On 12/03/21 3:56 am, Ben Goz wrote:
On 11/03/2021 16:44, Amos Jeffries wrote:
On 12/03/21 3:37 am, Ben Goz wrote:
On 11/03/2021 15:50, Antony Stone wrote:
On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
Tell us about your network setup and what you are trying to achieve - we
might be able to suggest solutions.
End users machine using some client application while their system
proxy points to the above squid proxy server.
Please also provide your squid.conf settings so we can check they
achieve your described need(s) properly. At least any lines starting
with the http_access, auth_param, acl, or external_acl_type directives
would be most useful.
Do not forget to anonymize sensitive details before posting. PLEASE do
so in a way that we can tell whether a hidden value was correct for
its usage, and whether any two hidden values are the same or different.
It's fork of default configuration with some changes.
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports
Please restore this security protection. It prevents malware abusing
HTTP's similarity to certain other protocols to perform attacks
*through* your proxy.
The default Safe_ports list allows all ports not known to be dangerous,
and all ports above 1024. So it should not have any noticeable effect on
any legitimate HTTP proxy clients - unless there is something really
dodgy happening on your network. If you actually want something like
that happening, then add the appropriate port for that activity to the
Safe_ports list. Do not drop the protection completely.
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
The same can be said about this. Except this line is arguably even more
important. CONNECT tunnels can literally contain anything. Let clients
do things by adding ports to the SSL_ports list as needed.
Please do some due-diligence checks before that to verify you are okay
with all the uses of that port. Even ones you think the client
themselves is unlikely to be doing. Once you open a port here *anyone*
with access to the proxy can do whatever they like on that port.
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
auth_param basic realm proxy
I notice you are missing a line setting the login TTL value.
There is currently a potential problem in the default which means Squid
encounters situations where the credentials are seen as still going to
be valid for hours so do not get refreshed. But garbage collection
decides to throw them away.
This may not be related to the complaints you reported getting. But
should be fixed to ensure the side effect of having to re-authenticate
users does not complicate your actual problem.
"auth_param basic credentialsttl ..." sets how often Squid will re-check
your auth system to confirm the user is still allowed. Default: 2 hr.
"authenticate_ttl ..." sets how often Squid will try to throw away all
info about old clients being logged in. Default: 1 hr.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
I recommend a slightly different form of check for logins. It prevents
the situation where a user trying the wrong credentials gets a loop of
popups.
Like so:
http_access deny !authenticated
That guarantees they are not asked to login again if their software
agent (aka browser, or such) provided or can locate the proper credentials.
After that you can add other rules about what the logged in users can
do. eg allow them to do whatever they want. Like so:
http_access allow all
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
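As an added example (not part of this thread and not Squid's own code): a toy first-match evaluator for squid.conf http_access rules, used to see what the two commented-out deny lines and the "deny !authenticated" form change for a few sample requests. The two configs are constructed from the thread (the poster's relaxed version, and the same file with the reply's recommendations applied); the 192.168.0.0/16 localnet range, the sample client addresses and the credentials state are assumptions. Only the ACL types used in the thread (src, port, method, proxy_auth REQUIRED) plus the built-ins all, localhost and manager are modelled; auth_param and authenticate_ttl lines are shown but not evaluated, and Squid's 407 challenge behaviour is not simulated, so a request without credentials simply evaluates as "deny".

```python
"""Toy model of Squid's first-match http_access evaluation (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed config: the relaxed version from the thread (protections
# commented out, access granted only by 'allow authenticated' as last line).
RELAXED_CONF = """
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
"""

# Constructed config: same file with the reply's recommendations applied
# (deny lines restored, TTLs set explicitly, deny !authenticated + allow all).
HARDENED_CONF = """
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
auth_param basic credentialsttl 2 hours
authenticate_ttl 1 hour
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow all
"""


@dataclass
class Request:
    """A client request as seen by the access controls (constructed)."""
    src: str                          # client IP address
    method: str                       # HTTP method, e.g. GET or CONNECT
    port: int                         # destination port
    credentials_valid: bool = False   # True only if valid login was presented
    path: str = "/"                   # URL path; used for the manager ACL


def parse(conf):
    """Collect acl definitions and http_access rules; ignore other directives."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":                 # acl NAME TYPE value...
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":       # http_access allow|deny [!]acl...
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            rules.append((words[1], terms))
    return acls, rules


def port_matches(values, port):
    """Match a port against single ports and lo-hi ranges such as 1025-65535."""
    for value in values:
        lo, _, hi = value.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acls, name, req):
    if name == "all":
        return True
    if name == "localhost":
        return ipaddress.ip_address(req.src).is_loopback
    if name == "manager":                     # cache manager URL path
        return req.path.startswith("/squid-internal-mgr/")
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return port_matches(values, req.port)
    if kind == "method":
        return req.method in values
    if kind == "proxy_auth":                  # REQUIRED: any valid login matches
        return req.credentials_valid
    raise ValueError(f"acl type {kind!r} is not modelled here")


def evaluate(conf, req):
    """First http_access line whose ACLs all match wins; if none matches,
    the opposite of the last line's action applies (Squid's documented rule)."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    samples = [
        Request("10.1.2.3", "CONNECT", 25, credentials_valid=True),   # tunnel to SMTP
        Request("192.168.1.10", "CONNECT", 8443),                     # non-SSL_ports port
        Request("192.168.1.10", "GET", 80),                           # localnet, no login
        Request("10.1.2.3", "GET", 443),                              # outsider, no login
    ]
    for req in samples:
        print(req, "relaxed:", evaluate(RELAXED_CONF, req),
              "hardened:", evaluate(HARDENED_CONF, req))
```

Running it shows the two points the reply makes: with the deny lines commented out, a logged-in client may CONNECT to port 25 through the proxy, while the restored lines refuse it and refuse CONNECT to 8443 until that port is added to SSL_ports; and because "allow localnet" precedes the authentication check in both files, localnet clients are never asked to log in at all, so the popup-loop fix only affects clients that reach the "deny !authenticated" line.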