Re: acl problem (Amos Jeffries)

On 01/09/17 00:44, Alex Gutiérrez Martínez wrote:
> Thanks for answering, Mr. Jeffries. I just applied your recommendations: I changed the "allow basic_ldap_auth" rule to "deny !basic_ldap_auth",

Good.

> I also left the acl names denied and removed their respective "acl deny" rules, and the "http_access deny" rule I left on the last line.

Hmm. I assume you are referring to the commenting out of the needless denies I mentioned. That looks okay now.

> Although "squid3 -k parse" did not give me any problems, the link to the ldap suddenly stopped working; searching at "http://www.squid-cache.org/Doc/config/" I saw that I had to change the parameter "external_acl_type Group" to "external_acl_type ldap_group".

No, you can use any name you like for that parameter.

The first parameter of the external_acl_type directive is just a custom name / label to refer to that particular external helper in the acl lines later.

For example:

 external_acl_type foo ...

 acl ... external foo ...


> The Ldap user password has not changed and there are other applications that are using the ldap correctly at this time, any suggestions?


I see you also changed the rules giving permission for 'full' group to access the proxy. That change broke a few things.


> Here is a copy of my current configuration file


> # Hide the squid version
> httpd_suppress_version_string on
> # name we want squid to show as our host
> visible_hostname Hermes
> # we do not let anything pass through our proxy
> via off
> forwarded_for off
> follow_x_forwarded_for deny all
> # ports we will allow
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow localhost manager
> http_access deny manager

You have another set of rules at the bottom of the config for manager access. These rules let sqstat etc through without logging in; the ones at the bottom require login.

If you need sqstat etc to login, then remove these manager lines.

If you need sqstat etc to get through without login, then:
 * remove the above lines, and
 * move the sqstat rules from the bottom of the config up to just below the CONNECT rule below here.

> # We allow the unsafe ports
> http_access allow !Safe_ports
> http_access allow CONNECT !SSL_ports

The above rules are supposed to be _preventing_ hacking attacks through your proxy. The default lines were very carefully designed to add that protection without overriding your local policies. The change to make the above use "allow" lets anybody through the proxy without any control (ouch).

Please return that to the default:
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports


Your rules for the 'manager' ACL should go somewhere after these rules. (That Best Practice has changed recently, so the 3.3 default config does not do it right.)


> debug_options ALL,9
> ########################################################
> #auth ldap#
> ########################################################
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -P -R -b "dc=empresa,dc=cuba,dc=cu" -D cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu -W /etc/squid3/clave.txt -f sAMAccountName=%s -v 3 -s sub -h 172.16.4.10
> external_acl_type Group %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -b "dc=empresa,dc=cuba,dc=cu" -D cn=cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu -W /etc/squid3/clave.txt -f "(&(objectclass=user)(sAMAccountName=%u) (memberof=cn=%g,dc=empresa,dc=cuba,dc=cu))" -h 172.16.4.10

Is there actually a space in the middle of that -f parameter string?
I'm not very familiar with LDAP syntax, but the other configs I have seen using it do not have a space there.

NP: If it helps, Squid understands line wrapping in squid.conf. Just add a '\' as the last character and some whitespace at the beginning of the next line. That can help avoid email wrap problems.


> #######################################################
> # auth that does not work and must be fixed
> ##########################################################
> auth_param basic children 10
> auth_param basic realm hermes.empresa.cuba.cu
> auth_param basic credentialsttl 2 hour
> acl basic_ldap_auth proxy_auth REQUIRED
>
> http_access deny !basic_ldap_auth
> #http_access deny all
> ########################################################
> # selective restrictions #
> ########################################################
> acl dmz src 172.16.4.0/27
> acl navegacion src 192.168.9.0/24
> acl full external Group InternetFull
> acl limitado external Group InternetLimitado
> acl sociales dstdomain -n "/etc/squid3/bloqueo/sociales"
> acl extensiones urlpath_regex -i "/etc/squid3/bloqueo/listaextensiones"
> http_access deny !full sociales
> http_access deny !full !limitado navegacion
> http_access deny !full dmz


These extra changes are adding some new problems.

Earlier you had some allow lines to let the 'full' group use the proxy. They were okay [assuming that was what you wanted], only the way they interacted with the login ACL was broken.

You do need some allow lines to tell Squid what to allow for logged in users. The order you need for best use of authentication is this:

 # rules for things that do not require authentication
 http_access allow/deny ...

 # require authentication to happen
 http_access deny !login

 # rules for authenticated users
 http_access allow/deny ...

 # prevent any other / unexpected access of the proxy
 http_access deny all


It may help if you write out your policy in human language statements, being as simple as you can. Each statement will then usually be an http_access line, and you can shuffle the order around until the config file 'reads' correctly to both you/us and Squid.

Note: if you find yourself writing 'except' or 'unless' that means there are probably going to be multiple http_access lines to match your policy statement, with the exception ones being ordered first.


For example reading your current rules:

> http_access deny !full sociales

* "everyone not in group full are denied access to sociales domains"

> http_access deny !full !limitado navegacion

* "everyone not in group full and not in group limitado and on a navegacion machine are denied"

-> see how this is very clumsy to write in human language. That probably means a mistake and things could be simpler.

> http_access deny !full dmz

* "everyone not in group full and coming from dmz are denied"


It is usually better to design in a way that avoids so many '!' / not statements. That is both easier for us humans to read and understand, and usually faster for Squid to process - especially when it has to pause the transaction and wait for a helper response on each ACL test.

e.g. from what you have mentioned so far I think you want to end up with something like this:

 # ... some rules for anything 'full' group are denied ?

 # otherwise, 'full' group are allowed through unrestricted
 http_access allow full

 # ... things denied to everyone outside the 'full' group
 http_access deny dmz
 http_access deny sociales

 # ... navegacion are allowed if their user is in 'limitado' group
 #     (except to 'sociales' domains)
 http_access allow navegacion limitado

 # no more things are allowed
 http_access deny all



> ########################################################
> # mandatory restrictions #
> ########################################################
> #acl blacklist url_regex -i "/etc/squid3/listanegra"
> #http_access deny blacklist
> acl bl7 dstdomain -n "/etc/squid3/bloqueo/correos"
> #http_access allow full !limitado bl7
> acl bl1 url_regex -i "/etc/squid3/bloqueo/porno"
> #http_access deny bl1
> acl bl2 url_regex -i "/etc/squid3/bloqueo/android"
> #http_access deny bl2
> acl bl3 url_regex -i "/etc/squid3/bloqueo/prox1"
> #http_access deny bl3
> acl bl4 url_regex -i "/etc/squid3/bloqueo/prox2"
> #http_access deny bl4
> acl bl5 url_regex -i "/etc/squid3/bloqueo/prox3"
> #http_access deny bl5
> acl bl6 url_regex -i "/etc/squid3/bloqueo/prox4"
> #http_access deny bl6
> #acl ladmin src "/etc/squid3/ladmin"
>
>
> #########################################################################
> # parent proxy #
> #########################################################################
> cache_peer 172.16.1.24 parent 8000 0
> # never allow direct connections, always go through the parent proxy
> never_direct allow all
> #######################################################################
> # port the proxy will listen on
> http_port 3128
> ###############################################################################
> maximum_object_size 100 MB
> cache_dir aufs /var/cache/squid3 1024000 16 256
> cache_mem 128 MB
> cache_store_log /var/cache/squid3/cache_store.log
> coredump_dir /var/cache/squid3/dump
> #minimum_expiry_time 600 seconds
> ############################
> client_db off
> offline_mode off
> cache_swap_low 5
> cache_swap_high 10
> cache_replacement_policy heap GDSF
> maximum_object_size_in_memory 256 KB
> chunked_request_body_max_size 4096 KB
> half_closed_clients off
> quick_abort_min 2 KB
> ############################
> # put the core dump files in /var/cache/squid3/
> coredump_dir /var/cache/squid3/
> ###############################################################################
> # Set the cache refresh patterns #
> # refresh pattern -- file type -- object age -- % refresh -- time #
> # 1440 minutes equal 24 hours #
> ###############################################################################
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i \.(gif|png|jpg|jpeg|ico)$ 10080 20% 43200 override-expire ignore-no-store ignore-private
> refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 20% 432000 override-expire ignore-no-store ignore-private
> #refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> max_filedescriptors 3200
> ## how much squid tries to cache on my behalf
> read_ahead_gap 256 KB
> #################
> #sqstat
> #################
> #acl manager proto cache_object
> # replace 10.0.0.1 with your webserver IP
> acl webserver src 172.16.4.25/27
> http_access allow manager webserver
> http_access allow localhost manager
> http_access deny manager
> ###############################################################################
> #Delay#
> ###############################################################################
> client_delay_initial_bucket_level 60
> delay_initial_bucket_level 75
> delay_pools 2
> memory_pools off
>
> # Channel 1: extensions.
> delay_class 1 2
> delay_parameters 1 16384/32768 8192/16384
> delay_access 1 allow sociales extensiones
> delay_access 1 deny all
>
> # Channel 2: for users.
> delay_class 2 2
> delay_parameters 2 65536/65536 32768/32768
> delay_access 2 allow navegacion
> delay_access 2 deny all
> http_access deny all
> #end of line
> ####################################################################################
####################################################################################




> PD: Please forgive my english, it's not my native language.
>
> --
> Saludos Cordiales
>
> Lic. Alex Gutiérrez Martínez

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
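As an added example (not code from this thread, and not Squid's own evaluator), here is a small Python model of the way Squid walks its http_access list: first matching line wins, all ACL terms on a line are ANDed, '!' negates a term, and when nothing matches the result is the opposite of the last line's action. It replays the two comparisons made in the reply above: the posted "allow !Safe_ports" lines against the default "deny" lines, and the deny-only group rules against the reordered suggestion. The ACL names are the ones from the posted config; the sample requests, and the set of ACLs each one is assumed to match, are constructed for the example.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Modelled semantics, following the squid.conf documentation:
  - lines are tested top to bottom; the first line that matches wins;
  - every ACL term on a line must match (logical AND); '!' negates a term;
  - the built-in ACL 'all' matches every request;
  - if no line matches, the result is the opposite of the last line's action.
A request is described only by the set of ACL names that would match it.
Real Squid evaluates the ACLs itself (src, dstdomain, proxy_auth, external
helpers ...); this model takes those outcomes as given (an assumption)."""


def parse_http_access(text):
    """Parse 'http_access allow|deny term [term ...]' lines into (action, terms)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if len(words) < 3 or words[0] != "http_access" or words[1] not in ("allow", "deny"):
            raise ValueError(f"unsupported line: {line!r}")
        rules.append((words[1], words[2:]))
    return rules


def term_matches(term, matching_acls):
    """One ACL term, with optional leading '!', against the request's ACL set."""
    negate = term.startswith("!")
    name = term[1:] if negate else term
    hit = name == "all" or name in matching_acls
    return not hit if negate else hit


def http_access(rules, matching_acls):
    """Return 'allow' or 'deny' for a request matching the given ACL names."""
    for action, terms in rules:
        if all(term_matches(t, matching_acls) for t in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# Port-protection lines as posted (allow) versus the Squid default (deny),
# each followed by the login requirement and the final catch-all.
PORTS_AS_POSTED = """
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access deny !basic_ldap_auth
http_access deny all
"""
PORTS_DEFAULT = PORTS_AS_POSTED.replace("http_access allow", "http_access deny")

# Group policy as posted (deny lines only) versus the reordered suggestion.
POLICY_AS_POSTED = """
http_access deny !basic_ldap_auth
http_access deny !full sociales
http_access deny !full !limitado navegacion
http_access deny !full dmz
http_access deny all
"""
POLICY_SUGGESTED = """
http_access deny !basic_ldap_auth
http_access allow full
http_access deny dmz
http_access deny sociales
http_access allow navegacion limitado
http_access deny all
"""

# Constructed sample requests: description -> ACL names the request matches.
# Ordinary port-80 requests match Safe_ports; CONNECT to port 25 matches neither
# Safe_ports nor SSL_ports and carries no login.
REQUESTS = {
    "no login, CONNECT to port 25": {"CONNECT"},
    "full user, navegacion, sociales site": {"Safe_ports", "basic_ldap_auth", "full", "navegacion", "sociales"},
    "limitado user, navegacion, normal site": {"Safe_ports", "basic_ldap_auth", "limitado", "navegacion"},
    "limitado user, navegacion, sociales site": {"Safe_ports", "basic_ldap_auth", "limitado", "navegacion", "sociales"},
    "limitado user, dmz, normal site": {"Safe_ports", "basic_ldap_auth", "limitado", "dmz"},
    "no login, navegacion, normal site": {"Safe_ports", "navegacion"},
}


def decide(config_text, request_name):
    """Evaluate one named sample request against one http_access listing."""
    return http_access(parse_http_access(config_text), REQUESTS[request_name])


if __name__ == "__main__":
    listings = (("ports as posted", PORTS_AS_POSTED), ("ports default", PORTS_DEFAULT),
                ("policy as posted", POLICY_AS_POSTED), ("policy suggested", POLICY_SUGGESTED))
    for label, cfg in listings:
        print(f"== {label}")
        for name in REQUESTS:
            print(f"  {decide(cfg, name):5}  {name}")
```

Running it shows the two points of the reply in one table: with the posted "allow !Safe_ports" line, a CONNECT to a non-safe port is allowed before the login rule is ever reached, while the default "deny" stops it; and the posted deny-only group rules end at "deny all" for every logged-in user, whereas the reordered listing lets 'full' users through, blocks dmz and sociales for everyone else, and admits navegacion machines only for 'limitado' users.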



