On 2024-08-19 13:48, Piana, Josh wrote:
I added "http_access allow kerb-auth" as part of the generic
authentication settings.
We still want authenticated users to access, but we want the rules and
ACLs prior to that to catch them first.
If you want http_access rule X to be checked before http_access rule Y,
you have to list X above Y in squid.conf: Squid checks all http_access
directives one by one, top to bottom. At the first match, Squid applies
the matched action ("allow" or "deny") and does not check any
other/lower http_access rules.
I apologize, I'm quite new with Linux. Should I move that parameter
to near the end of the config file or remove it altogether?
FWIW, these access controls are not Linux-specific. I cannot tell you
what http_access order is correct because I do not know what "We want
authenticated users to access but we want to catch them first" means to
you in terms of actual access rules. There are many ways to interpret
that phrase...
In general, rules that do not depend on whether a user is authenticated
should go above the rules that do depend (or require) authentication.
This principle avoids needless authentication of potentially malicious
requests. FWIW, squid.conf.default has an http_access order template that
works for most use cases; you may want to start with that template rather
than starting from scratch.
For example, if an "allow authless_dst" rule is meant to apply to both
already-authenticated and not-yet-authenticated requests, then it
probably should go above the "allow kerb-auth" rule (which triggers
authentication), but there are many other ways these two rules may
interact. I cannot tell which order matches your access policies/desires.
HTH,
Alex.
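To make the first-match rule concrete, here is an added simulator of Squid's http_access evaluation (example code written for this thread, not Squid's own code or the poster's configuration). It parses http_access lines in file order, stops at the first rule whose ACL terms all match, and models a proxy_auth ACL the way Squid treats it when no credentials are present: evaluation stops and the client is challenged (407) rather than the rule simply not matching. The ACL predicates, the sample domains (updates.example, bad.example) and the client addresses are constructed for the example; only the ACL names and the 10.46.0.0/15 range come from the posted config. The two rule sets compare the posted order (allow kerb-auth first) with the order Alex describes (authentication-independent rules first).

```python
"""Simulate Squid's first-match http_access evaluation (added example, not Squid code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    src: str                     # client IP address
    dst_domain: str              # requested host name
    user: Optional[str] = None   # None = no proxy credentials presented yet


Acl = Callable[[Request], bool]

# Constructed ACL set reusing the names from the posted squid.conf.
# The domain suffixes are sample values, not the poster's list files.
ACLS: Dict[str, Acl] = {
    "kerb-auth": lambda r: r.user is not None,
    "from_arc": lambda r: ipaddress.ip_address(r.src) in ipaddress.ip_network("10.46.0.0/15"),
    "authless_dst": lambda r: r.dst_domain.endswith("updates.example"),
    "bad_domains": lambda r: r.dst_domain.endswith("bad.example"),
    "all": lambda r: True,
}

# proxy_auth ACLs are special: if the request carries no credentials, Squid
# stops evaluating and sends a 407 challenge instead of treating it as a miss.
AUTH_ACLS = {"kerb-auth"}

Rule = Tuple[str, List[str]]  # ("allow" | "deny", [acl terms, "!" = negated])


def parse_http_access(conf: str) -> List[Rule]:
    """Collect (action, [terms]) from http_access lines, in file order; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return rules


def evaluate(rules: List[Rule], req: Request) -> str:
    """Return 'allow', 'deny' or 'challenge' for req: top to bottom, first full match wins."""
    for action, terms in rules:
        for term in terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            if name in AUTH_ACLS and req.user is None:
                return "challenge"           # 407 sent; lower rules are never reached
            if ACLS[name](req) == negated:   # term failed: a miss, or a negated hit
                break
        else:
            return action                    # every term on this line matched
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


# Simplified excerpt in the posted order: the auth rule sits above everything else.
AS_POSTED = """
http_access allow kerb-auth      # authentication section near the top of the file
http_access deny !from_arc
http_access allow authless_dst
http_access deny bad_domains
http_access deny all
"""

# Same rules with authentication-independent checks first, as the reply recommends.
REORDERED = """
http_access deny !from_arc       # reject foreign sources before authenticating them
http_access allow authless_dst   # destinations that need no credentials
http_access deny bad_domains
http_access allow kerb-auth      # authenticate only what survived the rules above
http_access deny all
"""


def compare() -> Dict[str, Tuple[str, str]]:
    """Outcome (as posted, reordered) for three constructed test requests."""
    cases = {
        "authenticated user to bad domain": Request("10.46.49.10", "www.bad.example", user="squidaduser"),
        "unauthenticated to authless dst": Request("10.46.49.10", "updates.example"),
        "unauthenticated from outside": Request("192.0.2.5", "www.example"),
    }
    posted, reordered = parse_http_access(AS_POSTED), parse_http_access(REORDERED)
    return {name: (evaluate(posted, r), evaluate(reordered, r)) for name, r in cases.items()}


if __name__ == "__main__":
    for case, (before, after) in compare().items():
        print(f"{case:36s} as posted: {before:9s} reordered: {after}")
```

Running it shows the three effects discussed in the thread: with the allow rule on top, an authenticated user reaches a blocked domain because evaluation ends at the first line; a request to an authless destination is challenged for credentials it should not need; and a request from outside the allowed source range is challenged instead of being rejected outright. After reordering, each of those requests gets the outcome the later rules intend.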
-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Alex Rousskov
Sent: Monday, August 19, 2024 12:12 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Squid.conf Issues
On 2024-08-19 11:16, Piana, Josh wrote:
After setting up the backend using realmD, sssd, with Kerberos
authentication, I tested with a Windows "squidaduser" account. I can
verify the user account's connection to the proxy, and it is passing
traffic. The issue is, it's not being blocked by ANY of the ACLs we
have in place. I was hoping to reach out for help identifying the issue
with the squid.conf file. I assume that is the issue, but I
am pretty new at using Linux and completely unfamiliar with setting up
a web proxy.
In most cases, when Squid does not block, it allows. Squid allows when an "http_access allow" rule matches. Now look at _all_ of your http_access rules and ask yourself: Which "http_access allow" rule matches in my test case?
I do not know enough about your test logic, so I can only speculate that the answer to that question is "It is the very first http_access rule!":
http_access allow kerb-auth
In other words, your configuration allows all authenticated clients. In other words, it does not block any authenticated clients. Is that what you want?
HTH,
Alex.
Environment:
Squid Cache: Version 5.5
RHEL 9.4 on a HyperV VM
Linux Client Proxy in a Windows AD environment
Below I will post the config and attempt to edit out any relevant
company/personal information:
######################################################################
########
# General
######################################################################
########
max_filedesc 4096
cache_mgr ARCITAdmin@xxxxxxxxxx
cache_effective_user squid
cache_effective_group squid
shutdown_lifetime 5 seconds
######################################################################
########
# Logging
######################################################################
########
# this makes the logs readable to humans
logformat custom %tl.%03tu %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log custom
logfile_rotate 10
debug_options ALL,1
buffered_logs off
cache_log /var/log/squid/general
cache_access_log /var/log/squid/access.log
cache_store_log none
log_mime_hdrs off
strip_query_terms off
######################################################################
########
# Network - General/misc
######################################################################
########
# our HTTP proxy port
http_port 10.46.11.69:8080
# loopback management
http_port 127.0.0.1:3128
icp_port 0
forwarded_for off
######################################################################
########
# Network timeout settings
######################################################################
########
connect_timeout 30 seconds
peer_connect_timeout 20 seconds
read_timeout 2 minutes
request_timeout 2 minutes
persistent_request_timeout 30 seconds
######################################################################
########
# Configuration of the local cache itself
######################################################################
########
cache_dir ufs /var/spool/squid/ 10000 16 256
coredump_dir /var/spool/squid/
cache_replacement_policy heap LFUDA
memory_replacement_policy lru
cache_mem 256 MB
maximum_object_size 32 MB
maximum_object_size_in_memory 512 KB
quick_abort_min 16 KB
quick_abort_max 1 MB
quick_abort_pct 90
range_offset_limit 64 KB
######################################################################
########
# Cache control
######################################################################
########
acl no_cache_url url_regex -i "/etc/squid/no_cache_url"
cache deny no_cache_url
######################################################################
########
# Authentication
######################################################################
########
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/<domain>.ad.<domain>.com@AD.<domain>.COM
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl kerb-auth proxy_auth REQUIRED
http_access allow kerb-auth
######################################################################
########
# Access control - shared/common ACL definitions
######################################################################
########
# acl all src all
acl src_self src 127.0.0.0/8
acl src_self src 10.46.11.69
acl dst_self dst 127.0.0.0/8
acl dst_self dst 10.46.11.69
acl from_arc src 10.46.0.0/15
acl local_dst_addr dst 10.0.0.0/8
acl local_dst_addr dst bldg3.<domain>.com
acl local_dst_addr dst bldg5.<domain>.com
acl local_dst_dom dstdomain <domain>
acl proto_FTP proto FTP
acl proto_HTTP proto HTTP
acl localnet src 10.46.49.0/24
acl localnet src 10.47.49.0/24
acl http_ports port 80
acl http_ports port 81
acl http_ports port 8001
acl http_ports port 8080
acl Ssl_ports port 443
acl Ssl_ports port 9571
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl ssh_ports port 22
acl ftp_ports port 21
http_access deny !Safe_ports
acl method_CONNECT method CONNECT
acl methods_std method GET HEAD POST PUT DELETE
acl methods_std method TRACE OPTIONS
######################################################################
########
# Access control - maintenance
######################################################################
########
acl purge method PURGE
http_access allow purge src_self
http_access deny purge
acl cache_manager proto cache_object
cachemgr_passwd disabled shutdown offline_toggle
cachemgr_passwd none all
http_access allow cache_manager src_self
http_access deny cache_manager
######################################################################
########
# Access control - general proxy
######################################################################
########
http_access deny dst_self
http_access deny src_self
http_access deny !from_arc
http_access allow local_dst_dom
http_reply_access allow local_dst_dom
http_access allow local_dst_addr
http_reply_access allow local_dst_addr
acl authless_src src "/etc/squid/authless_src"
http_access allow authless_src
http_reply_access allow authless_src
acl authless_dst dstdomain "/etc/squid/authless_dst"
http_access allow authless_dst
http_reply_access allow authless_dst
acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
http_access deny bad_domains_preauth
acl block_user proxy_auth_regex -i "/etc/squid/block_user"
http_access deny block_user
acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
acl exec_files url_regex -i "/etc/squid/exec_files"
acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
http_access deny !bad_exception_urls !exec_users exec_files
deny_info ERR_BLOCK_TYPE exec_files
acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
http_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
http_reply_access allow methods_std proto_HTTP http_ports mmedia_sites mmedia_users
http_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
http_reply_access allow method_CONNECT ssl_ports mmedia_sites mmedia_users
acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny !bad_exception_urls bad_domains
deny_info ERR_BLOCK_DST bad_domains
acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
http_access deny !bad_exception_urls bad_domains_regex
deny_info ERR_BLOCK_DST bad_domains_regex
acl bad_urls url_regex -i "/etc/squid/bad_urls"
http_access deny !bad_exception_urls bad_urls
deny_info ERR_BLOCK_DST bad_urls
acl bad_files urlpath_regex -i "/etc/squid/bad_files"
http_access deny !bad_exception_urls bad_files
deny_info ERR_BLOCK_TYPE bad_files
acl bad_types rep_mime_type -i "/etc/squid/bad_types"
http_reply_access deny bad_types !bad_exception_urls
deny_info ERR_BLOCK_TYPE bad_types
acl fsoguest_user proxy_auth_regex -i fsoguest
acl fsoguest_dst dstdomain .opm.gov
acl fsoguest_dst dstdomain .google-analytics.com
acl fsoguest_dst dstdomain pki.google.com
acl fsoguest_dst dstdomain ajax.googleapis.com
acl fsoguest_dst dstdomain fonts.googleapis.com
acl fsoguest_dst dstdomain html5shiv.googlecode.com
acl fsoguest_dst dstdomain fonts.gstatic.com
acl fsoguest_dst dstdomain clients1.google.com
acl fsoguest_dst dstdomain ajax.microsoft.com
acl fsoguest_dst dstdomain ajax.aspnetcdn.com
acl fsoguest_dst dstdomain .geotrust.com
acl fsoguest_dst dstdomain .akamaihd.net
acl fsoguest_dst dstdomain symcd.com
http_access allow methods_std proto_HTTP http_ports fsoguest_dst fsoguest_user
http_access allow method_CONNECT ssl_ports fsoguest_dst fsoguest_user
http_access deny fsoguest_user
http_access allow http_ports proto_HTTP methods_std
http_access allow method_CONNECT ssl_ports
http_access deny method_CONNECT
http_access allow ftp_ports proto_FTP
http_access deny all
http_reply_access allow all
######################################################################
########
# END OF FILE
######################################################################
########
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users