Solved

Squid ACL allowing anonymous commections

Posted on 2009-07-07
4
335 Views
Last Modified: 2013-12-13
Hello,

I installed squid and squish with authentication, however, it is allowing anonymous commections.

Any ideas?

Thanks!

Drew
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 
 
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
 
 
### added by squish (begin)
# acl's for squish - autodetected, sometimes
acl SQUISHLOC dst http://www.www.com
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
acl password proxy_auth REQUIRED
acl SQUISHED2 ident    "/etc/squid/squished"
acl SQUISHED3 src        "/etc/squid/squished"
 
# Error info that says you're squished
deny_info http://www.www.com SQUISHED1
deny_info http://www.www.com SQUISHED2
deny_info http://www.www.com SQUISHED3
 
# HTTP access controls for squish
http_access allow SQUISHLOC
http_access allow password !SQUISHED1
http_access deny SQUISHED1
http_access deny SQUISHED2
http_access deny SQUISHED3
### added by squish (end)
 
#http_access deny !ncsa_users
 
 
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
 
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

Open in new window

0
Comment
Question by:drew17
  • 2
  • 2
4 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 24803517
Could you post the  results of grep 'authenticat' squid.conf

What program provides the external Auth?
What happens if you uncomment the deny rule for ncsa_users?
http_access deny !ncsa_users

0
 

Author Comment

by:drew17
ID: 24806245
Hello arnoid,

When I execute grep 'authenticat' squid.conf I get the snippet below.

I am using basic ncsa authentication

When I uncomment 'http_access deny !ncsa_users' I get the same result.

Thanks!

Drew
#				connection oriented authentication
#		     proxy and your parent requires proxy authentication.
#		     use 'login=PASS' to forward authentication to the peer.
#		     Note: To combine this with local authentication the Basic
#		     authentication scheme must be used, and both servers must
#		     not support Microsoft connection oriented authentication,
#	This is used to define parameters for the various authentication
#	The order in which authentication schemes are presented to the client is
#	Once an authentication scheme is fully configured, it can only be
#	authentication it does not automatically activate authentication.
#	To use authentication you must in addition make use of ACLs based
#	challenged for authentication on the first such acl encountered
#	WARNING: authentication can't be used in a transparently intercepting
#	Specify the command for the external authenticator.  Such a program
#	By default, the basic authentication scheme is not used unless a
#	If you want to use the traditional proxy authentication, jump over to
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	the basic proxy authentication scheme (part of the text the user
#	as there is multiple authentication backends which handles blank
#	Specify the command for the external authenticator.  Such a program
#	By default, the digest authentication scheme is not used unless a
#	If you want to use a digest authenticator, jump over to the
#	helpers/digest_auth/ directory and choose the authenticator to use.
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	digest proxy authentication scheme (part of the text the user will see
#	protect from authentication replay attacks.
#	Specify the command for the external NTLM authenticator. Such a
#	authenticator is ntlm_auth from Samba-3.X, but a number of other
#	ntlm authenticators is available.
#	By default, the ntlm authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	authentication request. It has been reported some versions of MSIE
#	Specify the command for the external Negotiate authenticator. Such a
#	authenticator is ntlm_auth from Samba-4.X.
#	By default, the Negotiate authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	Negotiate authentication scheme then you can try setting this to
#  TAG: authenticate_cache_garbage_interval
# authenticate_cache_garbage_interval 1 hour
#  TAG: authenticate_ttl
# authenticate_ttl 1 hour
#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL, this
# authenticate_ip_ttl 0 seconds
#	  # NOTE: proxy_auth requires a EXTERNAL authentication program
#	  # collides with any authentication done by origin servers. It may
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#		authenticator
#	MD5 service authentication can be enabled by adding

Open in new window

0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 24807323
You have proxy_auth set, but do you have anexternal program that will be used to check whether the user should be allowed through.

Which auth_ option are you using in the configuration?

Check the squid access log to see why it allows.
Increasing the debug level could provide additional information/clues to what is going on.
0
 

Author Closing Comment

by:drew17
ID: 31600896
It was just the order of the acl lines in my squid.conf file
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Setting up a VPN 60 145
winscp 000webhost.com 6 54
Cisco 3650 switch 7 36
Powerline adapter slow Mbps? 38 127
This article discusses how to create an extensible mechanism for linked drop downs.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
The viewer will learn how to dynamically set the form action using jQuery.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question