On 10/06/20 9:26 pm, Amiq Nahas wrote:
> Hi Guys,
>
> I am trying to configure squid so as to have user proxy
> authentication. Below is what my squid.conf file looks like:
>
> -----
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny all
> http_port 3128
> coredump_dir /var/spool/squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
> -----
>
> The above lines were the defaults in the squid.conf file.
>
> I have added the lines below:

*Where* did you add them? Order is important.

> -----
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
>
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
> adaptation_access service_req allow all
>
> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
> adaptation_access service_resp allow all
>
> acl ncsa src 0.0.0.0/0.0.0.0

Don't do that. Use "all" to match any IP address.

If you want to match IPv4-only clients there is a special value "ipv4" which is used like so:

  acl ipv4_only src ipv4

Be careful with this type of control. Different access behaviours for IPv4 and IPv6 are how security bypass issues are created.

> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> auth_param basic realm proxy
> acl ncsa proxy_auth REQUIRED

"ncsa" was already defined as an IP address matching ACL.

> http_access allow ncsa

This will only allow clients who are already trying to send credentials. It will not inform clients that they need to, and no sane client will broadcast its credential secrets unless it has to.

To have HTTP auth work in the usual way it is best to *deny* non-authenticated traffic and allow based on any other criteria you have. Like so:

  http_access deny !ncsa
  http_access allow localnet

or

  http_access deny !ncsa
  http_access allow ncsa

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
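As an added illustration (not part of Amos's reply or the original post), this is how the access section could be assembled with the points he raises: a distinct name for the proxy_auth ACL, the deny-first challenge rule, and every new rule placed above the final `http_access deny all`. The `localnet` subnet is an assumed example value; the helper path and realm come from the original post, and the ICAP directives are left out since they do not affect access ordering.

```conf
# Authentication helper (values from the original post)
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy

# ACL definitions. "authenticated" is used instead of "ncsa" so the
# proxy_auth ACL does not collide with a src ACL of the same name.
acl localnet src 192.168.0.0/16          # assumed client subnet (example)
acl authenticated proxy_auth REQUIRED

acl SSL_ports port 443
acl Safe_ports port 80                   # http
acl Safe_ports port 21                   # ftp
acl Safe_ports port 443                  # https
acl Safe_ports port 70                   # gopher
acl Safe_ports port 210                  # wais
acl Safe_ports port 1025-65535           # unregistered ports
acl Safe_ports port 280                  # http-mgmt
acl Safe_ports port 488                  # gss-http
acl Safe_ports port 591                  # filemaker
acl Safe_ports port 777                  # multiling http
acl CONNECT method CONNECT

# Rules are evaluated top to bottom; the first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Deny first: a client with no credentials matches !authenticated and
# receives a 407 challenge, so it knows it must send them.
http_access deny !authenticated
# Only clients that passed the challenge reach this line.
http_access allow localnet
http_access allow localhost

# Everything above must sit before this catch-all, or it is never reached.
http_access deny all

http_port 3128
coredump_dir /var/spool/squid
```

Run `squid -k parse` after editing to confirm the file is accepted before reloading.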