Alex,

You make an extremely valid point! I added "http_access allow kerb-auth" as part of the generic authentication settings. We still want authenticated users to access, but we want the rules and ACLs prior to that to catch them first. I apologize, I'm quite new with Linux. Should I move that parameter to near the end of the config file or remove it altogether?

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Alex Rousskov
Sent: Monday, August 19, 2024 12:12 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid.conf Issues

On 2024-08-19 11:16, Piana, Josh wrote:
> After setting up the backend using realmD, sssd, with Kerberos
> authentication, I tested with a Windows "squidaduser" account. I can
> verify the user account's connection to the proxy, and it is passing
> traffic. The issue is, it's not being blocked by ANY of the ACLs we
> have in place. I was hoping to reach out to help me identify the issue
> with the squid.conf file. This is my assumption to be the issue, but I
> am pretty new at using Linux and completely unfamiliar with setting up
> a web proxy.

In most cases, when Squid does not block, it allows. Squid allows when an "http_access allow" rule matches. Now look at _all_ of your http_access rules and ask yourself: Which "http_access allow" rule matches in my test case?

I do not know enough about your test logic, so I can only speculate that the answer to that question is "It is the very first http_access rule!":

    http_access allow kerb-auth

In other words, your configuration allows all authenticated clients. In other words, it does not block any authenticated clients. Is that what you want?

HTH,

Alex.
> Environment:
>
> Squid Cache: Version 5.5
> RHEL 9.4 on a HyperV VM
> Linux Client Proxy in a Windows AD environment
>
> Below I will post the config and attempt to edit out any relevant
> company/personal information:
>
> ##############################################################################
> # General
> ##############################################################################
> max_filedesc 4096
> cache_mgr ARCITAdmin@xxxxxxxxxx
> cache_effective_user squid
> cache_effective_group squid
> shutdown_lifetime 5 seconds
>
> ##############################################################################
> # Logging
> ##############################################################################
> # this makes the logs readable to humans
> logformat custom %tl.%03tu %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
> access_log daemon:/var/log/squid/access.log custom
> logfile_rotate 10
> debug_options ALL,1
> buffered_logs off
> cache_log /var/log/squid/general
> cache_access_log /var/log/squid/access.log
> cache_store_log none
> log_mime_hdrs off
> strip_query_terms off
>
> ##############################################################################
> # Network - General/misc
> ##############################################################################
> # our HTTP proxy port
> http_port 10.46.11.69:8080
> # loopback management
> http_port 127.0.0.1:3128
> icp_port 0
> forwarded_for off
>
> ##############################################################################
> # Network timeout settings
> ##############################################################################
> connect_timeout 30 seconds
> peer_connect_timeout 20 seconds
> read_timeout 2 minutes
> request_timeout 2 minutes
> persistent_request_timeout 30 seconds
>
> ##############################################################################
> # Configuration of the local cache itself
> ##############################################################################
> cache_dir ufs /var/spool/squid/ 10000 16 256
> coredump_dir /var/spool/squid/
> cache_replacement_policy heap LFUDA
> memory_replacement_policy lru
> cache_mem 256 MB
> maximum_object_size 32 MB
> maximum_object_size_in_memory 512 KB
> quick_abort_min 16 KB
> quick_abort_max 1 MB
> quick_abort_pct 90
> range_offset_limit 64 KB
>
> ##############################################################################
> # Cache control
> ##############################################################################
> acl no_cache_url url_regex -i "/etc/squid/no_cache_url"
> cache deny no_cache_url
>
> ##############################################################################
> # Authentication
> ##############################################################################
> auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/<domain>.ad.<domain>.com@AD.<domain>.COM
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> acl kerb-auth proxy_auth REQUIRED
> http_access allow kerb-auth
>
> ##############################################################################
> # Access control - shared/common ACL definitions
> ##############################################################################
> # acl all src all
> acl src_self src 127.0.0.0/8
> acl src_self src 10.46.11.69
> acl dst_self dst 127.0.0.0/8
> acl dst_self dst 10.46.11.69
> acl from_arc src 10.46.0.0/15
> acl local_dst_addr dst 10.0.0.0/8
> acl local_dst_addr dst bldg3.<domain>.com
> acl local_dst_addr dst bldg5.<domain>.com
> acl local_dst_dom dstdomain <domain>
> acl proto_FTP proto FTP
> acl proto_HTTP proto HTTP
> acl localnet src 10.46.49.0/24
> acl localnet src 10.47.49.0/24
> acl http_ports port 80
> acl http_ports port 81
> acl http_ports port 8001
> acl http_ports port 8080
> acl Ssl_ports port 443
> acl Ssl_ports port 9571
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl ssh_ports port 22
> acl ftp_ports port 21
> http_access deny !Safe_ports
> acl method_CONNECT method CONNECT
> acl methods_std method GET HEAD POST PUT DELETE
> acl methods_std method TRACE OPTIONS
>
> ##############################################################################
> # Access control - maintenance
> ##############################################################################
> acl purge method PURGE
> http_access allow purge src_self
> http_access deny purge
> acl cache_manager proto cache_object
> cachemgr_passwd disabled shutdown offline_toggle
> cachemgr_passwd none all
> http_access allow cache_manager src_self
> http_access deny cache_manager
>
> ##############################################################################
> # Access control - general proxy
> ##############################################################################
> http_access deny dst_self
> http_access deny src_self
> http_access deny !from_arc
> http_access allow local_dst_dom
> http_reply_access allow local_dst_dom
> http_access allow local_dst_addr
> http_reply_access allow local_dst_addr
> acl authless_src src "/etc/squid/authless_src"
> http_access allow authless_src
> http_reply_access allow authless_src
> acl authless_dst dstdomain "/etc/squid/authless_dst"
> http_access allow authless_dst
> http_reply_access allow authless_dst
> acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
> http_access deny bad_domains_preauth
> acl block_user proxy_auth_regex -i "/etc/squid/block_user"
> http_access deny block_user
> acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
> acl exec_files url_regex -i "/etc/squid/exec_files"
> acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
> http_access deny !bad_exception_urls !exec_users exec_files
> deny_info ERR_BLOCK_TYPE exec_files
> acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
> acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
> http_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
> http_reply_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
> http_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
> http_reply_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
> acl bad_domains dstdomain "/etc/squid/bad_domains"
> http_access deny !bad_exception_urls bad_domains
> deny_info ERR_BLOCK_DST bad_domains
> acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
> http_access deny !bad_exception_urls bad_domains_regex
> deny_info ERR_BLOCK_DST bad_domains_regex
> acl bad_urls url_regex -i "/etc/squid/bad_urls"
> http_access deny !bad_exception_urls bad_urls
> deny_info ERR_BLOCK_DST bad_urls
> acl bad_files urlpath_regex -i "/etc/squid/bad_files"
> http_access deny !bad_exception_urls bad_files
> deny_info ERR_BLOCK_TYPE bad_files
> acl bad_types rep_mime_type -i "/etc/squid/bad_types"
> http_reply_access deny bad_types !bad_exception_urls
> deny_info ERR_BLOCK_TYPE bad_types
> acl fsoguest_user proxy_auth_regex -i fsoguest
> acl fsoguest_dst dstdomain .opm.gov
> acl fsoguest_dst dstdomain .google-analytics.com
> acl fsoguest_dst dstdomain pki.google.com
> acl fsoguest_dst dstdomain ajax.googleapis.com
> acl fsoguest_dst dstdomain fonts.googleapis.com
> acl fsoguest_dst dstdomain html5shiv.googlecode.com
> acl fsoguest_dst dstdomain fonts.gstatic.com
> acl fsoguest_dst dstdomain clients1.google.com
> acl fsoguest_dst dstdomain ajax.microsoft.com
> acl fsoguest_dst dstdomain ajax.aspnetcdn.com
> acl fsoguest_dst dstdomain .geotrust.com
> acl fsoguest_dst dstdomain .akamaihd.net
> acl fsoguest_dst dstdomain symcd.com
> http_access allow methods_std proto_HTTP http_ports fsoguest_dst fsoguest_user
> http_access allow method_CONNECT ssl_ports fsoguest_dst fsoguest_user
> http_access deny fsoguest_user
> http_access allow http_ports proto_HTTP methods_std
> http_access allow method_CONNECT ssl_ports
> http_access deny method_CONNECT
> http_access allow ftp_ports proto_FTP
> http_access deny all
> http_reply_access allow all
>
> ##############################################################################
> # END OF FILE
> ##############################################################################
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
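To make the first-match behaviour Alex describes concrete, here is an added Python simulation of how Squid walks http_access lines; it is not code from this thread and not Squid's own implementation. It reuses ACL names from the posted config (kerb-auth, Safe_ports, from_arc, bad_domains, all), but the ACL evaluators, the blocklist suffix `.blocked.example`, the client addresses and the two rule orderings are constructed for illustration, not the real list files. It reports which line decides each request under the posted ordering and under an ordering with the authentication allow moved below the deny rules.

```python
"""First-match simulator for Squid http_access ordering.

Added illustration, not code from the squid-users thread and not Squid's own
implementation.  It models only what the thread discusses: Squid walks the
http_access lines top to bottom, a line matches when every ACL on it matches,
and the first matching line decides.  When no line matches, Squid applies the
opposite of the last line's action.
"""
import ipaddress

# Taken from the posted "acl from_arc src 10.46.0.0/15".
ARC_NET = ipaddress.ip_network("10.46.0.0/15")

# Simplified ACL evaluators keyed by ACL name.  "kerb-auth" stands in for
# "acl kerb-auth proxy_auth REQUIRED" and matches any authenticated user.
# The ".blocked.example" suffix is a constructed stand-in for the contents
# of /etc/squid/bad_domains.
ACLS = {
    "kerb-auth": lambda r: r["user"] is not None,
    "Safe_ports": lambda r: r["port"] in (80, 21, 443),
    "from_arc": lambda r: ipaddress.ip_address(r["src"]) in ARC_NET,
    "bad_domains": lambda r: r["host"].endswith(".blocked.example"),
    "all": lambda r: True,
}


def acl_matches(term, request):
    """Evaluate one ACL reference; a leading '!' negates it, as in squid.conf."""
    name = term.lstrip("!")
    hit = ACLS[name](request)
    return not hit if term.startswith("!") else hit


def http_access(rules, request):
    """Return (action, index) of the first http_access line that matches.

    rules is a list of (action, acl, acl, ...) tuples in file order.  If no
    line matches, the opposite of the last line's action is returned with
    index None, mirroring Squid's documented fallback.
    """
    for index, (action, *terms) in enumerate(rules):
        if all(acl_matches(t, request) for t in terms):
            return action, index
    fallback = "deny" if rules[-1][0] == "allow" else "allow"
    return fallback, None


# Ordering as in the posted config: the authentication allow precedes every
# deny line, so it is the first line that matches for any authenticated client.
AS_POSTED = [
    ("allow", "kerb-auth"),
    ("deny", "!Safe_ports"),
    ("deny", "!from_arc"),
    ("deny", "bad_domains"),
    ("deny", "all"),
]

# Constructed contrast: the same lines with the authentication allow placed
# below the deny lines, so the deny lines get the first chance to match.
REORDERED = [
    ("deny", "!Safe_ports"),
    ("deny", "!from_arc"),
    ("deny", "bad_domains"),
    ("allow", "kerb-auth"),
    ("deny", "all"),
]

# Constructed test requests (user, client address, destination host, port).
AUTH_TO_BLOCKED = {"user": "squidaduser", "src": "10.46.49.10",
                   "host": "www.blocked.example", "port": 80}
AUTH_TO_ALLOWED = {"user": "squidaduser", "src": "10.46.49.10",
                   "host": "www.example.org", "port": 443}
NO_AUTH_TO_ALLOWED = {"user": None, "src": "10.46.49.10",
                      "host": "www.example.org", "port": 443}
OUTSIDE_NET = {"user": "squidaduser", "src": "192.0.2.7",
               "host": "www.example.org", "port": 80}


def trace(rules, request):
    """One-line summary naming the http_access line that decided the request."""
    action, index = http_access(rules, request)
    if index is None:
        where = "fallback (no line matched)"
    else:
        where = f"line {index + 1}: http_access {' '.join(rules[index])}"
    return f"{action:5} <- {where}"


if __name__ == "__main__":
    cases = (("auth, blocked host", AUTH_TO_BLOCKED),
             ("auth, allowed host", AUTH_TO_ALLOWED),
             ("no auth, allowed host", NO_AUTH_TO_ALLOWED),
             ("auth, outside network", OUTSIDE_NET))
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(f"== {label} ==")
        for name, req in cases:
            print(f"  {name:22} {trace(rules, req)}")
```

Running it shows the point of the thread directly: under the posted ordering every authenticated request, including one to a blocked host or from outside the 10.46.0.0/15 range, is decided by line 1, while under the reordered set the deny lines fire first and only authenticated requests that survive them reach the allow.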