Re: How to deal with proxy authentication bypass

Thank you Amos as always.
My current configuration has not changed much, it is as follows:

visible_hostname s-px4.mydomain.local
http_port 3128
error_directory /opt/squid-503/share/errors/es-ar
forwarded_for transparent
shutdown_lifetime 0 seconds
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
read_timeout 5 minutes
request_timeout 3 minutes
cache_mem 1024 MB
maximum_object_size_in_memory 4 MB
memory_cache_mode always
ipcache_size 2048
fqdncache_size 4096
cache_mgr support@mydomain.local
httpd_suppress_version_string on
coredump_dir /opt/squid-503/var/cache/squid

auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on

auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=local" -D "cn=ldap,cn=Users,dc=mydomain,dc=local" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.local
auth_param basic children 30
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 4 hour

external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D MYDOMAIN.LOCAL
acl NO_INTERNET external NO_INTERNET_USERS

acl SSL_ports port 443
acl SSL_ports port 8543         # LiveU Central
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 81          # Coto "yo te conozco" ("I know you") donkey ports
acl Safe_ports port 623         # Coto "yo te conozco" ("I know you") donkey ports
acl Safe_ports port 8543        # LiveU Central management
acl Safe_ports port 18255       # LiveU Central files download
acl Safe_ports port 33080       # ddjj
acl Safe_ports port 9090        # asociart
acl Safe_ports port 8713        # handball results
acl Safe_ports port 8080        # cponline.org.ar


# Lists of domains and IPs
acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"
acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"
acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"
acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"
acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"
acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"
acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"

# Access lists
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl port_9000 port 9000
acl port_5061 port 5061
acl port_5065 port 5065
acl CONNECT method CONNECT

# Deny internet to members of the INTERNET_OFF group
http_access deny NO_INTERNET all

# Allow webex without authentication
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex

http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# default SQUID rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# Apply 20Mbit/s QoS to members of Active Directory Authenticated Users group
acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==
delay_pools 1
delay_class 1 1
delay_parameters 1 2500000/2500000
delay_access 1 allow Domain_Users

# Allow authenticated users to use internet and deny to all others
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all


Thank you very much in advance for your valuable help.
Best regards
Gabriel


On Tue, 29 Sep 2020 at 07:46, Amos Jeffries (squid3@xxxxxxxxxxxxx) wrote:
On 29/09/20 3:55 am, Service MV wrote:
> In my case I have the domains, for example from webex, which I get from
> their official support page. It seems that I am doing something wrong or
> I am not understanding well.
> I base on this documentation
> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
>
> The error I get is 407. I understand I should not request authentication
> to those domains with the configuration I have, but apparently it does.
>

In the (possibly outdated now) config you showed earlier the
"NO_INTERNET" ACL might produce a 407 if credentials are completely
missing, but not re-auth if they are invalid.
If you wish to have a free audit please post your current squid.conf
rules and I will comment on useful changes.


> Below I have a bandwidth control configuration with acl note, I don't
> know if that will be triggering the webex client authentication request.
> Maybe someone with more experience can tell me.

"note" ACL will match if the data is available but not trigger
authentication sequences. That is what makes it so useful for fast-group
access checking logins.


Amos
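As an added example (it is not part of Gabriel's posted config nor of Amos's reply), here is the http_access section of the posted squid.conf reordered so that the unauthenticated Webex bypass is evaluated before any ACL that can demand credentials. The ACL names are the ones defined in the posted config; the ordering itself is the assumed fix for the 407 that Amos attributes to the %LOGIN-based NO_INTERNET rule:

```squid
# Added example, not the posted config: same ACLs, reordered http_access.
# Assumption: the acl definitions (Safe_ports, SSL_ports, LS_webex,
# NO_INTERNET, authenticated, ...) are exactly those in the posted file.

# 1. Hard safety rules first (squid.conf.default order). All of these
#    are fast ACLs, so no authentication is requested yet.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# 2. Anonymous Webex bypass next. Only proto/port/method/dstdomain
#    ACLs are tested here, so a client without credentials is matched
#    and allowed before Squid ever has a reason to send a 407.
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex

# 3. Blocklists still apply to every remaining request.
http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# 4. Only now evaluate the external ACL. Its definition uses %LOGIN,
#    so each time this line is reached for a request without
#    credentials Squid challenges the client (407). Placing it after
#    the bypass keeps the challenge away from the Webex traffic.
http_access deny NO_INTERNET all

# 5. Everyone else must authenticate.
http_access allow authenticated
http_access deny all
```

Check the file with `squid -k parse` before `squid -k reconfigure`; afterwards a Webex request from a client that sends no Proxy-Authorization header should show in access.log as allowed (e.g. TCP_TUNNEL for CONNECT) instead of TCP_DENIED/407.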
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
