On 12/06/20 12:29 am, Amiq Nahas wrote:
> On Wed, Jun 10, 2020 at 8:07 PM Amos Jeffries wrote:
>>
>> On 10/06/20 9:26 pm, Amiq Nahas wrote:
>>> Hi Guys,
>>>
>>> I am trying to configure squid so as to have user proxy
>>> authentication. Below is what my squid.conf file looks like:
>>>
>>> -----
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80          # http
>>> acl Safe_ports port 21          # ftp
>>> acl Safe_ports port 443         # https
>>> acl Safe_ports port 70          # gopher
>>> acl Safe_ports port 210         # wais
>>> acl Safe_ports port 1025-65535  # unregistered ports
>>> acl Safe_ports port 280         # http-mgmt
>>> acl Safe_ports port 488         # gss-http
>>> acl Safe_ports port 591         # filemaker
>>> acl Safe_ports port 777         # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> http_access allow localhost
>>> http_access deny all
>>> http_port 3128
>>> coredump_dir /var/spool/squid
>>>
>>> refresh_pattern ^ftp:           1440    20%     10080
>>> refresh_pattern ^gopher:        1440    0%      1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>>> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
>>> refresh_pattern .               0       20%     4320
>>> -----
>>>
>>> The above lines were the defaults in the squid.conf file.
>>>
>>> I have added the lines below:
>>>
>>
>> *Where* did you add them? Order is important.
>
> I have added the below lines exactly in this order at the end of the
> file squid.conf.
>

That is the wrong place to be adding the http_access part of your custom
config.
>>> -----
>>> icap_enable on
>>> icap_send_client_ip on
>>> icap_send_client_username on
>>> icap_client_username_header X-Authenticated-User
>>> icap_preview_enable on
>>> icap_preview_size 1024
>>>
>>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
>>> adaptation_access service_req allow all
>>>
>>> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
>>> adaptation_access service_resp allow all
>>>
>>> acl ncsa src 0.0.0.0/0.0.0.0
>>
>> Don't do that. Use "all" to match any IP address.
>>
>> If you want to match IPv4-only clients there is a special value "ipv4"
>> which is used like so:
>>   acl ipv4_only src ipv4
>>
>> Be careful with this type of control. Different access behaviours for
>> IPv4 and IPv6 are how security bypass issues are created.
>>
>>
>>
>>> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
>>> auth_param basic realm proxy
>>> acl ncsa proxy_auth REQUIRED
>>
>> "ncsa" was already defined as an IP address matching ACL.
>>
>>
>>> http access allow ncsa
>>
>>
>> This will only allow clients who are already trying to send credentials.
>> It will not inform clients that they need to, and no sane client will
>> broadcast its credential secrets unless it has to.
>>
>> To have HTTP auth work in the usual way it is best to *deny*
>> non-authenticated traffic and allow based on any other criteria you
>> have. Like so:
>>
>>   http_access deny !ncsa
>>   http_access allow localnet
>>
>> or
>>
>>   http_access deny !ncsa
>>   http_access allow ncsa
>
> So I changed the configuration according to what you suggested and now
> I can access the internet.
> Below is what the configuration now looks like:
>
>   acl ncsa src all

That is the same as the built-in "all" ACL ...

>   auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
>   auth_param basic realm proxy
>   acl authenticated proxy_auth REQUIRED
>   http_access allow authenticated ncsa

...
which makes the above line the same as:

  http_access allow authenticated all

Which actively *prevents* Squid from requesting credentials from clients.

>
> I am able to access the internet now, does this mean that everything
> worked fine?

No. There are many ways to configure Squid to allow traffic through.
Most of them do not in any way match your policy.

> I am asking because I will be using this proxy
> authentication setup in c-icap for setting up the url_check service.
> Also I am not prompted for any password, I am able to access the
> internet just like that. Is that how it is supposed to work?

It is what you currently configured to be happening.

I wrote earlier that you needed something like this:

  http_access deny !ncsa
  http_access allow localnet

That needs to be in sequence with the other http_access rules in your
config:

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost manager
  http_access deny manager
  acl authenticated proxy_auth REQUIRED
  http_access deny !authenticated
  http_access allow localhost
  http_access deny all

> because if
> I don't need to enter the password before browsing the web what would
> be the point of it all. Right? Or am I missing something here?

You are missing the order in which http_access rules are applied.

> I have been using this article for reference
> http://hevi.info/do-it-yourself/install-and-setup-squid3-on-ubuntu-14-04-with-authentication/
>

Please notice that while the individual steps of the tutorial itself are
correct, they omit very important details like where to place the config
settings. Like I said at the beginning, order is important.

And the followup comments are from people with non-working setups or
wrong answers.
The Squid wiki contains the authoritative information on how to use HTTP
authentication in Squid:
<https://wiki.squid-cache.org/Features/Authentication>

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
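The ordering rules Amos lays out above (the proxy_auth ACL defined before the http_access line that uses it, "deny !authenticated" placed before any allow that grants client traffic, and never "allow <auth acl> all" or an "src all" lookalike after the auth ACL) can be checked offline before reloading Squid. The script below is an added example written for this page; it is not from the thread, the Squid project or the linked tutorial. It is a plain-text lint over a squid.conf, not a run of Squid's own parser, and it makes two assumptions of its own: only "manager" is treated as a built-in ACL (so "allow localhost manager" is expected before the authentication deny), and an acl defined as "src all", "src 0.0.0.0/0.0.0.0" or "src 0.0.0.0/0" is treated exactly like the built-in "all", as the reply explains. The two sample configs are constructed for the example: one with the recommended ordering and one that appends the thread's custom lines after the default rules.

```shell
# Added example (not from the thread): offline lint for the http_access
# ordering mistakes discussed above. Reads a squid.conf on stdin, prints
# each finding with its line number and exits non-zero if any was found.
# Assumptions: only "manager" is treated as a built-in ACL, and an acl
# defined as "src all" / "src 0.0.0.0/0.0.0.0" is treated the same as "all".
check_auth_order() {
    awk '
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); L[NR] = $0; n = NR }
    END {
        bad = 0
        # pass 1: acl definitions; the first type seen for a name is kept
        for (i = 1; i <= n; i++) {
            m = split(L[i], f, /[ \t]+/)
            if (m < 3 || f[1] != "acl") continue
            name = f[2]; type = f[3]
            if (name in deftype) {
                if (deftype[name] != type) {
                    printf "line %d: acl %s redefined as %s (was %s on line %d)\n", i, name, type, deftype[name], defline[name]
                    bad = 1
                }
                continue
            }
            deftype[name] = type; defline[name] = i
            if (type == "proxy_auth") isauth[name] = 1
            if (type == "src" && (f[4] == "all" || f[4] == "0.0.0.0/0.0.0.0" || f[4] == "0.0.0.0/0")) isall[name] = 1
        }
        nauth = 0
        for (a in isauth) nauth++
        if (nauth == 0) { print "no proxy_auth ACL defined"; exit 1 }
        # pass 2: http_access rules in file order
        challenge = 0; firstallow = 0
        for (i = 1; i <= n; i++) {
            m = split(L[i], f, /[ \t]+/)
            if (m < 3 || f[1] != "http_access") continue
            action = f[2]; manager = 0; authpos = 0
            for (j = 3; j <= m; j++) {
                a = f[j]; neg = (substr(a, 1, 1) == "!")
                if (neg) a = substr(a, 2)
                if (a == "manager") manager = 1
                if (a in isauth) {
                    if (defline[a] > i) {
                        printf "line %d: auth ACL %s used before its acl line %d\n", i, a, defline[a]
                        bad = 1
                    }
                    if (action == "deny" && neg && !challenge) challenge = i
                    if (action == "allow" && !neg) authpos = j
                } else if ((a == "all" || (a in isall)) && action == "allow" && authpos) {
                    printf "line %d: \"allow %s %s\" matches every client and never challenges; use \"deny !%s\"\n", i, f[authpos], f[j], f[authpos]
                    bad = 1
                }
            }
            if (action == "allow" && !manager && !challenge && !firstallow) {
                firstallow = i
                printf "line %d: client allow rule comes before any \"http_access deny !<proxy_auth acl>\"\n", i
                bad = 1
            }
        }
        if (!challenge) {
            print "no \"http_access deny !<proxy_auth acl>\" line found; clients are never asked for credentials"
            bad = 1
        }
        exit bad
    }'
}

# Constructed sample 1: the ordering recommended in the reply above.
GOOD_CONF='acl Safe_ports port 80
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow localhost
http_access deny all'

# Constructed sample 2: the defaults with the custom lines appended at the
# end of the file, combining the mistakes quoted in the thread.
BAD_CONF='acl Safe_ports port 80
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
acl ncsa src 0.0.0.0/0.0.0.0
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
acl ncsa proxy_auth REQUIRED
acl authenticated proxy_auth REQUIRED
http_access allow authenticated ncsa'

for name in GOOD_CONF BAD_CONF; do
    eval "conf=\$$name"
    if printf '%s\n' "$conf" | check_auth_order; then echo "$name: ok"; else echo "$name: rejected"; fi
done
```

Run it as `check_auth_order < /etc/squid/squid.conf` before `squid -k reconfigure`. On the second sample it reports the "ncsa" type clash, the "allow localhost" rule that sits before any authentication deny, and the "allow authenticated ncsa" line that can never produce a credential challenge, which is exactly the symptom described in the thread (browsing works, no password prompt).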