Re: Access based on auth and referer


Hi Amos,

thank you for your answer.

Unfortunately, the config you suggested does not seem to work: using that, the proxy asks for a password for every site.

I think this is because CONNECT requests naturally do not present the referer header. The special referer header is only present in subsequent requests, those that get ssl-bumped.

This is an example CONNECT request found in logs:


CONNECT pixel.sitescout.com:443 HTTP/1.1
Host: pixel.sitescout.com:443
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.76


How can I solve this? Is it even possible to mix up auth-based and referer-based access?

Thank you for your patience and your kind help,

Matteo

On 3/6/23 07:34, Amos Jeffries wrote:
On 5/03/2023 10:44 pm, Dott. Matteo Savatteri wrote:

Hello fellow Squid users,

we use Squid 3.5 at my company and we want to give access to all sites to authenticated users. If a user is not authenticated we need to allow only HTTP/S requests that present a referer header matching a regex. Is this even possible?

I have tried a combination of proxy_auth and referer_regex ACLs with no results. sslbump is working.

Try these rules:

  # initial security protection
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports

  # forbid access to cache manager from non-localhost
  http_access deny manager !localhost
  # leave the below commented to require a login for cache manager access
  # http_access allow manager

  # forbid unauthenticated, except when providing the special Referer header
  http_access deny !myreferer !password

  # users not denied are allowed
  http_access allow all


Cheers
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

--
Dott. Matteo Savatteri

Head of the Technology Platforms Office
Direzione Servizio Bibliotecario di Ateneo
Università degli Studi di Milano

Address: Via Santa Sofia, 9 20122 MILANO (MI)
Office phone: 02503 12227
Email: Matteo.Savatteri@xxxxxxxx
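
The behaviour reported in the message above, as an added example that is not part of the original thread: a simplified Python model of Squid's first-match `http_access` evaluation, run over the rules from the quoted reply. The `myreferer` pattern, the constructed bumped request, and the modelling of a `proxy_auth` check without credentials as a 407 challenge are assumptions.

```python
import re

# Assumed placeholder: the thread never shows the real referer_regex pattern.
MYREFERER = re.compile(r"^https://portal\.example\.org/")
SSL_PORTS = {443}

# The http_access lines from the reply that decide the outcome, in order.
RULES = [
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("deny", ["!myreferer", "!password"]),
    ("allow", ["all"]),
]

def acl(name, req):
    """True/False, or "CHALLENGE" when proxy_auth has no credentials to test."""
    if name == "CONNECT":
        return req["method"] == "CONNECT"
    if name == "SSL_ports":
        return req["port"] in SSL_PORTS
    if name == "myreferer":
        return bool(MYREFERER.search(req["headers"].get("Referer", "")))
    if name == "password":
        return True if req.get("user") else "CHALLENGE"
    return True  # "all"

def http_access(req):
    """First matching line wins; ACLs on a line are ANDed left to right."""
    for action, terms in RULES:
        for term in terms:
            negated = term.startswith("!")
            result = acl(term.lstrip("!"), req)
            if result == "CHALLENGE":
                return "407"          # browser prompts for a password
            if result == negated:     # term is false: line cannot match
                break
        else:
            return action
    return "deny"

# CONNECT as logged in the thread: no Referer, no credentials.
CONNECT_REQ = {"method": "CONNECT", "port": 443, "headers": {}}
# Constructed: a request seen after ssl-bump, carrying the special Referer.
BUMPED_GET = {"method": "GET", "port": 443,
              "headers": {"Referer": "https://portal.example.org/start"}}

if __name__ == "__main__":
    for req in (CONNECT_REQ, BUMPED_GET, dict(CONNECT_REQ, user="alice")):
        print(req["method"], req.get("user", "-"), "->", http_access(req))
```

In this model the unauthenticated CONNECT reaches the `password` check before any Referer can exist, which matches the password prompt reported for every site.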
