On Wed, Jun 10, 2020 at 8:07 PM Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
> On 10/06/20 9:26 pm, Amiq Nahas wrote:
> > Hi Guys,
> >
> > I am trying to configure squid so as to have user proxy
> > authentication, below is how my squid.conf file looks like:
> >
> > -----
> > acl SSL_ports port 443
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost manager
> > http_access deny manager
> > http_access allow localhost
> > http_access deny all
> > http_port 3128
> > coredump_dir /var/spool/squid
> >
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
> > refresh_pattern . 0 20% 4320
> > -----
> >
> > The above lines were default in squid.conf file.
> >
> > I have added below lines:
> >
>
> *Where* did you add them? Order is important.

I have added the below lines exactly in this order at the end of the
file squid.conf.

> > -----
> > icap_enable on
> > icap_send_client_ip on
> > icap_send_client_username on
> > icap_client_username_header X-Authenticated-User
> > icap_preview_enable on
> > icap_preview_size 1024
> >
> > icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
> > adaptation_access service_req allow all
> >
> > icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
> > adaptation_access service_resp allow all
> >
> > acl ncsa src 0.0.0.0/0.0.0.0
>
> Don't do that. Use "all" to match any IP address.
>
> If you want to match IPv4-only clients there is a special value "ipv4"
> which is used like so:
>   acl ipv4_only src ipv4
>
> Be careful with these types of control. Different access behaviours for
> IPv4 and IPv6 is how security bypass issues are created.
>
> >
> > auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> > auth_param basic realm proxy
> > acl ncsa proxy_auth REQUIRED
>
> "ncsa" was already defined as an IP address matching ACL.
>
> >
> > http access allow ncsa
> >
>
> This will only allow clients who are already trying to send credentials.
> It will not inform clients that they need to and no sane client will
> broadcast its credential secrets unless it has to.
>
> To have HTTP auth work in the usual way it is best to *deny*
> non-authenticated traffic and allow based on any other criteria you
> have. Like so:
>
>   http_access deny !ncsa
>   http_access allow localnet
>
> or
>
>   http_access deny !ncsa
>   http_access allow ncsa

So I changed the configuration according to what you suggested and now
I can access the internet. Below is how the configuration now looks like:

acl ncsa src all
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated ncsa

I am able to access the internet now, does this mean that everything
worked fine? I am asking because I will be using this proxy
authentication setup in c-icap for setting up the url_check service.

Also I am not prompted for any password, I am able to access the
internet just like that. Is that how it is supposed to work? Because if I
don't need to enter the password before browsing the web, what would be
the point of it all. Right? Or am I missing something here?

I have been using this article for reference
http://hevi.info/do-it-yourself/install-and-setup-squid3-on-ubuntu-14-04-with-authentication/

Thanks
Amiq
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
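
Added example, not part of the original thread and not Squid's own code: a small model of first-match http_access evaluation, run over the rule order from the message (auth rule appended after `http_access deny all`) and over a reordered list using the `deny !<auth ACL>` pattern quoted in the reply. Assumptions: the client browses from the proxy host itself, `proxy_auth REQUIRED` is reduced to a boolean, and `acl_matches`, `decide` and the sample requests are constructed for illustration.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code):
# rules are read top to bottom, a rule matches when every ACL on it matches,
# and the first matching rule decides.
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}

def acl_matches(name, req):
    """Evaluate one ACL name, optionally negated with '!', against a request."""
    negate, name = name.startswith("!"), name.lstrip("!")
    checks = {
        "all": True,
        "ncsa": True,  # 'acl ncsa src all' from the post
        "localhost": req["src"] in ("127.0.0.1", "::1"),
        "manager": False,  # constructed requests are not cache-manager requests
        "Safe_ports": req["port"] in SAFE_PORTS or req["port"] >= 1025,
        "SSL_ports": req["port"] == 443,
        "CONNECT": req["method"] == "CONNECT",
        "authenticated": req["creds_ok"],  # proxy_auth REQUIRED as a boolean (assumption)
    }
    return checks[name] != negate

def decide(rules, req):
    """Return (action, rule) for the first http_access line whose ACLs all match."""
    for rule in rules:
        _, action, *acls = rule.split()
        if all(acl_matches(a, req) for a in acls):
            return action, rule
    raise ValueError("no rule matched; every list here ends in 'deny all'")

DEFAULT = [
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access allow localhost manager",
    "http_access deny manager",
    "http_access allow localhost",
    "http_access deny all",
]
# Order described in the message: new rule at the end of squid.conf.
AS_POSTED = DEFAULT + ["http_access allow authenticated ncsa"]
# Auth check moved ahead of 'allow localhost', using the deny-first pattern.
REORDERED = DEFAULT[:4] + ["http_access deny !authenticated"] + DEFAULT[4:]

# Constructed sample requests.
LOCAL_ANON = {"src": "127.0.0.1", "port": 80, "method": "GET", "creds_ok": False}
LOCAL_AUTH = dict(LOCAL_ANON, creds_ok=True)
REMOTE_AUTH = dict(LOCAL_AUTH, src="192.0.2.10")

if __name__ == "__main__":
    for label, rules, req in [("as posted, local, no creds", AS_POSTED, LOCAL_ANON),
                              ("as posted, remote, creds", AS_POSTED, REMOTE_AUTH),
                              ("reordered, local, no creds", REORDERED, LOCAL_ANON),
                              ("reordered, local, creds", REORDERED, LOCAL_AUTH)]:
        print(label, "->", decide(rules, req))
```

In the posted order the appended auth rule is never reached: a local request is allowed by `http_access allow localhost` without credentials, and any other client stops at `http_access deny all`.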