Hello, I just reviewed all the steps for Kerberos authentication again. I'm unable to pinpoint any issues at all with the configuration, from the keytab file, to the krb5.conf file, to the parameters used in the squid.conf file. And yet, I am surely bypassing the authentication entirely. Is there anyone who could help me with this?

-----Original Message-----
From: Piana, Josh
Sent: Tuesday, November 12, 2024 10:43 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: RE: Access Log Question

Yeah, we have a few. I'll try to detail them below, I apologize for any formatting weirdness.

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/arcgate2.ad.arc-tech.com@xxxxxxxxxxxxxxx
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
auth_param basic realm ArcTech Proxy Server

acl localhost src 10.46.11.69
acl localhost src 127.0.0.0/8
acl localnet dst 10.0.0.0/8
acl localnet dst 172.0.0.0/8
acl localnet dst bldg3.arc-tech.com.
acl localnet dst bldg5.arc-tech.com.
acl SSL_ports port 443
acl SSL_ports port 5001
acl SSL_ports port 4434
acl SSL_ports port 9251
acl Safe_ports port 21
acl Safe_ports port 22
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 8080
acl Safe_ports port 8443
acl Safe_ports port 1025-65535
acl kerb-auth proxy_auth REQUIRED
acl CONNECT method CONNECT
acl local_dst_dom dstdomain arcgate2

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow local_dst_dom
http_access allow localnet

acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
http_access deny bad_domains_preauth

#acl block_user proxy_auth_regex -i "/etc/squid/block_user"
#http_access deny block_user

acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
http_access allow !bad_exception_urls

acl exec_files url_regex -i "/etc/squid/exec_files"
#acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
http_access deny !bad_exception_urls exec_files
deny_info ERR_BLOCK_TYPE exec_files

#acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
http_access allow CONNECT safe_ports SSL_ports mmedia_sites

acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny !bad_exception_urls bad_domains
deny_info ERR_BLOCK_DST bad_domains

acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
http_access deny !bad_exception_urls bad_domains_regex
deny_info ERR_BLOCK_DST bad_domains_regex

acl bad_urls url_regex -i "/etc/squid/bad_urls"
http_access deny !bad_exception_urls bad_urls
deny_info ERR_BLOCK_DST bad_urls

acl bad_files urlpath_regex -i "/etc/squid/bad_files"
http_access deny !bad_exception_urls bad_files
deny_info ERR_BLOCK_TYPE bad_files

http_access allow Safe_ports
http_access allow SSL_ports
http_access deny !kerb-auth
http_access allow kerb-auth
http_access deny all

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Matus UHLAR - fantomas
Sent: Tuesday, November 12, 2024 10:30 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Access Log Question

On 12.11.24 15:22, Piana, Josh wrote:
>I seem to be able to generate tickets by checking klist, and using kinit to authenticate my username with AD. But it looks like the proxy is ignoring it. This could explain why all my proxy_auth ACLs stopped working too.
>
>Here's my authentication settings:
>auth_param negotiate children 10
>auth_param negotiate keep_alive on
>auth_param basic credentialsttl 2 hours
>auth_param basic realm <redacted> Proxy Server
>
>acl kerb-auth proxy_auth REQUIRED
>
>The bottom of my ACL Rules looks like this:
>http_access deny !kerb-auth
>http_access allow kerb-auth
>http_access deny all

The bottom? Are there any ACL rules that allow clients' access before this?
Because ACL rules are processed in the order they are specified.

>-----Original Message-----
>From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Matus UHLAR - fantomas
>Sent: Tuesday, November 12, 2024 10:19 AM
>To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>Subject: Re: Access Log Question
>
>On 12.11.24 15:16, Piana, Josh wrote:
>>Seems like it.
>>
>>Example:
>>
>>12/Nov/2024:09:51:37 -0500.396 10.46.49.135 TCP_TUNNEL/200 23735
>>CONNECT
>>http://www.s/
>>a%2F&data=05%7C02%7Cjosh.piana%40hexcel.com%7C781d9733572443bebebd08dd
>>032ef2d6%7C4248050df19546d5ac9c0c7c52b04cae%7C0%7C0%7C6386702223804901
>>51%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCI
>>sIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=J
>>D5bPnmHAzYiBf0GEibkaOIItE5n7G5wQaTzYent9K4%3D&reserved=0
>>fgard.com%3A443%2F&data=05%7C02%7Cjosh.piana%40hexcel.com%7C1dd5a668cf
>>f
>>64041506f08dd032d47f6%7C4248050df19546d5ac9c0c7c52b04cae%7C0%7C0%7C638
>>6
>>70215221064884%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiI
>>w
>>LjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C
>>%
>>7C&sdata=gmzUs90%2Bccg4xxW8WHB2R4Tyb66r1tfKPdsQL2mHmUE%3D&reserved=0 -
>>\ HIER_DIRECT/206.188.0.52 - -/-
>
>yes, this looks like the username is not known to squid, thus probably bypassed authentication.
>what type of proxy authentication do you use?
>
>>-----Original Message-----
>>From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Matus UHLAR - fantomas
>>Sent: Tuesday, November 12, 2024 10:10 AM
>>To: squid-users@xxxxxxxxxxxxxxxxxxxxx
>>Subject: Re: Access Log Question
>>
>>On 12.11.24 14:56, Piana, Josh wrote:
>>> At some point, the access log has stopped recording which users are
>>> trying to access which sites.
>>>
>>> I'm currently thinking it could be an issue with log format, Squid
>>> not being able to receive the header information, or authentication
>>> is being bypassed completely due to our config, for some reason.
>>
>>what is it logging? does it log "-" instead of usernames?
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
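Matus's point about rule order is the one worth checking mechanically. What follows is an added example, not code from the thread or from Squid: a small Python model of Squid's first-match `http_access` evaluation (lines tried in order, every ACL on a line must match, a leading `!` negates, the first matching line decides). It runs over a constructed, reduced rule set whose ordering mirrors the posted one; the ACL names and ports are taken from the thread, while the regex, the blocked domain and the request values are made up. It reports which line decides an unauthenticated CONNECT and whether the `proxy_auth` ACL was ever consulted, then repeats this for a reordering that demands authentication right after the port sanity checks. It also lists `http_access` lines that name an ACL never defined, since Squid treats ACL names as case-sensitive and rejects such a configuration; that check is worth running against the posted config, where one line refers to `safe_ports` while the ACL is defined as `Safe_ports`.

```python
# Toy first-match evaluator for Squid http_access lines (added example, not Squid code).
# Modelled semantics: lines are tried in order, every ACL on a line must match (a leading
# '!' negates), a line is abandoned at its first failing ACL, and the first matching line decides.
import re
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Request:
    dst_host: str
    port: int
    method: str
    url: str
    user: Optional[str] = None       # None: the request carried no Proxy-Authorization credentials

@dataclass
class Verdict:
    action: str                      # 'allow' or 'deny'
    rule_index: int                  # 0-based position of the deciding http_access line
    rule: str                        # that line, as written
    auth_consulted: bool             # was any proxy_auth ACL evaluated before the decision?

class Config:
    def __init__(self, text):
        self.acls, self.rules = {}, []                      # name -> (type, values); [(action, terms)]
        for raw in text.splitlines():
            parts = raw.split('#', 1)[0].split()
            if parts[:1] == ['acl']:
                values = [v for v in parts[3:] if v != '-i']   # toy: regexes are always case-insensitive
                self.acls.setdefault(parts[1], (parts[2], []))[1].extend(values)
            elif parts[:1] == ['http_access']:
                self.rules.append((parts[1], parts[2:]))
        # ACL names are case-sensitive; Squid rejects a configuration whose rules name an undefined one
        self.undefined = sorted({t.lstrip('!') for _, terms in self.rules for t in terms}
                                - set(self.acls) - {'all'})

    def matches(self, name, req):
        if name == 'all':
            return True
        kind, values = self.acls[name]
        if kind == 'port':               # single ports or lo-hi ranges
            return any(int(lo) <= req.port <= int(hi or lo) for lo, _, hi in (v.partition('-') for v in values))
        if kind == 'method':
            return req.method in values
        if kind == 'dstdomain':          # '.example' matches the domain and its subdomains, a bare name exactly
            h = req.dst_host.lower()
            return any(h == v.lstrip('.') or (v.startswith('.') and h.endswith(v)) for v in map(str.lower, values))
        if kind == 'url_regex':
            return any(re.search(v, req.url, re.IGNORECASE) for v in values)
        if kind == 'proxy_auth':         # REQUIRED: any successfully authenticated user
            return req.user is not None
        raise ValueError(f"unsupported ACL type {kind}")

    def evaluate(self, req):
        auth_seen = False
        for i, (action, terms) in enumerate(self.rules):
            for t in terms:
                name = t.lstrip('!')
                auth_seen = auth_seen or (name != 'all' and self.acls[name][0] == 'proxy_auth')
                if self.matches(name, req) == t.startswith('!'):
                    break                # this ACL failed, so the line cannot match
            else:
                return Verdict(action, i, f"http_access {action} {' '.join(terms)}", auth_seen)
        last = self.rules[-1][0]         # Squid's implicit default is the opposite of the last line
        return Verdict('deny' if last == 'allow' else 'allow', len(self.rules), '(implicit default)', auth_seen)

# Constructed ACL set: names and ports follow the thread, the regex and domain are made up
ACLS = r"""
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535
acl kerb-auth proxy_auth REQUIRED
acl CONNECT method CONNECT
acl bad_exception_urls url_regex -i ^https?://allowed\.example\.com/
acl bad_domains dstdomain .blocked.example
"""
# Rule order mirroring the posted configuration: allow lines precede the authentication check
POSTED_ORDER = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow !bad_exception_urls
http_access allow Safe_ports
http_access allow SSL_ports
http_access deny !kerb-auth
http_access allow kerb-auth
http_access deny all
"""
# Same ACLs, authentication demanded right after the port sanity checks, content filters after it
AUTH_FIRST = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !kerb-auth
http_access deny !bad_exception_urls bad_domains
http_access allow kerb-auth
http_access deny all
"""
# Constructed requests: an unauthenticated CONNECT, the same with credentials, and one to a blocked domain
UNAUTH = Request('www.example.net', 443, 'CONNECT', 'www.example.net:443')
AUTHED = replace(UNAUTH, user='josh')
BLOCKED = replace(AUTHED, dst_host='ads.blocked.example', url='ads.blocked.example:443')
```

Calling `Config(POSTED_ORDER).evaluate(UNAUTH)` shows the unauthenticated request being allowed by `http_access allow !bad_exception_urls` with `auth_consulted` false: no credentials were ever requested, which is exactly the situation that shows up as `-` in the username field of access.log. Under `AUTH_FIRST` the same request is stopped at `http_access deny !kerb-auth`, the authenticated request passes the domain filter and is allowed by `allow kerb-auth`, and the request to the blocked domain is denied after authentication. In real Squid a `deny` line whose last ACL is a `proxy_auth` ACL and that fails for lack of credentials returns a 407 challenge rather than a plain denial, which is what the reordered rule set relies on to get the browser to present its Kerberos ticket. `Config(text).undefined` gives the ACL names referenced but never defined.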