Solved

Squid ACL allowing anonymous commections

Posted on 2009-07-07
4
339 Views
Last Modified: 2013-12-13
Hello,

I installed squid and squish with authentication, however, it is allowing anonymous commections.

Any ideas?

Thanks!

Drew
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 
 
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
 
 
### added by squish (begin)
# acl's for squish - autodetected, sometimes
acl SQUISHLOC dst http://www.www.com
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
acl password proxy_auth REQUIRED
acl SQUISHED2 ident    "/etc/squid/squished"
acl SQUISHED3 src        "/etc/squid/squished"
 
# Error info that says you're squished
deny_info http://www.www.com SQUISHED1
deny_info http://www.www.com SQUISHED2
deny_info http://www.www.com SQUISHED3
 
# HTTP access controls for squish
http_access allow SQUISHLOC
http_access allow password !SQUISHED1
http_access deny SQUISHED1
http_access deny SQUISHED2
http_access deny SQUISHED3
### added by squish (end)
 
#http_access deny !ncsa_users
 
 
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
 
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

Open in new window

0
Comment
Question by:drew17
  • 2
  • 2
4 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 24803517
Could you post the  results of grep 'authenticat' squid.conf

What program provides the external Auth?
What happens if you uncomment the deny rule for ncsa_users?
http_access deny !ncsa_users

0
 

Author Comment

by:drew17
ID: 24806245
Hello arnoid,

When I execute grep 'authenticat' squid.conf I get the snippet below.

I am using basic ncsa authentication

When I uncomment 'http_access deny !ncsa_users' I get the same result.

Thanks!

Drew
#				connection oriented authentication
#		     proxy and your parent requires proxy authentication.
#		     use 'login=PASS' to forward authentication to the peer.
#		     Note: To combine this with local authentication the Basic
#		     authentication scheme must be used, and both servers must
#		     not support Microsoft connection oriented authentication,
#	This is used to define parameters for the various authentication
#	The order in which authentication schemes are presented to the client is
#	Once an authentication scheme is fully configured, it can only be
#	authentication it does not automatically activate authentication.
#	To use authentication you must in addition make use of ACLs based
#	challenged for authentication on the first such acl encountered
#	WARNING: authentication can't be used in a transparently intercepting
#	Specify the command for the external authenticator.  Such a program
#	By default, the basic authentication scheme is not used unless a
#	If you want to use the traditional proxy authentication, jump over to
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	the basic proxy authentication scheme (part of the text the user
#	as there is multiple authentication backends which handles blank
#	Specify the command for the external authenticator.  Such a program
#	By default, the digest authentication scheme is not used unless a
#	If you want to use a digest authenticator, jump over to the
#	helpers/digest_auth/ directory and choose the authenticator to use.
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	digest proxy authentication scheme (part of the text the user will see
#	protect from authentication replay attacks.
#	Specify the command for the external NTLM authenticator. Such a
#	authenticator is ntlm_auth from Samba-3.X, but a number of other
#	ntlm authenticators is available.
#	By default, the ntlm authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	authentication request. It has been reported some versions of MSIE
#	Specify the command for the external Negotiate authenticator. Such a
#	authenticator is ntlm_auth from Samba-4.X.
#	By default, the Negotiate authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	Negotiate authentication scheme then you can try setting this to
#  TAG: authenticate_cache_garbage_interval
# authenticate_cache_garbage_interval 1 hour
#  TAG: authenticate_ttl
# authenticate_ttl 1 hour
#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL, this
# authenticate_ip_ttl 0 seconds
#	  # NOTE: proxy_auth requires a EXTERNAL authentication program
#	  # collides with any authentication done by origin servers. It may
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#		authenticator
#	MD5 service authentication can be enabled by adding

Open in new window

0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 24807323
You have proxy_auth set, but do you have anexternal program that will be used to check whether the user should be allowed through.

Which auth_ option are you using in the configuration?

Check the squid access log to see why it allows.
Increasing the debug level could provide additional information/clues to what is going on.
0
 

Author Closing Comment

by:drew17
ID: 31600896
It was just the order of the acl lines in my squid.conf file
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
site - site VPN 3 35
Eset Smart Securties ARP poisoning attack 3 42
How do use '  ' within this code? 4 24
Linux 3 32
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question