Good morning Squid Support,

I've been setting up a replacement Squid proxy server. After setting up the backend using realmd and sssd with Kerberos authentication, I tested with a Windows "squidaduser" account. I can verify the user account's connection to the proxy, and it is passing traffic. The issue is, it's not being blocked by ANY of the ACLs we have in place. I was hoping to reach out for help identifying the issue with the squid.conf file. I assume this is the issue, but I am pretty new at using Linux and completely unfamiliar with setting up a web proxy.
Environment:
- Squid Cache: Version 5.5
- RHEL 9.4 on a Hyper-V VM
- Linux client proxy in a Windows AD environment

Below I will post the config and attempt to edit out any relevant company/personal information:

##############################################################################
# General
##############################################################################
max_filedesc 4096
cache_mgr ARCITAdmin@xxxxxxxxxx
cache_effective_user squid
cache_effective_group squid
shutdown_lifetime 5 seconds

##############################################################################
# Logging
##############################################################################
# this makes the logs readable to humans
logformat custom %tl.%03tu %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log custom
logfile_rotate 10
debug_options ALL,1
buffered_logs off
cache_log /var/log/squid/general
cache_access_log /var/log/squid/access.log
cache_store_log none
log_mime_hdrs off
strip_query_terms off

##############################################################################
# Network - General/misc
##############################################################################
# our HTTP proxy port
http_port 10.46.11.69:8080
# loopback management
http_port 127.0.0.1:3128
icp_port 0
forwarded_for off

##############################################################################
# Network timeout settings
##############################################################################
connect_timeout 30 seconds
peer_connect_timeout 20 seconds
read_timeout 2 minutes
request_timeout 2 minutes
persistent_request_timeout 30 seconds

##############################################################################
# Configuration of the local cache itself
##############################################################################
cache_dir ufs /var/spool/squid/ 10000 16 256
coredump_dir /var/spool/squid/
cache_replacement_policy heap LFUDA
memory_replacement_policy lru
cache_mem 256 MB
maximum_object_size 32 MB
maximum_object_size_in_memory 512 KB
quick_abort_min 16 KB
quick_abort_max 1 MB
quick_abort_pct 90
range_offset_limit 64 KB

##############################################################################
# Cache control
##############################################################################
acl no_cache_url url_regex -i "/etc/squid/no_cache_url"
cache deny no_cache_url

##############################################################################
# Authentication
##############################################################################
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/<domain>.ad.<domain>.com@AD.<domain>.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth

##############################################################################
# Access control - shared/common ACL definitions
##############################################################################
# acl all src all
acl src_self src 127.0.0.0/8
acl src_self src 10.46.11.69
acl dst_self dst 127.0.0.0/8
acl dst_self dst 10.46.11.69
acl from_arc src 10.46.0.0/15
acl local_dst_addr dst 10.0.0.0/8
acl local_dst_addr dst bldg3.<domain>.com
acl local_dst_addr dst bldg5.<domain>.com
acl local_dst_dom dstdomain <domain>
acl proto_FTP proto FTP
acl proto_HTTP proto HTTP
acl localnet src 10.46.49.0/24
acl localnet src 10.47.49.0/24
acl http_ports port 80
acl http_ports port 81
acl http_ports port 8001
acl http_ports port 8080
acl Ssl_ports port 443
acl Ssl_ports port 9571
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl ssh_ports port 22
acl ftp_ports port 21
http_access deny !Safe_ports
acl method_CONNECT method CONNECT
acl methods_std method GET HEAD POST PUT DELETE
acl methods_std method TRACE OPTIONS

##############################################################################
# Access control - maintenance
##############################################################################
acl purge method PURGE
http_access allow purge src_self
http_access deny purge
acl cache_manager proto cache_object
cachemgr_passwd disabled shutdown offline_toggle
cachemgr_passwd none all
http_access allow cache_manager src_self
http_access deny cache_manager

##############################################################################
# Access control - general proxy
##############################################################################
http_access deny dst_self
http_access deny src_self
http_access deny !from_arc
http_access allow local_dst_dom
http_reply_access allow local_dst_dom
http_access allow local_dst_addr
http_reply_access allow local_dst_addr
acl authless_src src "/etc/squid/authless_src"
http_access allow authless_src
http_reply_access allow authless_src
acl authless_dst dstdomain "/etc/squid/authless_dst"
http_access allow authless_dst
http_reply_access allow authless_dst
acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
http_access deny bad_domains_preauth
acl block_user proxy_auth_regex -i "/etc/squid/block_user"
http_access deny block_user
acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
acl exec_files url_regex -i "/etc/squid/exec_files"
acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
http_access deny !bad_exception_urls !exec_users exec_files
deny_info ERR_BLOCK_TYPE exec_files
acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
http_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
http_reply_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
http_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
http_reply_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny !bad_exception_urls bad_domains
deny_info ERR_BLOCK_DST bad_domains
acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
http_access deny !bad_exception_urls bad_domains_regex
deny_info ERR_BLOCK_DST bad_domains_regex
acl bad_urls url_regex -i "/etc/squid/bad_urls"
http_access deny !bad_exception_urls bad_urls
deny_info ERR_BLOCK_DST bad_urls
acl bad_files urlpath_regex -i "/etc/squid/bad_files"
http_access deny !bad_exception_urls bad_files
deny_info ERR_BLOCK_TYPE bad_files
acl bad_types rep_mime_type -i "/etc/squid/bad_types"
http_reply_access deny bad_types !bad_exception_urls
deny_info ERR_BLOCK_TYPE bad_types
acl fsoguest_user proxy_auth_regex -i fsoguest
acl fsoguest_dst dstdomain .opm.gov
acl fsoguest_dst dstdomain .google-analytics.com
acl fsoguest_dst dstdomain pki.google.com
acl fsoguest_dst dstdomain ajax.googleapis.com
acl fsoguest_dst dstdomain fonts.googleapis.com
acl fsoguest_dst dstdomain html5shiv.googlecode.com
acl fsoguest_dst dstdomain fonts.gstatic.com
acl fsoguest_dst dstdomain clients1.google.com
acl fsoguest_dst dstdomain ajax.microsoft.com
acl fsoguest_dst dstdomain ajax.aspnetcdn.com
acl fsoguest_dst dstdomain .geotrust.com
acl fsoguest_dst dstdomain .akamaihd.net
acl fsoguest_dst dstdomain symcd.com
http_access allow methods_std proto_HTTP http_ports fsoguest_dst fsoguest_user
http_access allow method_CONNECT ssl_ports fsoguest_dst fsoguest_user
http_access deny fsoguest_user
http_access allow http_ports proto_HTTP methods_std
http_access allow method_CONNECT ssl_ports
http_access deny method_CONNECT
http_access allow ftp_ports proto_FTP
http_access deny all
http_reply_access allow all

##############################################################################
# END OF FILE
##############################################################################
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users
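Added illustration, not part of the post above and not Squid's own code. Squid evaluates `http_access` lines top to bottom and the first line whose ACLs all match decides the request; if nothing matches, the opposite of the last line's action applies. In the posted config, `http_access allow kerb-auth` sits in the Authentication section, ahead of every `deny` in the general-proxy section, so any Kerberos-authenticated user (such as "squidaduser") is allowed before the block lists are ever consulted. The toy model below replays that first-match logic over a constructed subset of the rules (the `from_arc` network and a made-up `bad_domains` entry for example.org) and contrasts the posted ordering with one where authentication is demanded by `deny !kerb-auth` after the block rules; the Python classes and the simplified ACL matching are my own assumptions, not Squid internals.

```python
"""Toy model of Squid http_access evaluation: first matching rule wins.

Added illustration, not code from the original post and not Squid's own
code. It models just enough ACL types (proxy_auth REQUIRED, src, dstdomain,
all) with constructed sample rules to show how an early
`http_access allow kerb-auth` short-circuits every deny rule placed after it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    src: str             # client IP address
    host: str            # destination hostname
    user: Optional[str]  # authenticated user, or None if no credentials presented


# Constructed sample ACLs: name -> (acl type, values)
ACLS: Dict[str, Tuple[str, List[str]]] = {
    "kerb-auth": ("proxy_auth", ["REQUIRED"]),
    "from_arc": ("src", ["10.46."]),                  # simplified stand-in for 10.46.0.0/15
    "bad_domains": ("dstdomain", [".example.org"]),   # constructed blocklist entry
    "all": ("all", []),
}


def acl_matches(name: str, req: Request) -> bool:
    """Return True when the named ACL matches the request."""
    kind, values = ACLS[name]
    if kind == "all":
        return True
    if kind == "proxy_auth":
        # REQUIRED: any successfully authenticated user matches.
        # (Real Squid would challenge an unauthenticated client with 407 here.)
        return req.user is not None
    if kind == "src":
        return any(req.src.startswith(prefix) for prefix in values)
    if kind == "dstdomain":
        # A leading dot (".example.org") matches the domain and all its subdomains
        return any(
            req.host == v.lstrip(".") or (v.startswith(".") and req.host.endswith(v))
            for v in values
        )
    raise ValueError(f"unsupported acl type {kind}")


def token_matches(token: str, req: Request) -> bool:
    """Handle Squid's '!' negation prefix on an ACL name."""
    if token.startswith("!"):
        return not acl_matches(token[1:], req)
    return acl_matches(token, req)


Rule = Tuple[str, List[str]]  # ("allow" | "deny", [ACL tokens, ANDed together])


def decide(rules: List[Rule], req: Request) -> str:
    """Evaluate rules in order; the first rule whose ACLs all match wins.
    If no rule matches, Squid applies the opposite of the last rule's action."""
    if not rules:
        return "deny"
    for action, tokens in rules:
        if all(token_matches(t, req) for t in tokens):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Ordering as in the posted config: the blanket allow for authenticated
# users comes before every block rule.
AS_POSTED: List[Rule] = [
    ("allow", ["kerb-auth"]),
    ("deny", ["!from_arc"]),
    ("deny", ["bad_domains"]),
    ("deny", ["all"]),
]

# Same ACLs, but authentication is *required* (deny !kerb-auth) after the
# block rules instead of being granted as an unconditional allow before them.
AUTH_REQUIRED_LATE: List[Rule] = [
    ("deny", ["!from_arc"]),
    ("deny", ["bad_domains"]),
    ("deny", ["!kerb-auth"]),
    ("allow", ["all"]),
]


def compare(req: Request) -> Tuple[str, str]:
    """Decision for the same request under (posted ordering, reordered rules)."""
    return decide(AS_POSTED, req), decide(AUTH_REQUIRED_LATE, req)


if __name__ == "__main__":
    samples = [
        Request("10.46.49.10", "www.example.org", "squidaduser"),  # blocklisted site
        Request("10.46.49.10", "www.example.com", "squidaduser"),  # ordinary site
        Request("10.46.49.10", "www.example.com", None),           # no credentials
        Request("192.0.2.5", "www.example.com", "squidaduser"),    # outside from_arc
    ]
    for r in samples:
        posted, reordered = compare(r)
        print(f"{r.src:12} {r.host:16} user={str(r.user):12} posted={posted:5} reordered={reordered}")
```

Running it shows the authenticated request to the blocklisted host decided "allow" under the posted ordering and "deny" once the block rules come first, and the same for a client outside the `from_arc` range; unauthenticated requests are denied either way. The usual squid.conf convention is `http_access deny !auth_acl` placed after the deny rules that should apply regardless of identity, followed by the allow rules, rather than an early `allow auth_acl`.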