
Re: Protecting squid


On 12/03/21 3:56 am, Ben Goz wrote:

On 11/03/2021 16:44, Amos Jeffries wrote:
On 12/03/21 3:37 am, Ben Goz wrote:

On 11/03/2021 15:50, Antony Stone wrote:
On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:

Tell about your network setup and what you are trying to achieve - we might be
able to suggest solutions.

End users' machines use some client application while their system proxy points to the above squid proxy server.


Please also provide your squid.conf settings so we can check they achieve your described need(s) properly. At least any lines starting with the http_access, auth_param, acl, or external_acl_type directives would be most useful.

Do not forget to anonymize sensitive details before posting. PLEASE do so in a way that we can tell whether a hidden value was correct for its usage, and whether any two hidden values are the same or different.


It's a fork of the default configuration with some changes.

# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports



Please restore this security protection. It prevents malware abusing HTTP's similarity to certain other protocols to perform attacks *through* your proxy.

The default Safe_ports list allows all ports not known to be dangerous, and all ports above 1024. So it should not have any noticeable effect on any legitimate HTTP proxy clients - unless there is something really dodgy happening on your network. If you actually want something like that happening, then add the appropriate port for that activity to the Safe_ports list. Do not drop the protection completely.


# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports


The same can be said about this. Except this line is arguably even more important. CONNECT tunnels can literally contain anything. Let clients do things by adding ports to the SSL_ports list as needed.

Please do some due-diligence checks before that to verify you are okay with all the uses of that port. Even ones you think the client themselves is unlikely to be doing. Once you open a port here *anyone* with access to the proxy can do whatever they like on that port.



# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
auth_param basic realm proxy

I notice you are missing a line setting the login TTL value.

There is currently a potential problem in the default which means Squid encounters situations where the credentials are seen as still going to be valid for hours, so they do not get refreshed, but garbage collection decides to throw them away.

This may not be related to the complaints you reported getting, but it should be fixed to ensure the side effect of having to re-authenticate users does not complicate your actual problem.

"auth_param basic credentialsttl ..." sets how often Squid will re-check your auth system to confirm the user is still allowed. Default: 2 hr.

"authenticate_ttl ..." sets how often Squid will try to throw away all info about old clients being logged in. Default: 1 hr.


acl authenticated proxy_auth REQUIRED
http_access allow authenticated


I recommend a slightly different form of check for logins. It prevents the situation where a user trying the wrong credentials gets a loop of popups.

Like so:
 http_access deny !authenticated

That guarantees they are not asked to log in again if their software agent (aka browser, or such) provided or can locate the proper credentials.

After that you can add other rules about what the logged-in users can do, e.g. allow them to do whatever they want. Like so:
 http_access allow all


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
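A small check for the four points raised in this reply (the two commented-out protective denies, the missing credentialsttl, and the allow-vs-deny form of the login rule), written as an added example that is not part of the thread or of Squid itself; the sample config is constructed from the lines quoted above and the helper names are mine.

```python
"""Lint a squid.conf fragment for the access-control issues discussed in the thread."""

# Constructed sample: the poster's quoted lines, with the two protective
# denies left commented out exactly as they appeared in the thread.
SAMPLE_CONF = """\
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
"""


def parse_directives(text):
    """Return (directive, args) for every active line; '#' lines are comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def lint_squid_conf(text):
    """Return a list of findings (empty list means none of the four issues is present)."""
    directives = parse_directives(text)
    http_access = [a for name, a in directives if name == "http_access"]
    auth_basic = [a for name, a in directives if name == "auth_param" and a[:1] == ["basic"]]
    findings = []
    # Safe_ports / SSL_ports denies must be active, not commented out.
    if ["deny", "!Safe_ports"] not in http_access:
        findings.append("missing: http_access deny !Safe_ports")
    if ["deny", "CONNECT", "!SSL_ports"] not in http_access:
        findings.append("missing: http_access deny CONNECT !SSL_ports")
    # Basic auth configured but no explicit credentialsttl (default 2 hr).
    if auth_basic and not any(a[1:2] == ["credentialsttl"] for a in auth_basic):
        findings.append("missing: auth_param basic credentialsttl")
    # 'allow authenticated' alone leads to the login-popup loop; prefer 'deny !authenticated'.
    if ["allow", "authenticated"] in http_access and ["deny", "!authenticated"] not in http_access:
        findings.append("prefer: http_access deny !authenticated, then http_access allow all")
    return findings


if __name__ == "__main__":
    for f in lint_squid_conf(SAMPLE_CONF):
        print(f)
```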



