Hey Ben,

Since you probably don't have 100k users and therefore passwords, it wouldn't do a thing. Nobody will feel you dropping the TTL.
The content of the credentials file will be in RAM, so you should give it a try first and ask later.

All the best,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx
Zoom: Coming soon

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Ben Goz
Sent: Sunday, March 14, 2021 3:26 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Protecting squid

On 12/03/2021 7:13, Amos Jeffries wrote:
> On 12/03/21 3:56 am, Ben Goz wrote:
>>
>> On 11/03/2021 16:44, Amos Jeffries wrote:
>>> On 12/03/21 3:37 am, Ben Goz wrote:
>>>>
>>>> On 11/03/2021 15:50, Antony Stone wrote:
>>>>> On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
>>>>>
>>>>> Tell us about your network setup and what you are trying to achieve -
>>>>> we might be able to suggest solutions.
>>>>
>>>> End users' machines use some client application while their system
>>>> proxy points to the above squid proxy server.
>>>>
>>>
>>> Please also provide your squid.conf settings so we can check they
>>> achieve your described need(s) properly. At least any lines starting
>>> with the http_access, auth_param, acl, or external_acl_type
>>> directives would be most useful.
>>>
>>> Do not forget to anonymize sensitive details before posting. PLEASE
>>> do so in a way that we can tell whether a hidden value was correct
>>> for its usage, and whether any two hidden values are the same or
>>> different.
>>
>>
>> It's a fork of the default configuration with some changes.
>>
>> # Recommended minimum Access Permission configuration:
>> #
>> # Deny requests to certain unsafe ports
>> #http_access deny !Safe_ports
>>
>
>
> Please restore this security protection. It prevents malware abusing
> HTTP's similarity to certain other protocols to perform attacks
> *through* your proxy.
>
> The default Safe_ports list allows all ports not known to be
> dangerous, and all ports above 1024. So it should not have any
> noticeable effect on any legitimate HTTP proxy clients - unless
> there is something really dodgy happening on your network. If you
> actually want something like that happening, then add the appropriate
> port for that activity to the Safe_ports list. Do not drop the
> protection completely.
>
>
>> # Deny CONNECT to other than secure SSL ports
>> #http_access deny CONNECT !SSL_ports
>>
>
> The same can be said about this. Except this line is arguably even
> more important. CONNECT tunnels can literally contain anything. Let
> clients do things by adding ports to the SSL_ports list as-needed.
>
> Please do some due-diligence checks before that to verify you are okay
> with all the uses of that port. Even ones you think the client
> themselves is unlikely to be doing. Once you open a port here *anyone*
> with access to the proxy can do whatever they like on that port.
>
>
>
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>>
>> http_access allow localnet
>> http_access allow localhost
>>
>> auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
>> auth_param basic realm proxy
>
> I notice you are missing a line setting the login TTL value.
>
> There is currently a potential problem in the default which means
> Squid encounters situations where the credentials are seen as still
> going to be valid for hours so do not get refreshed. But garbage
> collection decides to throw them away.
>
> This may not be related to the complaints you reported getting. But
> it should be fixed to ensure the side effect of having to re-authenticate
> users does not complicate your actual problem.
>
> "auth_param basic credentialsttl ..." sets how often Squid will
> re-check your auth system to confirm the user is still allowed.
> Default: 2 hr.
>
> "authenticate_ttl ..." sets how often Squid will try to throw away all
> info about old clients being logged in. Default: 1 hr.
>
>
>> acl authenticated proxy_auth REQUIRED
>> http_access allow authenticated
>>
>
> I recommend a slightly different form of check for logins. It prevents
> the situation where a user trying the wrong credentials gets a loop of
> popups.
>
> Like so:
> http_access deny !authenticated
>
> That guarantees they are not asked to log in again if their software
> agent (aka browser, or such) provided or can locate the proper
> credentials.
>
> After that you can add other rules about what the logged-in users can
> do, e.g. allow them to do whatever they want. Like so:
> http_access allow all

Can I configure the squid authentication TTL per source IP only, ignoring other parameters, so that authentication is requested only once per TTL for all the sessions?

>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
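The access-control and TTL changes Amos recommends in the thread, collected into one squid.conf fragment as an added example (it is not configuration from the thread or from the Squid project). It assumes the stock SSL_ports/Safe_ports ACL definitions from the default squid.conf, keeps the helper path Ben posted, and deliberately omits the thread's `http_access allow localnet` / `allow localhost` lines so that every client must authenticate before anything else is allowed.

```conf
# Port ACLs as shipped in the default squid.conf (assumed unchanged here).
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

# Restore the two protections that were commented out in the thread.
# First match wins, so these must come before any "allow" rule.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Cache manager reachable only from the proxy host itself (unchanged from the thread).
http_access allow localhost manager
http_access deny manager

# Basic auth against the NCSA-style password file, with explicit TTLs
# instead of relying on the defaults Amos describes (2 hours / 1 hour).
auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
auth_param basic realm proxy
auth_param basic credentialsttl 2 hours   # how often the helper is re-asked about a user
authenticate_ttl 1 hour                   # how often idle login records are garbage-collected

# Amos's form of the login check: reject anyone who is not authenticated,
# which avoids the repeated-popup loop when wrong credentials are tried.
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated

# Everything below this line applies only to authenticated users.
http_access allow all
```

Run `squid -k parse` against the edited file before reloading; if you later need a non-standard port, add it to Safe_ports (or SSL_ports for CONNECT) rather than removing the deny lines.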