Search squid archive

Squid.conf Issues

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Good morning Squid Support,

 

I’ve been setting up a replacement Squid proxy server.

 

After setting up the backend using realmD, sssd, with Kerberos authentication, I tested with a Windows “squidaduser” account. I can verify the user accounts connection to the proxy, and it is passing traffic. The issue is, it’s not being blocked by ANY of the acl’s we have in place. I was hoping to reach out to help me identify the issue with the squid.conf file. This is my assumption to be the issue but I am pretty new at using Linux and completely unfamiliar with setting up a web proxy.

 

Environment:

Squid Cache: Version 5.5

RHEL 9.4 on a HyperV VM

Linux Client Proxy in a Windows AD environment

 

 

Below I will post the config and attempt to edit out any relevant company/personal information:

 

##############################################################################

# General

##############################################################################

 

max_filedesc 4096

cache_mgr ARCITAdmin@xxxxxxxxxx

cache_effective_user squid

cache_effective_group squid

shutdown_lifetime 5 seconds

 

##############################################################################

# Logging

##############################################################################

 

# this makes the logs readable to humans

logformat custom %tl.%03tu %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt

access_log daemon:/var/log/squid/access.log custom

 

 

logfile_rotate 10

debug_options ALL,1

buffered_logs off

cache_log /var/log/squid/general

cache_access_log /var/log/squid/access.log

cache_store_log none

log_mime_hdrs off

strip_query_terms off

 

##############################################################################

# Network - General/misc

##############################################################################

 

# our HTTP proxy port

http_port 10.46.11.69:8080

# loopback management

http_port 127.0.0.1:3128

 

icp_port 0

forwarded_for off

 

##############################################################################

# Network timeout settings

##############################################################################

 

connect_timeout 30 seconds

peer_connect_timeout 20 seconds

read_timeout 2 minutes

request_timeout 2 minutes

persistent_request_timeout 30 seconds

 

##############################################################################

# Configuration of the local cache itself

##############################################################################

 

cache_dir ufs /var/spool/squid/ 10000 16 256

coredump_dir /var/spool/squid/

cache_replacement_policy heap LFUDA

memory_replacement_policy lru

cache_mem 256 MB

maximum_object_size 32 MB

maximum_object_size_in_memory 512 KB

quick_abort_min 16 KB

quick_abort_max 1 MB

quick_abort_pct 90

range_offset_limit 64 KB

 

##############################################################################

# Cache control

##############################################################################

 

acl no_cache_url url_regex -i "/etc/squid/no_cache_url"

cache deny no_cache_url

 

##############################################################################

# Authentication

##############################################################################

 

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/<domain>.ad.<domain>.com@AD.<domain>.COM

auth_param negotiate children 10

auth_param negotiate keep_alive on

acl kerb-auth proxy_auth REQUIRED

http_access allow kerb-auth

 

##############################################################################

# Access control - shared/common ACL definitions

##############################################################################

 

# acl all src all

acl src_self src 127.0.0.0/8

acl src_self src 10.46.11.69

acl dst_self dst 127.0.0.0/8

acl dst_self dst 10.46.11.69

acl from_arc src 10.46.0.0/15

acl local_dst_addr dst 10.0.0.0/8

acl local_dst_addr dst bldg3.<domain>.com

acl local_dst_addr dst bldg5.<domain>.com

acl local_dst_dom dstdomain <domain>

acl proto_FTP proto FTP

acl proto_HTTP proto HTTP

acl localnet src 10.46.49.0/24           

acl localnet src 10.47.49.0/24           

 

acl http_ports port 80    

acl http_ports port 81                    

acl http_ports port 8001               

acl http_ports port 8080               

 

acl Ssl_ports port 443

acl Ssl_ports port 9571    

acl SSL_ports port 443

acl Safe_ports port 80                 

acl Safe_ports port 21                 

acl Safe_ports port 443                

 

acl ssh_ports port 22

acl ftp_ports port 21

http_access deny !Safe_ports

acl method_CONNECT method CONNECT

dsacl methods_std method GET HEAD POST PUT DELETE

acl methods_std method TRACE OPTIONS

 

##############################################################################

# Access control - maintenance

##############################################################################

 

acl purge method PURGE

http_access allow purge src_self

http_access deny purge

acl cache_manager proto cache_object

cachemgr_passwd disabled shutdown offline_toggle

cachemgr_passwd none all

http_access allow cache_manager src_self

http_access deny cache_manager

 

#############################################################################

# Access control - general proxy

##############################################################################

 

http_access deny dst_self

http_access deny src_self

http_access deny !from_arc

http_access       allow local_dst_dom

http_reply_access           allow local_dst_dom

http_access       allow local_dst_addr

http_reply_access           allow local_dst_addr

acl authless_src src "/etc/squid/authless_src"

http_access       allow authless_src

http_reply_access           allow authless_src

acl authless_dst dstdomain "/etc/squid/authless_dst"

http_access       allow authless_dst

http_reply_access           allow authless_dst

acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"

http_access deny bad_domains_preauth

 

acl block_user proxy_auth_regex -i "/etc/squid/block_user"

http_access deny block_user

acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"

acl exec_files url_regex -i "/etc/squid/exec_files"

acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"

http_access deny !bad_exception_urls !exec_users exec_files

deny_info ERR_BLOCK_TYPE exec_files

acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"

acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"

http_access       allow methods_std    proto_HTTP http_ports mmedia_sites mmedia_users

http_reply_access allow methods_std    proto_HTTP http_ports mmedia_sites mmedia_users

http_access       allow method_CONNECT            ssl_ports  mmedia_sites mmedia_users

http_reply_access allow method_CONNECT            ssl_ports  mmedia_sites mmedia_users

 

acl bad_domains dstdomain "/etc/squid/bad_domains"

http_access deny !bad_exception_urls bad_domains

deny_info ERR_BLOCK_DST         bad_domains

acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"

http_access deny !bad_exception_urls bad_domains_regex

deny_info ERR_BLOCK_DST         bad_domains_regex

acl bad_urls url_regex -i "/etc/squid/bad_urls"

http_access deny !bad_exception_urls bad_urls

deny_info ERR_BLOCK_DST         bad_urls

acl bad_files urlpath_regex -i "/etc/squid/bad_files"

http_access deny !bad_exception_urls bad_files

deny_info ERR_BLOCK_TYPE bad_files

acl bad_types rep_mime_type -i "/etc/squid/bad_types"

http_reply_access deny bad_types !bad_exception_urls

deny_info ERR_BLOCK_TYPE bad_types

 

acl fsoguest_user proxy_auth_regex -i fsoguest

acl fsoguest_dst dstdomain .opm.gov

acl fsoguest_dst dstdomain .google-analytics.com

acl fsoguest_dst dstdomain pki.google.com

acl fsoguest_dst dstdomain ajax.googleapis.com

acl fsoguest_dst dstdomain fonts.googleapis.com

acl fsoguest_dst dstdomain html5shiv.googlecode.com

acl fsoguest_dst dstdomain fonts.gstatic.com

acl fsoguest_dst dstdomain clients1.google.com

acl fsoguest_dst dstdomain ajax.microsoft.com

acl fsoguest_dst dstdomain ajax.aspnetcdn.com

acl fsoguest_dst dstdomain .geotrust.com

acl fsoguest_dst dstdomain .akamaihd.net

acl fsoguest_dst dstdomain symcd.com

http_access allow methods_std proto_HTTP http_ports fsoguest_dst fsoguest_user

http_access allow method_CONNECT         ssl_ports  fsoguest_dst fsoguest_user

http_access deny fsoguest_user

 

http_access allow http_ports proto_HTTP methods_std

http_access allow method_CONNECT ssl_ports

http_access deny method_CONNECT

 

http_access allow ftp_ports proto_FTP

http_access deny all

http_reply_access allow all

 

##############################################################################

# END OF FILE

##############################################################################

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux