Solved

Squid ACL allowing anonymous connections

Posted on 2009-07-07
Last Modified: 2013-12-13
Hello,

I installed squid and squish with authentication, however, it is allowing anonymous connections.

Any ideas?

Thanks!

Drew
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

### added by squish (begin)
# acl's for squish - autodetected, sometimes
acl SQUISHLOC dst http://www.www.com
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
acl password proxy_auth REQUIRED
acl SQUISHED2 ident    "/etc/squid/squished"
acl SQUISHED3 src        "/etc/squid/squished"

# Error info that says you're squished
deny_info http://www.www.com SQUISHED1
deny_info http://www.www.com SQUISHED2
deny_info http://www.www.com SQUISHED3

# HTTP access controls for squish
http_access allow SQUISHLOC
http_access allow password !SQUISHED1
http_access deny SQUISHED1
http_access deny SQUISHED2
http_access deny SQUISHED3
### added by squish (end)

#http_access deny !ncsa_users

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed

# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all

Question by:drew17
4 Comments
 
LVL 76

Expert Comment

by:arnold
ID: 24803517
Could you post the results of grep 'authenticat' squid.conf

What program provides the external Auth?
What happens if you uncomment the deny rule for ncsa_users?
http_access deny !ncsa_users

 

Author Comment

by:drew17
ID: 24806245
Hello arnold,

When I execute grep 'authenticat' squid.conf I get the snippet below.

I am using basic ncsa authentication

When I uncomment 'http_access deny !ncsa_users' I get the same result.

Thanks!

Drew
#				connection oriented authentication
#		     proxy and your parent requires proxy authentication.
#		     use 'login=PASS' to forward authentication to the peer.
#		     Note: To combine this with local authentication the Basic
#		     authentication scheme must be used, and both servers must
#		     not support Microsoft connection oriented authentication,
#	This is used to define parameters for the various authentication
#	The order in which authentication schemes are presented to the client is
#	Once an authentication scheme is fully configured, it can only be
#	authentication it does not automatically activate authentication.
#	To use authentication you must in addition make use of ACLs based
#	challenged for authentication on the first such acl encountered
#	WARNING: authentication can't be used in a transparently intercepting
#	Specify the command for the external authenticator.  Such a program
#	By default, the basic authentication scheme is not used unless a
#	If you want to use the traditional proxy authentication, jump over to
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	the basic proxy authentication scheme (part of the text the user
#	as there is multiple authentication backends which handles blank
#	Specify the command for the external authenticator.  Such a program
#	By default, the digest authentication scheme is not used unless a
#	If you want to use a digest authenticator, jump over to the
#	helpers/digest_auth/ directory and choose the authenticator to use.
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	digest proxy authentication scheme (part of the text the user will see
#	protect from authentication replay attacks.
#	Specify the command for the external NTLM authenticator. Such a
#	authenticator is ntlm_auth from Samba-3.X, but a number of other
#	ntlm authenticators is available.
#	By default, the ntlm authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	authentication request. It has been reported some versions of MSIE
#	Specify the command for the external Negotiate authenticator. Such a
#	authenticator is ntlm_auth from Samba-4.X.
#	By default, the Negotiate authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	Negotiate authentication scheme then you can try setting this to
#  TAG: authenticate_cache_garbage_interval
# authenticate_cache_garbage_interval 1 hour
#  TAG: authenticate_ttl
# authenticate_ttl 1 hour
#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL, this
# authenticate_ip_ttl 0 seconds
#	  # NOTE: proxy_auth requires a EXTERNAL authentication program
#	  # collides with any authentication done by origin servers. It may
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#		authenticator
#	MD5 service authentication can be enabled by adding

 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
ID: 24807323
You have proxy_auth set, but do you have an external program that will be used to check whether the user should be allowed through?

Which auth_ option are you using in the configuration?

Check the squid access log to see why it allows.
Increasing the debug level could provide additional information/clues to what is going on.
 

Author Closing Comment

by:drew17
ID: 31600896
It was just the order of the acl lines in my squid.conf file
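The fix reported above was reordering the http_access lines. As an added example (not the poster's file and not Squid's code), here is a toy Python model of Squid's first-match http_access evaluation using the ACL names and two rule orders taken from the posted squid.conf; the `Request` class, the matching predicates and the port list are simplifications assumed for the demonstration, not real Squid internals.

```python
from typing import Callable, Dict, List, Optional, Tuple

class Request:
    def __init__(self, method: str, port: int, user: Optional[str] = None,
                 squished: bool = False):
        self.method, self.port, self.user = method, port, user  # user None = no credentials
        self.squished = squished   # listed in /etc/squid/squished

# Simplified stand-ins for the poster's ACLs (names as in the thread).
ACLS: Dict[str, Callable[[Request], bool]] = {
    "Safe_ports": lambda r: r.port in (80, 21, 443, 70, 210, 1025),
    "SSL_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "ncsa_users": lambda r: r.user is not None,                # proxy_auth REQUIRED
    "SQUISHED1": lambda r: r.user is not None and r.squished,  # proxy_auth "/etc/squid/squished"
    "all": lambda r: True,
}
AUTH_ACLS = {"ncsa_users", "SQUISHED1"}  # proxy_auth ACLs: undecidable without credentials

def evaluate(rules: List[Tuple[str, List[str]]], req: Request) -> str:
    """First-match http_access: return 'allow', 'deny' or 'challenge' (407).
    An undecidable auth ACL makes the line a challenge only when it is the last
    ACL on that line; otherwise the line just fails to match. With no match,
    the default is the opposite of the last line's action (Squid's rule)."""
    for action, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            name = term[1:] if negate else term
            if name in AUTH_ACLS and req.user is None:
                if term == terms[-1]:
                    return "challenge"
                break
            if ACLS[name](req) == negate:
                break                       # this ACL fails; try the next line
        else:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Order as posted (abbreviated): 'allow CONNECT !SSL_ports' and 'allow ncsa_users'
# come before 'deny SQUISHED1', so they win first-match.
POSTED = [("deny", ["!Safe_ports"]), ("allow", ["CONNECT", "!SSL_ports"]),
          ("allow", ["ncsa_users"]), ("deny", ["SQUISHED1"]), ("deny", ["all"])]
# Reordered: deny the port checks (stock Squid denies CONNECT to non-SSL ports),
# deny squished users, then allow authenticated users, then deny everything.
FIXED = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
         ("deny", ["SQUISHED1"]), ("allow", ["ncsa_users"]), ("deny", ["all"])]
```

With the posted order an anonymous CONNECT to port 80 is allowed and a squished but authenticated user is allowed; with the reordered list the first is denied, the second is denied, and an anonymous GET receives a 407 challenge.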
