On 2024-08-19 11:16, Piana, Josh wrote:
After setting up the backend using realmD, sssd, with Kerberos
authentication, I tested with a Windows “squidaduser” account. I can
verify the user account's connection to the proxy, and it is passing
traffic. The issue is, it’s not being blocked by ANY of the ACLs we
have in place. I was hoping to reach out to help me identify the issue
with the squid.conf file. This is my assumption to be the issue, but I am
pretty new at using Linux and completely unfamiliar with setting up a
web proxy.
In most cases, when Squid does not block, it allows. Squid allows when
an "http_access allow" rule matches. Now look at _all_ of your
http_access rules and ask yourself: Which "http_access allow" rule
matches in my test case?
I do not know enough about your test logic, so I can only speculate that
the answer to that question is "It is the very first http_access rule!":
http_access allow kerb-auth
In other words, your configuration allows all authenticated clients. In
other words, it does not block any authenticated clients. Is that what
you want?
HTH,
Alex.
Environment:
Squid Cache: Version 5.5
RHEL 9.4 on a HyperV VM
Linux Client Proxy in a Windows AD environment
Below I will post the config and attempt to edit out any relevant
company/personal information:
##############################################################################
# General
##############################################################################
max_filedesc 4096
cache_mgr ARCITAdmin@xxxxxxxxxx
cache_effective_user squid
cache_effective_group squid
shutdown_lifetime 5 seconds
##############################################################################
# Logging
##############################################################################
# this makes the logs readable to humans
logformat custom %tl.%03tu %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log custom
logfile_rotate 10
debug_options ALL,1
buffered_logs off
cache_log /var/log/squid/general
cache_access_log /var/log/squid/access.log
cache_store_log none
log_mime_hdrs off
strip_query_terms off
##############################################################################
# Network - General/misc
##############################################################################
# our HTTP proxy port
http_port 10.46.11.69:8080
# loopback management
http_port 127.0.0.1:3128
icp_port 0
forwarded_for off
##############################################################################
# Network timeout settings
##############################################################################
connect_timeout 30 seconds
peer_connect_timeout 20 seconds
read_timeout 2 minutes
request_timeout 2 minutes
persistent_request_timeout 30 seconds
##############################################################################
# Configuration of the local cache itself
##############################################################################
cache_dir ufs /var/spool/squid/ 10000 16 256
coredump_dir /var/spool/squid/
cache_replacement_policy heap LFUDA
memory_replacement_policy lru
cache_mem 256 MB
maximum_object_size 32 MB
maximum_object_size_in_memory 512 KB
quick_abort_min 16 KB
quick_abort_max 1 MB
quick_abort_pct 90
range_offset_limit 64 KB
##############################################################################
# Cache control
##############################################################################
acl no_cache_url url_regex -i "/etc/squid/no_cache_url"
cache deny no_cache_url
##############################################################################
# Authentication
##############################################################################
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/<domain>.ad.<domain>.com@AD.<domain>.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth
##############################################################################
# Access control - shared/common ACL definitions
##############################################################################
# acl all src all
acl src_self src 127.0.0.0/8
acl src_self src 10.46.11.69
acl dst_self dst 127.0.0.0/8
acl dst_self dst 10.46.11.69
acl from_arc src 10.46.0.0/15
acl local_dst_addr dst 10.0.0.0/8
acl local_dst_addr dst bldg3.<domain>.com
acl local_dst_addr dst bldg5.<domain>.com
acl local_dst_dom dstdomain <domain>
acl proto_FTP proto FTP
acl proto_HTTP proto HTTP
acl localnet src 10.46.49.0/24
acl localnet src 10.47.49.0/24
acl http_ports port 80
acl http_ports port 81
acl http_ports port 8001
acl http_ports port 8080
acl Ssl_ports port 443
acl Ssl_ports port 9571
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl ssh_ports port 22
acl ftp_ports port 21
http_access deny !Safe_ports
acl method_CONNECT method CONNECT
acl methods_std method GET HEAD POST PUT DELETE
acl methods_std method TRACE OPTIONS
##############################################################################
# Access control - maintenance
##############################################################################
acl purge method PURGE
http_access allow purge src_self
http_access deny purge
acl cache_manager proto cache_object
cachemgr_passwd disabled shutdown offline_toggle
cachemgr_passwd none all
http_access allow cache_manager src_self
http_access deny cache_manager
##############################################################################
# Access control - general proxy
##############################################################################
http_access deny dst_self
http_access deny src_self
http_access deny !from_arc
http_access allow local_dst_dom
http_reply_access allow local_dst_dom
http_access allow local_dst_addr
http_reply_access allow local_dst_addr
acl authless_src src "/etc/squid/authless_src"
http_access allow authless_src
http_reply_access allow authless_src
acl authless_dst dstdomain "/etc/squid/authless_dst"
http_access allow authless_dst
http_reply_access allow authless_dst
acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
http_access deny bad_domains_preauth
acl block_user proxy_auth_regex -i "/etc/squid/block_user"
http_access deny block_user
acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
acl exec_files url_regex -i "/etc/squid/exec_files"
acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
http_access deny !bad_exception_urls !exec_users exec_files
deny_info ERR_BLOCK_TYPE exec_files
acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
http_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
http_reply_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
http_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
http_reply_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny !bad_exception_urls bad_domains
deny_info ERR_BLOCK_DST bad_domains
acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
http_access deny !bad_exception_urls bad_domains_regex
deny_info ERR_BLOCK_DST bad_domains_regex
acl bad_urls url_regex -i "/etc/squid/bad_urls"
http_access deny !bad_exception_urls bad_urls
deny_info ERR_BLOCK_DST bad_urls
acl bad_files urlpath_regex -i "/etc/squid/bad_files"
http_access deny !bad_exception_urls bad_files
deny_info ERR_BLOCK_TYPE bad_files
acl bad_types rep_mime_type -i "/etc/squid/bad_types"
http_reply_access deny bad_types !bad_exception_urls
deny_info ERR_BLOCK_TYPE bad_types
acl fsoguest_user proxy_auth_regex -i fsoguest
acl fsoguest_dst dstdomain .opm.gov
acl fsoguest_dst dstdomain .google-analytics.com
acl fsoguest_dst dstdomain pki.google.com
acl fsoguest_dst dstdomain ajax.googleapis.com
acl fsoguest_dst dstdomain fonts.googleapis.com
acl fsoguest_dst dstdomain html5shiv.googlecode.com
acl fsoguest_dst dstdomain fonts.gstatic.com
acl fsoguest_dst dstdomain clients1.google.com
acl fsoguest_dst dstdomain ajax.microsoft.com
acl fsoguest_dst dstdomain ajax.aspnetcdn.com
acl fsoguest_dst dstdomain .geotrust.com
acl fsoguest_dst dstdomain .akamaihd.net
acl fsoguest_dst dstdomain symcd.com
http_access allow methods_std proto_HTTP http_ports fsoguest_dst fsoguest_user
http_access allow method_CONNECT ssl_ports fsoguest_dst fsoguest_user
http_access deny fsoguest_user
http_access allow http_ports proto_HTTP methods_std
http_access allow method_CONNECT ssl_ports
http_access deny method_CONNECT
http_access allow ftp_ports proto_FTP
http_access deny all
http_reply_access allow all
##############################################################################
# END OF FILE
##############################################################################
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
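Added example, not from the thread or from Squid itself: a small Python model of how Squid walks an ordered http_access list (first fully matching line wins; ACLs on one line are ANDed, "!" negates; no match means the opposite of the last line's action). It uses a constructed, condensed excerpt of the posted order and an assumed reordering to show why "http_access allow kerb-auth" at the top makes every later deny unreachable for an authenticated user.

```python
# Added illustration of Squid http_access first-match evaluation.
# ACL matching is reduced to a set of ACL names that are true for a
# request; the request sets below are constructed test inputs.

def evaluate(rules, matched):
    """rules: ordered list of (action, [acl, ...]); matched: set of ACL
    names true for the request. Returns (action, index of deciding rule),
    or (default action, None) when no line matches."""
    for idx, (action, acls) in enumerate(rules):
        if all((acl[1:] not in matched) if acl.startswith("!")
               else (acl in matched) for acl in acls):
            return action, idx
    if not rules:
        return "deny", None  # Squid denies when no http_access lines exist
    # Documented Squid default: opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def parse(config_text):
    """Collect http_access lines from squid.conf-style text, in order."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

# Condensed version of the order in the posted config (constructed excerpt).
AS_POSTED = """
http_access allow kerb-auth
http_access deny !Safe_ports
http_access deny bad_domains
http_access deny all
"""

# Assumed alternative ordering for comparison: the deny lines come first and
# the authentication allow sits just before the final deny.
REORDERED = """
http_access deny !Safe_ports
http_access deny bad_domains
http_access allow kerb-auth
http_access deny all
"""

# Constructed request: an authenticated AD user fetching a blocked domain.
AUTH_USER_TO_BAD_DOMAIN = {"kerb-auth", "Safe_ports", "bad_domains", "all"}

if __name__ == "__main__":
    print(evaluate(parse(AS_POSTED), AUTH_USER_TO_BAD_DOMAIN))   # ('allow', 0)
    print(evaluate(parse(REORDERED), AUTH_USER_TO_BAD_DOMAIN))   # ('deny', 1)
```

Running it shows the posted order decides at rule 0 (the kerb-auth allow) before any deny is consulted, while the reordered list reaches the bad_domains deny.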