Squid ACL allowing anonymous connections

Posted on 2009-07-07
Last Modified: 2013-12-13
Hello,

I installed squid and squish with authentication, however, it is allowing anonymous connections.

Any ideas?

Thanks!

Drew

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

### added by squish (begin)
# acl's for squish - autodetected, sometimes
acl SQUISHLOC dst http://www.www.com
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
acl password proxy_auth REQUIRED
acl SQUISHED2 ident    "/etc/squid/squished"
acl SQUISHED3 src        "/etc/squid/squished"

# Error info that says you're squished
deny_info http://www.www.com SQUISHED1
deny_info http://www.www.com SQUISHED2
deny_info http://www.www.com SQUISHED3

# HTTP access controls for squish
http_access allow SQUISHLOC
http_access allow password !SQUISHED1
http_access deny SQUISHED1
http_access deny SQUISHED2
http_access deny SQUISHED3
### added by squish (end)

#http_access deny !ncsa_users

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

Question by: drew17
 
LVL 77

Expert Comment

by:arnold
ID: 24803517
Could you post the results of grep 'authenticat' squid.conf

What program provides the external Auth?
What happens if you uncomment the deny rule for ncsa_users?
http_access deny !ncsa_users

Author Comment by: drew17 (ID: 24806245)
Hello arnold,

When I execute grep 'authenticat' squid.conf I get the snippet below.

I am using basic ncsa authentication

When I uncomment 'http_access deny !ncsa_users' I get the same result.

Thanks!

Drew

#				connection oriented authentication
#		     proxy and your parent requires proxy authentication.
#		     use 'login=PASS' to forward authentication to the peer.
#		     Note: To combine this with local authentication the Basic
#		     authentication scheme must be used, and both servers must
#		     not support Microsoft connection oriented authentication,
#	This is used to define parameters for the various authentication
#	The order in which authentication schemes are presented to the client is
#	Once an authentication scheme is fully configured, it can only be
#	authentication it does not automatically activate authentication.
#	To use authentication you must in addition make use of ACLs based
#	challenged for authentication on the first such acl encountered
#	WARNING: authentication can't be used in a transparently intercepting
#	Specify the command for the external authenticator.  Such a program
#	By default, the basic authentication scheme is not used unless a
#	If you want to use the traditional proxy authentication, jump over to
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	the basic proxy authentication scheme (part of the text the user
#	as there is multiple authentication backends which handles blank
#	Specify the command for the external authenticator.  Such a program
#	By default, the digest authentication scheme is not used unless a
#	If you want to use a digest authenticator, jump over to the
#	helpers/digest_auth/ directory and choose the authenticator to use.
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	digest proxy authentication scheme (part of the text the user will see
#	protect from authentication replay attacks.
#	Specify the command for the external NTLM authenticator. Such a
#	authenticator is ntlm_auth from Samba-3.X, but a number of other
#	ntlm authenticators is available.
#	By default, the ntlm authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	authentication request. It has been reported some versions of MSIE
#	Specify the command for the external Negotiate authenticator. Such a
#	authenticator is ntlm_auth from Samba-4.X.
#	By default, the Negotiate authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	Negotiate authentication scheme then you can try setting this to
#  TAG: authenticate_cache_garbage_interval
# authenticate_cache_garbage_interval 1 hour
#  TAG: authenticate_ttl
# authenticate_ttl 1 hour
#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL, this
# authenticate_ip_ttl 0 seconds
#	  # NOTE: proxy_auth requires a EXTERNAL authentication program
#	  # collides with any authentication done by origin servers. It may
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#		authenticator
#	MD5 service authentication can be enabled by adding

Accepted Solution by: arnold (earned 500 total points; ID: 24807323)
You have proxy_auth set, but do you have an external program that will be used to check whether the user should be allowed through.

Which auth_ option are you using in the configuration?

Check the squid access log to see why it allows.
Increasing the debug level could provide additional information/clues to what is going on.
Author Closing Comment by: drew17 (ID: 31600896)
It was just the order of the acl lines in my squid.conf file
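The two diagnoses in this thread (arnold's "is there actually an external program behind proxy_auth?" and the closing "it was the order of the acl lines") can both be checked mechanically. The grep output posted above contains only commented lines, so no active auth_param line exists in that squid.conf, and a proxy_auth ACL with no helper can never verify anyone. Independently, the posted config has http_access allow CONNECT !SSL_ports under the comment "Deny CONNECT to other than SSL ports", and that line sits before the ncsa_users rule, so an unauthenticated CONNECT to a non-SSL port is allowed purely by rule order. The following is an added example, not code from the thread or from Squid: a simplified model of Squid's first-match http_access evaluation that supports only the ACL types needed here (src, port, method, proxy_auth) and treats any other type such as dst or ident as never matching. The SSL_ports, Safe_ports, CONNECT, localhost and all ACL definitions are assumed from Squid's defaults, since the question does not show them, and the ncsa_auth helper path is a placeholder.

```python
"""Simplified model of Squid http_access evaluation (added example, not
Squid's code).  The first http_access line whose ACLs all match wins; if
no line matches, Squid applies the opposite of the last line's action.
Only the ACL types needed here are modelled: src, port, method and
proxy_auth.  Other types (dst, ident, ...) are treated as never matching."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the question's rule order, plus the SSL_ports,
# Safe_ports, CONNECT, localhost and all ACLs Squid ships by default
# (assumed here; the question's config does not show them).
SAMPLE_CONF = """\
acl all src all
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
acl ncsa_users proxy_auth REQUIRED
http_access deny !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow ncsa_users
http_access allow localhost
http_access deny all
"""

# The same config with the CONNECT line matching its own comment
# ("Deny CONNECT to other than SSL ports").
FIXED_CONF = SAMPLE_CONF.replace("http_access allow CONNECT !SSL_ports",
                                 "http_access deny CONNECT !SSL_ports")

# Hypothetical helper line: the question's grep shows no active auth_param.
AUTH_LINE = "auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd\n"


@dataclass
class Request:
    src: str                      # client IP address
    method: str                   # GET, CONNECT, ...
    port: int                     # destination port
    credentials_ok: bool = False  # the auth helper accepted the credentials


def parse_conf(text):
    """Return (acls, rules, has_auth_program).
    acls: name -> (type, args); rules: (action, [(negated, acl_name)], line)."""
    acls, rules, has_auth = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # Squid ignores comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms, line))
        elif parts[0] == "auth_param" and parts[2:3] == ["program"]:
            has_auth = True                     # an external helper is configured
    return acls, rules, has_auth


def _port_match(args, port):
    for arg in args:
        lo, _, hi = arg.partition("-")          # single port or lo-hi range
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _src_match(args, src):
    ip = ipaddress.ip_address(src)
    return any(a == "all" or ip in ipaddress.ip_network(a, strict=False)
               for a in args)


def acl_matches(acls, name, req, has_auth):
    if name not in acls:
        raise KeyError(f"undefined acl {name}")   # Squid would refuse to start
    kind, args = acls[name]
    if kind == "src":
        return _src_match(args, req.src)
    if kind == "port":
        return _port_match(args, req.port)
    if kind == "method":
        return req.method.upper() in {a.upper() for a in args}
    if kind == "proxy_auth":
        # With no helper configured, no credentials can ever be verified.
        return has_auth and req.credentials_ok
    return False                                  # dst, ident, ...: not modelled


def evaluate(conf_text, req):
    """Return (action, matching http_access line) for a request."""
    acls, rules, has_auth = parse_conf(conf_text)
    for action, terms, line in rules:
        if all(acl_matches(acls, name, req, has_auth) != neg for neg, name in terms):
            return action, line
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), "<no rule matched>"


if __name__ == "__main__":
    anon_connect = Request("10.0.0.5", "CONNECT", 80)
    print("anonymous CONNECT :80, as posted     :", evaluate(SAMPLE_CONF, anon_connect))
    print("anonymous CONNECT :80, CONNECT denied:", evaluate(FIXED_CONF, anon_connect))
    user = Request("10.0.0.5", "GET", 80, credentials_ok=True)
    print("user with password, no auth_param    :", evaluate(SAMPLE_CONF, user))
    print("user with password, helper present   :", evaluate(AUTH_LINE + SAMPLE_CONF, user))
```

Running it shows the anonymous CONNECT being allowed by the CONNECT line in the posted order and denied once that line is a deny, and shows a user with a valid password still falling through to deny all until an auth_param program line exists. The model deliberately omits one real Squid behaviour: a request without credentials that reaches a proxy_auth ACL normally gets a 407 challenge rather than a silent non-match, which is why the access log arnold points to is the authoritative record of which rule actually decided a given request.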