Re: ext_user ACL
On 11/02/2012 8:00 a.m., Wladner Klimach wrote:
> "Denies if the user *is* logged in. Okay as an idea, but if the user is NOT logged in it will request credentials until one of the restrictUsers set is given. You can stick "all" at the end of that access line to skip challenging for credentials for other users and not logged in users."
>
> What "all" are you talking about? Is it the one from "http_access deny all"?
I'm talking about the ACL named "all". Yes, the same test which is used in "deny all". The line "http_access deny Maquinas_Portaria Horario_Portaria all" will not challenge for credentials when the line matches; instead it will cause "Access Denied" for those users when they go to google, and drop through to your external ACL for auth and group checks for everybody else.

What your existing config was doing in that access control is documented here:
http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F

The "all" hack is documented here:
http://wiki.squid-cache.org/Features/Authentication#How_do_I_prevent_Authentication_Loops.3F
> A conf like this would correct all the security holes you mention:
>
> auth_param negotiate program /etc/squid/squid-3.1.16/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth -s HTTP/trotsky.redecamara.camara.gov.br
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
> external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /etc/squid/squid-3.1.16/squid_kerb_ldap/squid_kerb_ldap -S californio.redecamara.camara.gov.br -g Internet@xxxxxxxxxxxxxxxxxxxxxxxx
> ##################
> visible_hostname trotsky.redecamara.camara.gov.br
> dns_nameservers 127.0.0.1
> append_domain .camara.gov.br
> hierarchy_stoplist cgi-bin ?
> # Recommended minimum configuration:
> #
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl localhost src 127.0.0.1/32 ::1
> acl manager proto cache_object
> acl SSL_ports port 443
> acl SSL_ports port 1863
> acl SSL_ports port 563
> acl SSL_ports port 465
> acl SSL_ports port 995
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 563 # https
> acl Safe_ports port 465 # https
> acl Safe_ports port 995 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> http_access deny !Safe_ports
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny to_localhost
> follow_x_forwarded_for allow localhost
> acl AUTENTICADO proxy_auth REQUIRED
> acl ldap_group_check external squid_kerb_ldap
> acl Maquinas_Portaria src "/etc/squid/Maquinas_Portaria.txt"
> acl SitesAcessoRemoto url_regex -i "/etc/squid/SitesAcessoRemoto"
> acl UsuariosControleRemoto proxy_auth "/etc/squid/UsuariosControleRemoto"
> acl Gab554-BloqueioMSN src "/etc/squid/Gab554-BloqueioMSN"
> acl InstantMessenger url_regex -i "/etc/squid/InstantMessenger.txt"
> acl Horario_Portaria time MTWHF 7:00-20:00
> http_access allow SitesAcessoRemoto UsuariosControleRemoto
> http_access deny SitesAcessoRemoto
> http_access deny Maquinas_Portaria Horario_Portaria
> http_access deny InstantMessenger Gab554-BloqueioMSN
> acl Horario_youtube time TWH 9:00-20:00
> acl bloqueio-youtube dstdomain www.youtube.com
> http_access deny bloqueio-youtube Horario_youtube
> http_access allow ldap_group_check
>
> Thanks for all the support!
>
> regards,
> Wladner
>
> 2012/2/10 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
>>> still can access it. Here is my .conf:
>>>
>>> auth_param negotiate program /etc/squid/squid-3.1.16/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth -s HTTP/trotsky.example.com
>>> auth_param negotiate children 10
>>> auth_param negotiate keep_alive on
>>> # External ACLs to look up the group based on Kerberos.
>>> external_acl_type squid_kerb_ldap ttl=3600 negative_ttl=3600 %LOGIN /etc/squid/squid-3.1.16/squid_kerb_ldap/squid_kerb_ldap -S californio.example.com -g Internet@xxxxxxxxxxx
>>> ##################
>>> visible_hostname example.com
>>> dns_nameservers 127.0.0.1
>>> append_domain .camara.gov.br
>>> hierarchy_stoplist cgi-bin ?
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32 ::1
>>> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
>>> follow_x_forwarded_for allow localhost
>>> # Recommended minimum configuration:
>>> #
>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>> acl SSL_ports port 443
>>> acl SSL_ports port 1863
>>> acl SSL_ports port 563
>>> acl SSL_ports port 465
>>> acl SSL_ports port 995
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 563 # https
>>> acl Safe_ports port 465 # https
>>> acl Safe_ports port 995 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>> acl QUERY urlpath_regex cgi-bin \?
>>> no_cache deny QUERY
>>> # Recommended minimum Access Permission configuration:
>>> #
>>> acl AUTENTICADO proxy_auth REQUIRED
>>> # Only allow cachemgr access from localhost
>>> acl ldap_group_check external squid_kerb_ldap
>>> acl Maquinas_Portaria src "/etc/squid/Maquinas_Portaria.txt"
>>> acl Horario_Portaria time MTWHF 7:00-20:00
>>> http_access deny Maquinas_Portaria Horario_Portaria
>>> acl Horario_youtube time TWH 9:00-20:00
>>> acl bloqueio-youtube dstdomain www.youtube.com
>>> http_access deny bloqueio-youtube Horario_youtube
>>> acl restrictUsers proxy_auth P_7501@xxxxxxxxxxx
>>> acl restrictedDomains url_regex -i "/etc/squid/InstantMessenger"
>>> http_access deny restrictedDomains restrictUsers
>>
>> Denies if the user *is* logged in. Okay as an idea, but if the user is NOT logged in it will request credentials until one of the restrictUsers set is given. You can stick "all" at the end of that access line to skip challenging for credentials for other users and not logged in users.
>>
>>> http_access allow ldap_group_check
>>
>> Unlimited access to anyone in the group unless they are visiting youtube, using Instant Messenger, or one of the Maquinas_Portaria machines.
>>
>> This has big security holes. These people are allowed management access to your proxy, access to unsafe ports, and to relay traffic through your proxy with CONNECT tunnels whenever they please. Notice how they can use CONNECT to a proxy outside your network to get access to Youtube and use Instant Messenger despite your controls. This is why the CONNECT security rule is recommended to be above your users' allow rules.
>>
>>> #http_access allow AUTENTICADO
>>> #http_access allow localnet
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny to_localhost
>>> http_access allow CONNECT SSL_Ports
>>
>> This is also a broken inversion of the security protections. It permits CONNECT tunnels to be made to anywhere if it was a port in SSL_Ports. The whole idea of the default security is to block non-SSL ports, not to permit unlimited access to SSL ports. Thus the particular form of:
>>
>>   http_access deny CONNECT !SSL_Ports
>>
>> ... and also why it is recommended to be above any other allow rules for your clients. The set starting from "allow manager localhost" down to "deny to_localhost" are similar protections, also recommended to be run first before any client allow rules.
>>
>>> http_access deny all
>>>
>>> What's the problem?
>>>
>>> Regards,
>>> Wladner
>>
>> Amos
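The following is an added example, not code from either poster or from Squid: a small Python model of how Squid evaluates http_access lines (first matching line wins; ACLs on a line are ANDed left to right; an auth ACL that finds no credentials triggers a 407 challenge only when it is the last ACL on the line, which is why appending "all" suppresses the challenge; when no line matches, the opposite of the last line's action applies). It runs the rule order from the quoted config against the order Amos recommends, using constructed requests. The hosts, addresses, user names and group membership are stand-ins for the ACL files and the squid_kerb_ldap helper; the ACL names are the thread's own.

```python
"""Model of Squid http_access evaluation (added example, not Squid code).
ACL matching is reduced to Python predicates; all hosts, addresses,
users and group members below are constructed stand-ins."""

ALLOW, DENY, CHALLENGE = "allow", "deny", "challenge"

SSL_PORTS = {443, 563, 465, 995, 1863}
SAFE_PORTS = SSL_PORTS | {80, 21, 70, 210, 280, 488} | set(range(1025, 65536))
IM_HOSTS = {"messenger.example.net"}   # stand-in for the InstantMessenger url_regex file
PORTARIA_SRC = {"10.1.1.50"}           # stand-in for Maquinas_Portaria.txt
RESTRICT_USERS = {"p_7501"}            # stand-in for the restrictUsers proxy_auth list
GROUP_MEMBERS = {"alice", "p_7501"}    # stand-in for the squid_kerb_ldap group lookup

ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "manager": lambda r: r["proto"] == "cache_object",
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "to_localhost": lambda r: r["dst"] in ("127.0.0.1", "0.0.0.0"),
    "Maquinas_Portaria": lambda r: r["src"] in PORTARIA_SRC,
    "Horario_Portaria": lambda r: r["weekday"] < 5 and 7 <= r["hour"] < 20,
    "restrictedDomains": lambda r: r["dst"] in IM_HOSTS,
    "restrictUsers": lambda r: r["user"] in RESTRICT_USERS,
    "ldap_group_check": lambda r: r["user"] in GROUP_MEMBERS,
}
# ACLs that need a logged-in user: proxy_auth, and external ACLs fed %LOGIN.
AUTH_ACLS = {"restrictUsers", "ldap_group_check"}


def eval_line(line, req):
    """Evaluate one http_access line; returns (matched, challenge).

    ACLs are ANDed left to right. An auth ACL evaluated without credentials
    challenges (407) only if it is the LAST ACL on the line; otherwise the
    line just fails to match, which is what appending "all" relies on.
    """
    _action, *acls = line.split()
    for i, token in enumerate(acls):
        negate = token.startswith("!")
        name = token.lstrip("!")
        if name in AUTH_ACLS and req["user"] is None:
            return False, i == len(acls) - 1
        result = ACLS[name](req)
        if negate:
            result = not result
        if not result:
            return False, False
    return True, False


def http_access(rules, req):
    """First matching line wins; if nothing matches, Squid applies the
    opposite of the last line's action."""
    action = None
    for line in rules:
        action = line.split()[0]
        matched, challenge = eval_line(line, req)
        if challenge:
            return CHALLENGE
        if matched:
            return action
    return DENY if action == ALLOW else ALLOW


# Rule order as quoted in the thread: client allow before the protections.
POSTED = [
    "deny Maquinas_Portaria Horario_Portaria",
    "deny restrictedDomains restrictUsers",
    "allow ldap_group_check",
    "allow manager localhost",
    "deny manager",
    "deny !Safe_ports",
    "deny to_localhost",
    "allow CONNECT SSL_ports",
    "deny all",
]

# Recommended order: protections first, then client rules, with "all"
# appended to deny lines that would otherwise end in an auth ACL.
RECOMMENDED = [
    "deny !Safe_ports",
    "deny CONNECT !SSL_ports",
    "allow manager localhost",
    "deny manager",
    "deny to_localhost",
    "deny Maquinas_Portaria Horario_Portaria all",
    "deny restrictedDomains restrictUsers all",
    "allow ldap_group_check",
    "deny all",
]


def request(**kw):
    """Constructed request; defaults are a plain GET from an office PC."""
    r = dict(src="10.1.1.7", dst="www.example.com", port=80, method="GET",
             proto="http", user=None, hour=10, weekday=1)
    r.update(kw)
    return r


def compare(req):
    """(verdict under the posted order, verdict under the recommended order)"""
    return http_access(POSTED, req), http_access(RECOMMENDED, req)


if __name__ == "__main__":
    cases = {
        "group member CONNECT to an outside proxy on 8080":
            request(user="alice", method="CONNECT", dst="proxy.example.net", port=8080),
        "group member fetching cache_object:// (cachemgr)":
            request(user="alice", proto="cache_object", port=3128),
        "group member GET to port 23": request(user="alice", port=23),
        "group member ordinary GET": request(user="alice"),
    }
    for label, req in cases.items():
        posted, recommended = compare(req)
        print(f"{label}: posted={posted}, recommended={recommended}")
    anon_im = request(dst="messenger.example.net")  # no credentials, IM site
    print("deny line without 'all':", eval_line("deny restrictedDomains restrictUsers", anon_im))
    print("deny line with 'all':   ", eval_line("deny restrictedDomains restrictUsers all", anon_im))
```

Under the posted order a group member reaches the cache manager, port 23 and a CONNECT tunnel to an outside proxy on a non-SSL port, because "allow ldap_group_check" is the first line that matches; under the recommended order the same requests hit "deny !Safe_ports", "deny manager" and "deny CONNECT !SSL_ports" before any allow line is consulted. The last two prints show the "all" hack in isolation: the deny line without it challenges an anonymous request for credentials, with it the line simply fails to match and the request falls through (in this model it is then challenged by "allow ldap_group_check", which is where the challenge belongs).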