On 7/9/20 6:50 PM, Amos Jeffries wrote:
> On 10/07/20 9:54 am, Orion Poplawski wrote:
>> Hello -
>>
>> We're using a setup like this:
>>
>> client -> e2guardian -> squid -> internet
>>
>> e2guardian is providing filtering and SSL inspection. Currently we only allow access to e2guardian from our internal network. Currently we enforce that access to squid comes from localhost, except for some specific sites which do not work with SSL inspection. Then we allow:
>>
>> client -> squid -> internet
>>
>> This is based on the (non-forwarded) client IP. We would like to open up access to e2g from the internet but require authentication in that case.
>
> Okay.
>
>> This would require the use of forwarded IPs so that squid could distinguish between them (e2g does not do auth directly - it lets squid handle that). But then this breaks our config above because we no longer can distinguish between connections from e2g and direct ones.
>
> How do you come to that conclusion?
I don't know how to distinguish between connections that go through e2g and connections that do not. Currently anything with a client IP of localhost has gone through e2g. Anything with a different client IP has not. If I use the X-Forwarded-As IP to distinguish between internal and external (for auth purposes) I no longer know how to distinguish between forwarded connections and non-forwarded connections. Is there a forwarded flag that can be used as an acl? I couldn't see anything in the acl docs.
> What is your Squid version?
3.5.20 (EL7), though I may be able to update 4.4 (EL8).
> What is your current squid.conf contents?
This is part of our ansible template. Essentially we have a list of hosts in "Allowed_SSL_Hosts" and "Allowed_HTTP_Hosts" that we allow any client to connect directly through squid to (via HTTPS/HTTP respectively).
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

acl SSL_ports port 443
acl SSL_ports port 563 # smtps
acl SSL_ports port 5228 # mtalk.google.com
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT

acl Allowed_SSL_Hosts ssl::server_name {{ ansible_nodename }}
# We can't MITM these, but allow them through the proxy
{% for domain in allowed_ssl_hosts %}
acl Allowed_SSL_Hosts ssl::server_name {{ domain }}
{% endfor %}

# Some hosts present problems for e2guardian for unknown reasons
{% for domain in allowed_http_hosts %}
acl Allowed_HTTP_Hosts dstdomain {{ domain }}
{% endfor %}

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# macOS Catalina is using CONNECT to gs.apple.com:80
http_access allow localnet Allowed_HTTP_Hosts

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

# All traffic should be coming via e2guardian on localhost
http_access allow localhost

# Allow certain sites to be connected to directly
http_access allow CONNECT localnet Allowed_SSL_Hosts

# Allow some users/applications to connect from outside
auth_param digest realm "NWRA Proxy"
auth_param digest program /usr/lib64/squid/digest_file_auth /etc/squid/passwd
# freshclam only supports basic auth - https://bugzilla.clamav.net/show_bug.cgi?id=12468
auth_param basic realm "NWRA Proxy"
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/htpasswd
acl authenticated_users proxy_auth REQUIRED
http_access allow CONNECT authenticated_users Allowed_SSL_Hosts
# freshclam 0.101.5 uses HTTP
http_access allow authenticated_users Allowed_HTTP_Hosts

# And finally deny all other access to this proxy
http_access deny all

Thank you,
  Orion

--
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                    orion@xxxxxxxx
Boulder, CO 80301                     https://www.nwra.com/
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
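The question the thread leaves open is how Squid can keep telling e2guardian traffic apart from direct connections once it starts trusting forwarded client addresses. The fragment below is an added example, not a reply from the thread and not configuration from the Squid or e2guardian projects; it reuses the ACL names from the config above and assumes a Squid build with follow_x_forwarded_for support (3.5 or later), that e2guardian is repointed at 127.0.0.1 port 3129 and configured to send X-Forwarded-For, and that direct clients keep using port 3128. The port numbers and the `name=` labels are assumptions. The idea is to decide "came via e2guardian" from the listening socket that accepted the connection (the `myportname` ACL), which a client cannot influence with request headers, and to believe X-Forwarded-For only when the direct peer is the loopback address, so a direct client that adds its own X-Forwarded-For header is still evaluated by its real source address.

```conf
# Two listening sockets: one reachable only by e2guardian on loopback,
# one for everything else. The name= labels are assumed values.
http_port 127.0.0.1:3129 name=e2gport
http_port 3128 name=directport

# Trust the X-Forwarded-For chain only when the direct peer is localhost,
# i.e. e2guardian. Anything a remote client puts in that header is ignored.
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all

# Default is already "on": src ACLs below see the forwarded (indirect)
# client address for e2guardian traffic and the real peer address otherwise.
acl_uses_indirect_client on

# "Came via e2guardian" is decided by the accepting socket, not by headers.
acl from_e2g myportname e2gport

acl authenticated_users proxy_auth REQUIRED

# Keep the existing Safe_ports / SSL_ports / manager / to_localhost denies
# from the config above at this point, unchanged.

# Traffic filtered by e2guardian: internal clients pass as before,
# external clients (now visible through X-Forwarded-For) must authenticate.
http_access allow from_e2g localnet
http_access allow from_e2g authenticated_users

# Direct traffic bypassing e2guardian: only the listed exception sites,
# internal clients without auth and everyone else with auth.
http_access allow !from_e2g CONNECT localnet Allowed_SSL_Hosts
http_access allow !from_e2g localnet Allowed_HTTP_Hosts
http_access allow !from_e2g CONNECT authenticated_users Allowed_SSL_Hosts
http_access allow !from_e2g authenticated_users Allowed_HTTP_Hosts

http_access deny all
```

With this layout the `http_access allow localhost` line from the original config is no longer needed, because once Squid uses the indirect client address, requests relayed by e2guardian no longer look like they come from localhost; `from_e2g` takes over that role. If the loopback port were ever reachable from other hosts, the `myportname` distinction would be worthless, so the 127.0.0.1 bind address is the part that carries the trust decision.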