Solved

Squid ACL allowing anonymous connections

Posted on 2009-07-07
Last Modified: 2013-12-13
Hello,

I installed squid and squish with authentication, however, it is allowing anonymous connections.

Any ideas?

Thanks!

Drew
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 
 
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
 
 
### added by squish (begin)
# acl's for squish - autodetected, sometimes
acl SQUISHLOC dst http://www.www.com
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
acl password proxy_auth REQUIRED
acl SQUISHED2 ident    "/etc/squid/squished"
acl SQUISHED3 src        "/etc/squid/squished"
 
# Error info that says you're squished
deny_info http://www.www.com SQUISHED1
deny_info http://www.www.com SQUISHED2
deny_info http://www.www.com SQUISHED3
 
# HTTP access controls for squish
http_access allow SQUISHLOC
http_access allow password !SQUISHED1
http_access deny SQUISHED1
http_access deny SQUISHED2
http_access deny SQUISHED3
### added by squish (end)
 
#http_access deny !ncsa_users
 
 
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
 
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

Question by:drew17
4 Comments
 
LVL 80

Expert Comment

by:arnold
ID: 24803517
Could you post the results of grep 'authenticat' squid.conf?

What program provides the external Auth?
What happens if you uncomment the deny rule for ncsa_users?
http_access deny !ncsa_users

Author Comment

by:drew17
ID: 24806245
Hello arnold,

When I execute grep 'authenticat' squid.conf I get the snippet below.

I am using basic ncsa authentication

When I uncomment 'http_access deny !ncsa_users' I get the same result.

Thanks!

Drew
#				connection oriented authentication
#		     proxy and your parent requires proxy authentication.
#		     use 'login=PASS' to forward authentication to the peer.
#		     Note: To combine this with local authentication the Basic
#		     authentication scheme must be used, and both servers must
#		     not support Microsoft connection oriented authentication,
#	This is used to define parameters for the various authentication
#	The order in which authentication schemes are presented to the client is
#	Once an authentication scheme is fully configured, it can only be
#	authentication it does not automatically activate authentication.
#	To use authentication you must in addition make use of ACLs based
#	challenged for authentication on the first such acl encountered
#	WARNING: authentication can't be used in a transparently intercepting
#	Specify the command for the external authenticator.  Such a program
#	By default, the basic authentication scheme is not used unless a
#	If you want to use the traditional proxy authentication, jump over to
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	the basic proxy authentication scheme (part of the text the user
#	as there is multiple authentication backends which handles blank
#	Specify the command for the external authenticator.  Such a program
#	By default, the digest authentication scheme is not used unless a
#	If you want to use a digest authenticator, jump over to the
#	helpers/digest_auth/ directory and choose the authenticator to use.
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	digest proxy authentication scheme (part of the text the user will see
#	protect from authentication replay attacks.
#	Specify the command for the external NTLM authenticator. Such a
#	authenticator is ntlm_auth from Samba-3.X, but a number of other
#	ntlm authenticators is available.
#	By default, the ntlm authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	authentication request. It has been reported some versions of MSIE
#	Specify the command for the external Negotiate authenticator. Such a
#	authenticator is ntlm_auth from Samba-4.X.
#	By default, the Negotiate authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	Negotiate authentication scheme then you can try setting this to
#  TAG: authenticate_cache_garbage_interval
# authenticate_cache_garbage_interval 1 hour
#  TAG: authenticate_ttl
# authenticate_ttl 1 hour
#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL, this
# authenticate_ip_ttl 0 seconds
#	  # NOTE: proxy_auth requires a EXTERNAL authentication program
#	  # collides with any authentication done by origin servers. It may
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#		authenticator
#	MD5 service authentication can be enabled by adding

Accepted Solution

by: arnold (earned 1500 total points)
ID: 24807323
You have proxy_auth set, but do you have an external program that will be used to check whether the user should be allowed through?

Which auth_ option are you using in the configuration?

Check the squid access log to see why it allows.
Increasing the debug level could provide additional information/clues to what is going on.
Author Closing Comment

by:drew17
ID: 31600896
It was just the order of the acl lines in my squid.conf file
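The ordering effect the closing comment points at, shown with an added example that is not code from the thread: a small model of squid's first-match http_access evaluation run over the rule order from the posted squid.conf. It assumes squid-default ACL meanings for Safe_ports, SSL_ports, CONNECT, localhost and manager, treats the squish ACLs as never matching, and models a proxy_auth ACL with no credentials as a non-match (real squid answers it with a 407 challenge); the sample requests are constructed.

```python
# Added example, not code from the thread: a small model of squid's
# first-match http_access evaluation, run over the rule order posted above.
# Assumed squid-default ACLs: Safe_ports, SSL_ports, CONNECT, localhost,
# manager; the squish ACLs are treated as never matching, and a proxy_auth
# ACL with no credentials as a non-match (real squid sends a 407 challenge).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

def acl_matches(name, req):
    """Evaluate one named ACL against a request dict."""
    checks = {
        "manager":    req["url"].startswith("cache_object://"),
        "localhost":  req["src"] == "127.0.0.1",
        "Safe_ports": req["port"] in SAFE_PORTS,
        "SSL_ports":  req["port"] in SSL_PORTS,
        "CONNECT":    req["method"] == "CONNECT",
        "ncsa_users": "user" in req,   # acl ncsa_users proxy_auth REQUIRED
        "password":   "user" in req,   # acl password proxy_auth REQUIRED
        "all":        True,
    }
    return checks.get(name, False)     # SQUISHLOC / SQUISHED* never match here

def http_access(rules, req):
    """rules: [(action, [terms])], a leading '!' negates a term. The first
    line whose terms all match decides; with no match squid applies the
    opposite of the last line's action."""
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Rule order exactly as in the posted squid.conf.
POSTED = [("allow", ["manager", "localhost"]), ("deny", ["manager"]),
          ("deny", ["!Safe_ports"]),
          ("allow", ["CONNECT", "!SSL_ports"]),   # its comment says "Deny CONNECT"
          ("allow", ["ncsa_users"]), ("allow", ["SQUISHLOC"]),
          ("allow", ["password", "!SQUISHED1"]), ("deny", ["SQUISHED1"]),
          ("deny", ["SQUISHED2"]), ("deny", ["SQUISHED3"]),
          ("allow", ["localhost"]), ("deny", ["all"])]

# Same rules with the CONNECT line made a deny, as its comment states, and the
# commented-out "http_access deny !ncsa_users" placed ahead of every allow.
FIXED = POSTED[:3] + [("deny", ["CONNECT", "!SSL_ports"]),
                      ("deny", ["!ncsa_users"])] + POSTED[4:]

def anonymous_outcomes(rules):
    """Decisions for a constructed unauthenticated GET and an unauthenticated
    CONNECT to a non-SSL port; ('deny', 'allow') for POSTED."""
    get = {"src": "10.0.0.5", "method": "GET", "url": "http://example.com/", "port": 80}
    connect = {"src": "10.0.0.5", "method": "CONNECT", "url": "example.com:80", "port": 80}
    return http_access(rules, get), http_access(rules, connect)
```

Walking the posted order this way shows the first allow line an anonymous request can satisfy before any proxy_auth ACL is reached, which is what the access log would show as the matching rule.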