there are no rules blocking social and advertising sites.
You have some rules *allowing* access to various groups, then some
blanket denial of everything else.
The problem is actually your allow rules not doing what you seem to
expect of them. Specifically the first one.
...
acl basic_ldap_auth proxy_auth REQUIRED
http_access allow basic_ldap_auth
Anyone who can login is allowed to use this proxy. End of story for
authenticated users.
Note that the "REQUIRED" value in the ACL does not mean proxy access
requires credentials. It means that the ACL will non-match unless a
valid login is given. The "allow" action in turn then means a non-match
simply skips that line.
Anyone who sends invalid credentials to the proxy _will_ fly straight
past this first access control without being challenged, anyone lacking
credentials entirely *might* be challenged to supply some depending on
what ACL types your later rules use.
Overall "allow" is a very unreliable way to do authentication security.
Instead you should start with denying clients who cannot supply valid
logins. Like so:
http_access deny !basic_ldap_auth
... then do the group checks etc which rely on those credentials.
#http_access deny all
########################################################
#selective restrictions#
########################################################
acl dmz src 172.16.4.0/27
acl navegacion src 192.168.9.0/24
acl full external Group InternetFull
acl limitado external Group InternetLimitado
acl sociales dstdomain -n "/etc/squid3/bloqueo/sociales"
acl extensiones urlpath_regex -i "/etc/squid3/bloqueo/listaextensiones"
... but no valid credentials means no group. These cannot match right
now and so get skipped.
While it may have appeared that these allow lines were working, it was
in fact the earlier "allow basic_ldap_auth" line letting users in the
group "full" (and any other group) through.
http_access allow full sociales
http_access allow full limitado navegacion
http_access allow full dmz
########################################################
#mandatory restrictions#
########################################################
#acl blacklist url_regex -i "/etc/squid3/listanegra"
#http_access deny blacklist
acl bl7 dstdomain -n "/etc/squid3/bloqueo/correos"
http_access allow full !limitado bl7
Here you have a bunch of stuff being denied based on group. BUT, the
last thing is "deny all" with no possibility of allow from here on down.
So all these slow checking group and regex ACLs are pretty pointless,
even if the group checks could work with invalid logins.
If any request reaches this spot of the access list it is going to be
denied. So "deny all" is sufficient, no need to do all the following
complex stuff first.
acl bl1 url_regex -i "/etc/squid3/bloqueo/porno"
http_access deny bl1
acl bl2 url_regex -i "/etc/squid3/bloqueo/android"
http_access deny bl2
acl bl3 url_regex -i "/etc/squid3/bloqueo/prox1"
http_access deny bl3
acl bl4 url_regex -i "/etc/squid3/bloqueo/prox2"
http_access deny bl4
acl bl5 url_regex -i "/etc/squid3/bloqueo/prox3"
http_access deny bl5
acl bl6 url_regex -i "/etc/squid3/bloqueo/prox4"
http_access deny bl6
#acl ladmin src "/etc/squid3/ladmin"
http_access deny all
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
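As an added illustration (not part of the thread, and not Squid's own code), the following Python script is a small model of how Squid walks an http_access list: lines are tried in order, the first line whose ACLs all match decides, and a line that does not match is simply skipped. It replays a subset of the rules quoted above, once in the original order ("allow basic_ldap_auth" first) and once with Amos's suggested "deny !basic_ldap_auth" first, against a handful of constructed requests. The USERS dictionary stands in for the LDAP backend, the short domain and regex lists stand in for the files under /etc/squid3/bloqueo/, and the ACL names basic_ldap_auth, full, dmz, sociales and bl1 are taken from the post. Two simplifications are assumptions of the model, not Squid behaviour to rely on: a request carrying no credentials is treated as a 407 challenge at the first line that needs a login, and a denial caused by invalid credentials is reported as a plain DENY, where real Squid answers 407 so the client can retry.

```python
"""
Simplified model of Squid's http_access evaluation (first matching line
wins, a non-matching line is skipped), comparing the original rule order
from the thread with the suggested "deny !basic_ldap_auth" order.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

MATCH, NOMATCH, AUTH_REQUIRED = "match", "nomatch", "auth_required"

# Constructed stand-in for the LDAP backend (hypothetical accounts).
# "user:password" -> group name; None = valid login but member of no group.
USERS = {
    "ana:ana-pw": "InternetFull",
    "eva:eva-pw": None,
}
SOCIAL = ["facebook.com", "twitter.com"]        # stands in for bloqueo/sociales
PORN_RE = re.compile(r"porn", re.IGNORECASE)    # stands in for bloqueo/porno


@dataclass
class Request:
    src: str                     # client IP
    url: str                     # requested URL
    creds: Optional[str] = None  # "user:password"; None = no Proxy-Authorization


def host_of(url: str) -> str:
    return url.split("//", 1)[1].split("/", 1)[0]


def proxy_auth(req):
    """acl basic_ldap_auth proxy_auth REQUIRED: matches only with a VALID login."""
    if req.creds is None:
        return AUTH_REQUIRED          # modelled as: Squid challenges with 407 here
    return MATCH if req.creds in USERS else NOMATCH


def external_group(group):
    """acl full external Group X: no valid credentials means no group."""
    def check(req):
        if req.creds is None:
            return AUTH_REQUIRED
        if req.creds not in USERS:
            return NOMATCH
        return MATCH if USERS[req.creds] == group else NOMATCH
    return check


def src(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda req: MATCH if ipaddress.ip_address(req.src) in net else NOMATCH


def dstdomain(domains):
    def check(req):
        h = host_of(req.url)
        return MATCH if any(h == d or h.endswith("." + d) for d in domains) else NOMATCH
    return check


def url_regex(rx):
    return lambda req: MATCH if rx.search(req.url) else NOMATCH


ACL = {
    "basic_ldap_auth": proxy_auth,
    "full": external_group("InternetFull"),
    "dmz": src("172.16.4.0/27"),
    "sociales": dstdomain(SOCIAL),
    "bl1": url_regex(PORN_RE),
    "all": lambda req: MATCH,
}

# Subset of the quoted http_access lines, in the order the post has them.
ORIGINAL = [
    ("allow", "basic_ldap_auth"),   # any valid login is let in right here
    ("allow", "full sociales"),
    ("allow", "full dmz"),
    ("deny", "bl1"),                # never decides anything: "deny all" follows
    ("deny", "all"),
]
# Same rules with the suggested first line; the bl1 deny adds nothing before "deny all".
SUGGESTED = [
    ("deny", "!basic_ldap_auth"),   # no valid login -> out, before anything else
    ("allow", "full sociales"),
    ("allow", "full dmz"),
    ("deny", "all"),
]


def http_access(rules, req):
    """Return (decision, line number that decided). All ACLs on a line must
    match (AND); '!' negates one ACL; a non-matching line is skipped."""
    for lineno, (action, acl_expr) in enumerate(rules, 1):
        line_matches = True
        for token in acl_expr.split():
            negate = token.startswith("!")
            result = ACL[token.lstrip("!")](req)
            if result == AUTH_REQUIRED:
                return ("CHALLENGE", lineno)          # 407, evaluation stops
            if (result == MATCH) == negate:           # this ACL fails the line
                line_matches = False
                break
        if line_matches:
            return (action.upper(), lineno)
    # Squid's default when nothing matched: the opposite of the last action.
    return ("ALLOW" if rules[-1][0] == "deny" else "DENY", len(rules))


if __name__ == "__main__":
    cases = {
        "InternetFull user, social site": Request("192.168.9.10", "http://facebook.com/", "ana:ana-pw"),
        "ungrouped user, social site":    Request("192.168.9.10", "http://facebook.com/", "eva:eva-pw"),
        "wrong password":                 Request("192.168.9.10", "http://example.com/", "ana:wrong"),
        "no credentials":                 Request("192.168.9.10", "http://example.com/"),
    }
    for label, req in cases.items():
        print(f"{label:32} original={http_access(ORIGINAL, req)}  suggested={http_access(SUGGESTED, req)}")
```

The decided line number is the interesting column: with the original order every valid login, grouped or not, is allowed at line 1, so the group rules never decide anything, while a request with a wrong password skips line 1 and is only stopped by the final "deny all" after every slower group and regex check has run. With "deny !basic_ldap_auth" first, the ungrouped user falls through to "deny all", the InternetFull user is allowed by the group line that was meant to allow them, and the wrong-password request is stopped at line 1.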