Squid ACL allowing anonymous connections

drew17 asked
Last Modified: 2013-12-13
Hello,

I installed squid and squish with authentication, however, it is allowing anonymous connections.

Any ideas?

Thanks!

Drew
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access allow CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
 
 
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users
 
 
### added by squish (begin)
# acl's for squish - autodetected, sometimes
acl SQUISHLOC dst http://www.www.com
acl SQUISHED1 proxy_auth -i "/etc/squid/squished"
acl password proxy_auth REQUIRED
acl SQUISHED2 ident    "/etc/squid/squished"
acl SQUISHED3 src        "/etc/squid/squished"
 
# Error info that says you're squished
deny_info http://www.www.com SQUISHED1
deny_info http://www.www.com SQUISHED2
deny_info http://www.www.com SQUISHED3
 
# HTTP access controls for squish
http_access allow SQUISHLOC
http_access allow password !SQUISHED1
http_access deny SQUISHED1
http_access deny SQUISHED2
http_access deny SQUISHED3
### added by squish (end)
 
#http_access deny !ncsa_users
 
 
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
 
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all


CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Could you post the results of grep 'authenticat' squid.conf

What program provides the external Auth?
What happens if you uncomment the deny rule for ncsa_users?
http_access deny !ncsa_users

Author

Commented:
Hello arnoid,

When I execute grep 'authenticat' squid.conf I get the snippet below.

I am using basic ncsa authentication

When I uncomment 'http_access deny !ncsa_users' I get the same result.

Thanks!

Drew
#				connection oriented authentication
#		     proxy and your parent requires proxy authentication.
#		     use 'login=PASS' to forward authentication to the peer.
#		     Note: To combine this with local authentication the Basic
#		     authentication scheme must be used, and both servers must
#		     not support Microsoft connection oriented authentication,
#	This is used to define parameters for the various authentication
#	The order in which authentication schemes are presented to the client is
#	Once an authentication scheme is fully configured, it can only be
#	authentication it does not automatically activate authentication.
#	To use authentication you must in addition make use of ACLs based
#	challenged for authentication on the first such acl encountered
#	WARNING: authentication can't be used in a transparently intercepting
#	Specify the command for the external authenticator.  Such a program
#	By default, the basic authentication scheme is not used unless a
#	If you want to use the traditional proxy authentication, jump over to
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	the basic proxy authentication scheme (part of the text the user
#	as there is multiple authentication backends which handles blank
#	Specify the command for the external authenticator.  Such a program
#	By default, the digest authentication scheme is not used unless a
#	If you want to use a digest authenticator, jump over to the
#	helpers/digest_auth/ directory and choose the authenticator to use.
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	digest proxy authentication scheme (part of the text the user will see
#	protect from authentication replay attacks.
#	Specify the command for the external NTLM authenticator. Such a
#	authenticator is ntlm_auth from Samba-3.X, but a number of other
#	ntlm authenticators is available.
#	By default, the ntlm authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	authentication request. It has been reported some versions of MSIE
#	Specify the command for the external Negotiate authenticator. Such a
#	authenticator is ntlm_auth from Samba-4.X.
#	By default, the Negotiate authentication scheme is not used unless a
#	The number of authenticator processes to spawn. If you start too few 
#	authenticator processes.
#	Negotiate authentication scheme then you can try setting this to
#  TAG: authenticate_cache_garbage_interval
# authenticate_cache_garbage_interval 1 hour
#  TAG: authenticate_ttl
# authenticate_ttl 1 hour
#  TAG: authenticate_ip_ttl
#	If you use proxy authentication and the 'max_user_ip' ACL, this
# authenticate_ip_ttl 0 seconds
#	  # NOTE: proxy_auth requires a EXTERNAL authentication program
#	  # collides with any authentication done by origin servers. It may
#	  # than <number> different ip addresses. The authenticate_ip_ttl
#		authenticator
#	MD5 service authentication can be enabled by adding


Author

Commented:
It was just the order of the acl lines in my squid.conf file
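The author's answer above is that the order of the lines was the problem. Squid evaluates http_access rules top to bottom and stops at the first line whose ACLs all match, so any allow rule that sits above the proxy_auth rule passes whatever it matches without credentials; the squid.conf documentation quoted in the thread also says the client is challenged on the first proxy_auth ACL encountered. In the posted config the CONNECT line reads `http_access allow CONNECT !SSL_ports` although its comment says deny, which is exactly such an allow above `http_access allow ncsa_users`. The Python model below is an added example for this thread, not Squid's own code and not from the question or the answers. It models only the documented first-match, challenge-on-first-proxy_auth and default-is-opposite-of-last-rule semantics, leaves out the cachemgr and squish lines, and assumes the stock squid.conf Safe_ports/SSL_ports values, which the question does not show. The sample requests are constructed.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Semantics modelled, as documented for squid.conf:
  * rules are checked top to bottom; the first line whose ACLs all match decides
  * a proxy_auth REQUIRED acl reached without credentials makes Squid challenge (407)
  * if no rule matches, the default is the opposite of the last rule's action
"""

# Assumed stock squid.conf port lists (the question does not show its own).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

AUTH_REQUIRED = "407 Proxy Authentication Required"


def acl_matches(name, req):
    """Return True/False for an acl, or AUTH_REQUIRED when the proxy_auth acl
    is evaluated for a request that carries no credentials."""
    if name == "Safe_ports":
        return req["port"] in SAFE_PORTS
    if name == "SSL_ports":
        return req["port"] in SSL_PORTS
    if name == "CONNECT":
        return req["method"] == "CONNECT"
    if name == "localhost":
        return req["src"] == "127.0.0.1"
    if name == "ncsa_users":  # acl ncsa_users proxy_auth REQUIRED
        if req.get("user") is None:
            return AUTH_REQUIRED
        return True  # assume the ncsa helper accepted the credentials
    if name == "all":
        return True
    raise ValueError(f"unknown acl {name}")


def http_access(rules, req):
    """Evaluate (action, [acl, ...]) rules for one request. A leading '!'
    negates an acl, as in squid.conf; acls on one line are ANDed."""
    for action, acls in rules:
        for acl in acls:
            negate = acl.startswith("!")
            result = acl_matches(acl.lstrip("!"), req)
            if result == AUTH_REQUIRED:
                return AUTH_REQUIRED  # challenge on the first proxy_auth acl hit
            if result == negate:  # this acl does not match: go to the next rule
                break
        else:
            return action  # every acl on the line matched
    # no rule matched: Squid applies the opposite of the last rule's action
    return "deny" if rules[-1][0] == "allow" else "allow"


def allows_before_auth(rules, auth_acl="ncsa_users"):
    """Static check: allow rules placed above the first rule that uses the
    proxy_auth acl. Each one is a path past authentication for what it matches."""
    found = []
    for action, acls in rules:
        if auth_acl in acls:
            break
        if action == "allow":
            found.append((action, acls))
    return found


# Order as posted in the question (cachemgr and squish lines omitted).
# The CONNECT line really reads "allow" there, although its comment says deny.
POSTED = [
    ("deny", ["!Safe_ports"]),
    ("allow", ["CONNECT", "!SSL_ports"]),
    ("allow", ["ncsa_users"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Hardened order: port hygiene is deny-only, so no allow precedes the auth rule.
HARDENED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["ncsa_users"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]

# Constructed sample requests from a LAN client.
ANON_CONNECT_80 = {"method": "CONNECT", "port": 80, "src": "10.0.0.5"}
ANON_CONNECT_443 = {"method": "CONNECT", "port": 443, "src": "10.0.0.5"}
ANON_GET = {"method": "GET", "port": 80, "src": "10.0.0.5"}
AUTH_GET = {"method": "GET", "port": 80, "src": "10.0.0.5", "user": "drew"}

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, "allow rules above auth:", allows_before_auth(rules))
        for name, req in (("anon CONNECT :80", ANON_CONNECT_80),
                          ("anon CONNECT :443", ANON_CONNECT_443),
                          ("anon GET", ANON_GET), ("auth GET", AUTH_GET)):
            print(f"  {name:18} -> {http_access(rules, req)}")
```

Against the posted order the model lets an unauthenticated CONNECT to a non-SSL port through before the proxy_auth rule is ever reached, while a plain GET is challenged; with the deny restored and no allow above `ncsa_users`, every anonymous request is either denied or challenged. On a real server the equivalent check is `squid -k parse` for syntax, then an unauthenticated request through the proxy (for example curl with `-x`) expecting a 407, followed by the same request with `--proxy-user` expecting success.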