Solved

Squid ACL allowing anonymous connections

Posted on 2009-07-07
341 Views
Last Modified: 2013-12-13
Hello,

I installed squid and squish with authentication, however, it is allowing anonymous connections.

Any ideas?

Thanks!

Drew
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 
 
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
 
 
### added by squish (begin)
# acl's for squish - autodetected, sometimes
acl SQUISHLOC dst http://www.www.com
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
acl password proxy_auth REQUIRED
acl SQUISHED2 ident    "/etc/squid/squished"
acl SQUISHED3 src        "/etc/squid/squished"
 
# Error info that says you're squished
deny_info http://www.www.com SQUISHED1
deny_info http://www.www.com SQUISHED2
deny_info http://www.www.com SQUISHED3
 
# HTTP access controls for squish
http_access allow SQUISHLOC
http_access allow password !SQUISHED1
http_access deny SQUISHED1
http_access deny SQUISHED2
http_access deny SQUISHED3
### added by squish (end)
 
#http_access deny !ncsa_users
 
 
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
 
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all


Question by:drew17
4 Comments
 

Expert Comment

by:arnold
ID: 24803517
Could you post the results of grep 'authenticat' squid.conf

What program provides the external Auth?
What happens if you uncomment the deny rule for ncsa_users?
http_access deny !ncsa_users

 

Author Comment

by:drew17
ID: 24806245
Hello arnold,

When I execute grep 'authenticat' squid.conf I get the snippet below.

I am using basic ncsa authentication

When I uncomment 'http_access deny !ncsa_users' I get the same result.

Thanks!

Drew
#				connection oriented authentication
#		     proxy and your parent requires proxy authentication.
#		     use 'login=PASS' to forward authentication to the peer.
#		     Note: To combine this with local authentication the Basic
#		     authentication scheme must be used, and both servers must
#		     not support Microsoft connection oriented authentication,
#	This is used to define parameters for the various authentication
#	The order in which authentication schemes are presented to the client is
#	Once an authentication scheme is fully configured, it can only be
#	authentication it does not automatically activate authentication.
#	To use authentication you must in addition make use of ACLs based
#	challenged for authentication on the first such acl encountered
#	WARNING: authentication can't be used in a transparently intercepting
#	Specify the command for the external authenticator.  Such a program
#	By default, the basic authentication scheme is not used unless a
#	If you want to use the traditional proxy authentication, jump over to
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	the basic proxy authentication scheme (part of the text the user
#	as there is multiple authentication backends which handles blank
#	Specify the command for the external authenticator.  Such a program
#	By default, the digest authentication scheme is not used unless a
#	If you want to use a digest authenticator, jump over to the
#	helpers/digest_auth/ directory and choose the authenticator to use.
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	digest proxy authentication scheme (part of the text the user will see
#	protect from authentication replay attacks.
#	Specify the command for the external NTLM authenticator. Such a
#	authenticator is ntlm_auth from Samba-3.X, but a number of other
#	ntlm authenticators is available.
#	By default, the ntlm authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	authentication request. It has been reported some versions of MSIE
#	Specify the command for the external Negotiate authenticator. Such a
#	authenticator is ntlm_auth from Samba-4.X.
#	By default, the Negotiate authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	Negotiate authentication scheme then you can try setting this to
#  TAG: authenticate_cache_garbage_interval
# authenticate_cache_garbage_interval 1 hour
#  TAG: authenticate_ttl
# authenticate_ttl 1 hour
#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL, this
# authenticate_ip_ttl 0 seconds
#	  # NOTE: proxy_auth requires a EXTERNAL authentication program
#	  # collides with any authentication done by origin servers. It may
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#		authenticator
#	MD5 service authentication can be enabled by adding


 

Accepted Solution

by:arnold (earned 500 total points)
ID: 24807323
You have proxy_auth set, but do you have an external program that will be used to check whether the user should be allowed through?

Which auth_ option are you using in the configuration?

Check the squid access log to see why it allows.
Increasing the debug level could provide additional information/clues to what is going on.
 

Author Closing Comment

by:drew17
ID: 31600896
It was just the order of the acl lines in my squid.conf file
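Squid walks the http_access list top to bottom and stops at the first line whose ACLs all match, so any allow placed above the proxy_auth line is reached without credentials. The Python below is an added example, not code from this thread or from Squid: it replays that first-match rule over the order posted in the question (where "allow CONNECT !SSL_ports" sits above "allow ncsa_users") and over Squid's shipped ordering plus the "deny !ncsa_users" line arnold asked about. Safe_ports and SSL_ports are reduced to ports 80 and 443 and the squish ACLs are left out; a proxy_auth ACL met by a request without credentials is modelled as Squid's 407 challenge.

```python
"""Replay Squid's first-match http_access evaluation over the rule order from
the posted squid.conf and over Squid's shipped ordering.  Constructed model of
the semantics, not Squid code; ACL port lists are reduced to 80 and 443."""
from collections import namedtuple

Request = namedtuple("Request", "method port authenticated")
PROXY_AUTH = "proxy_auth"  # marker: match result depends on client credentials

# ACLs referenced below; the squish ACLs are omitted (they never match here).
ACLS = {
    "Safe_ports": lambda r: r.port in (80, 443),   # real list is much longer
    "SSL_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "ncsa_users": PROXY_AUTH,
    "all": lambda r: True,
}

def evaluate(rules, req):
    """Return (outcome, deciding_rule); outcome is 'allow', 'deny' or 'challenge'."""
    for rule in rules:
        action, *names = rule.split()
        matched = True
        for name in names:
            negate = name.startswith("!")
            acl = ACLS[name.lstrip("!")]
            if acl == PROXY_AUTH:
                if not req.authenticated:
                    # Squid stops here and sends a 407 challenge, whatever the action.
                    return "challenge", rule
                hit = True
            else:
                hit = acl(req)
            if hit == negate:  # this ACL did not match once '!' is accounted for
                matched = False
                break
        if matched:
            return action, rule
    return "deny", "(implicit deny at end of list)"

# As posted: anonymous CONNECT to a non-SSL port is allowed before proxy_auth.
POSTED = ["deny !Safe_ports", "allow CONNECT !SSL_ports",
          "allow ncsa_users", "deny all"]
# Squid's shipped deny for CONNECT plus the deny !ncsa_users line from the thread.
FIXED = ["deny !Safe_ports", "deny CONNECT !SSL_ports",
         "deny !ncsa_users", "allow ncsa_users", "deny all"]

if __name__ == "__main__":
    anon = Request("CONNECT", 80, False)
    print("posted:", evaluate(POSTED, anon))  # ('allow', 'allow CONNECT !SSL_ports')
    print("fixed: ", evaluate(FIXED, anon))   # ('deny', 'deny CONNECT !SSL_ports')
```

Run against Squid's real access.log the same way: the line that decided each request is the one to check when an unauthenticated client gets through.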
