Hole in my thinking


Hole in my thinking

Bobby-29
Hi List,

I've been battling with this configuration and at this point I don't think I'm
seeing straight. The idea is to have a few groups with some specific access
tables for each of them. But somehow, besides for manager, it either lets
them all through or none, rather than following the valid -http access lists.

Please help me see the errors of my way!


This is running on openbsd where pf is redirecting traffic from 80 to 3128 on
the loopback device.

--------------------------------------------------
http_port 3128

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 5203
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

acl our_networks src 172.16.10.0/24
#http_access allow our_networks

http_access allow Safe_ports

# Each src file has a list of internal IP's, and each dst file
#has a list of domains they can visit.
acl operators-src src "/etc/squid/T_operators"
acl operators-dst dst "/etc/squid/T_operators-http"
acl managers-src src "/etc/squid/T_managers"
acl managers-dst dst "/etc/squid/T_managers-http"
acl servers-src src "/etc/squid/T_servers"
acl servers-dst dst "/etc/squid/T_servers-http"
acl finance-src src "/etc/squid/T_finance"
acl finance-dst dst "/etc/squid/T_finance-http"
acl admins-src src "/etc/squid/T_admins"
acl admins-dst dst all

acl clients src 0.0.0.0/0.0.0.0
acl client-http dst 172.16.10.3

http_access allow managers-src managers-dst
http_access allow operators-src operators-dst
http_access allow admins-src admins-dst
http_access allow servers-src servers-dst
http_access allow finance-src finance-dst
http_access allow clients client-http

http_access deny all
http_reply_access deny all
icp_access allow all

visible_hostname gw0.example.com

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/squid/cache

--

Bobby

Re: Hole in my thinking

Chris Robertson-2
Bobby wrote:

> Hi List,
>
> I've been battling with this configuration and at this point I don't think I'm
> seeing straight. The idea is to have a few groups with some specific access
> tables for each of them. But somehow, besides for manager, it either lets
> them all through or none, rather than following the valid -http access lists.
>
> Please help me see the errors of my way!
>
>
> This is running on openbsd where pf is redirecting traffic from 80 to 3128 on
> the loopback device.
>
> --------------------------------------------------
> http_port 3128
>
> hierarchy_stoplist cgi-bin ?
>
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 5203
> acl CONNECT method CONNECT
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
>
> acl our_networks src 172.16.10.0/24
> #http_access allow our_networks
>
> http_access allow Safe_ports
>  

Here is the first line that matches.  Everyone is allowed through (as
long as they are trying to access a Safe_port).  Is this just here while
you test?

> # Each src file has a list of internal IP's, and each dst file
> #has a list of domains they can visit.
> acl operators-src src "/etc/squid/T_operators"
> acl operators-dst dst "/etc/squid/T_operators-http"
>  

Hard to diagnose a problem without knowing what the contents of these
files are...

> acl managers-src src "/etc/squid/T_managers"
> acl managers-dst dst "/etc/squid/T_managers-http"
> acl servers-src src "/etc/squid/T_servers"
> acl servers-dst dst "/etc/squid/T_servers-http"
> acl finance-src src "/etc/squid/T_finance"
> acl finance-dst dst "/etc/squid/T_finance-http"
> acl admins-src src "/etc/squid/T_admins"
> acl admins-dst dst all
>  

Perhaps the "all" keyword works as you expect it to, but it seems to me
that it would be better to define it as an explicit destination IP
(0.0.0.0/0).

> acl clients src 0.0.0.0/0.0.0.0
> acl client-http dst 172.16.10.3
>
> http_access allow managers-src managers-dst
> http_access allow operators-src operators-dst
> http_access allow admins-src admins-dst
> http_access allow servers-src servers-dst
> http_access allow finance-src finance-dst
> http_access allow clients client-http
>
> http_access deny all
> http_reply_access deny all
>  

Whoa.  You probably don't want to do this.  http_reply_access controls
what responses to your client's queries are allowed.  Here you are
rejecting all responses...

> icp_access allow all
>
> visible_hostname gw0.example.com
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> coredump_dir /var/squid/cache
>  

Chris


Re: Hole in my thinking

Bobby-29
On Thursday 07 June 2007 20:01:02 Chris Robertson wrote:

> Bobby wrote:
> > Hi List,
> >
> > I've been battling with this configuration and at this point I don't
> > think I'm seeing straight. The idea is to have a few groups with some
> > specific access tables for each of them. But somehow, besides for
> > manager, it either lets them all through or none, rather than following
> > the valid -http access lists.
> >
> > Please help me see the errors of my way!
> >
> >
> > This is running on openbsd where pf is redirecting traffic from 80 to
> > 3128 on the loopback device.
> >
> > --------------------------------------------------
> > http_port 3128
> >
> > hierarchy_stoplist cgi-bin ?
> >
> > acl QUERY urlpath_regex cgi-bin \?
> > no_cache deny QUERY
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > auth_param basic casesensitive off
> >
> > refresh_pattern ^ftp:           1440    20%     10080
> > refresh_pattern ^gopher:        1440    0%      1440
> > refresh_pattern .               0       20%     4320
> >
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 5203
> > acl CONNECT method CONNECT
> >
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access deny to_localhost
> >
> > acl our_networks src 172.16.10.0/24
> > #http_access allow our_networks
> >
> > http_access allow Safe_ports
>
> Here is the first line that matches.  Everyone is allowed through (as
> long as they are trying to access a Safe_port).  Is this just here while
> you test?

Yes, there are no Safe_ports defined.

> > # Each src file has a list of internal IP's, and each dst file
> > #has a list of domains they can visit.
> > acl operators-src src "/etc/squid/T_operators"
> > acl operators-dst dst "/etc/squid/T_operators-http"
>
> Hard to diagnose a problem without knowing what the contents of these
> files are...

Either RFC 1918 network addresses (172.16.10.nn) in -src files, or routable
IP's of websites in -dst files.

> > acl managers-src src "/etc/squid/T_managers"
> > acl managers-dst dst "/etc/squid/T_managers-http"
> > acl servers-src src "/etc/squid/T_servers"
> > acl servers-dst dst "/etc/squid/T_servers-http"
> > acl finance-src src "/etc/squid/T_finance"
> > acl finance-dst dst "/etc/squid/T_finance-http"
> > acl admins-src src "/etc/squid/T_admins"
> > acl admins-dst dst all
>
> Perhaps the "all" keyword works as you expect it to, but it seems to me
> that it would be better to define it as an explicit destination IP
> (0.0.0.0/0).

OK.

> > acl clients src 0.0.0.0/0.0.0.0
> > acl client-http dst 172.16.10.3
> >
> > http_access allow managers-src managers-dst
> > http_access allow operators-src operators-dst
> > http_access allow admins-src admins-dst
> > http_access allow servers-src servers-dst
> > http_access allow finance-src finance-dst
> > http_access allow clients client-http
> >
> > http_access deny all
> > http_reply_access deny all
>
> Whoa.  You probably don't want to do this.  http_reply_access controls
> what responses to your client's queries are allowed.  Here you are
> rejecting all responses...

Was not sure about it so I tried both. Already fixed it, thanks.
Unfortunately I don't have local access so I can only test during certain
hours.

> > icp_access allow all
> >
> > visible_hostname gw0.example.com
> >
> > httpd_accel_host virtual
> > httpd_accel_port 80
> > httpd_accel_with_proxy on
> > httpd_accel_uses_host_header on
> > coredump_dir /var/squid/cache
>
> Chris

In the end do you see any reason why operators can get out but not servers?

T_admins =
172.16.10.15
172.16.10.21
172.16.10.25

T_admins-http =
0.0.0.0

T_finance =
172.16.10.146
172.16.10.76

T_finance-http =
adobe.com
amsouth.com
anywho.com
arin.net

T_managers =
172.16.10.81
172.16.10.34
172.16.10.78

T_managers-http =
adobe.com
amsouth.com
anywho.com
arin.net

T_operators =
172.16.10.105
172.16.10.107
172.16.10.112
172.16.10.114
172.16.10.115
172.16.10.116

T_operators-http =
cordia.com
targusinfo.com
disney.go.com
av-wireless.com

T_servers =
172.16.10.81
172.16.10.35
172.16.10.24
172.16.10.12

T_servers-http =
microsoft.com
av-wireless.com


--

Bobby

Re: Hole in my thinking

Chris Robertson-2
Bobby wrote:
> On Thursday 07 June 2007 20:01:02 Chris Robertson wrote:
>  
>> Bobby wrote:
>>    
>>> Hi List,
>>>
>>>      
SNIP

>>> # Each src file has a list of internal IP's, and each dst file
>>> #has a list of domains they can visit.
>>> acl operators-src src "/etc/squid/T_operators"
>>> acl operators-dst dst "/etc/squid/T_operators-http"
>>>      
>> Hard to diagnose a problem without knowing what the contents of these
>> files are...
>>    
>
> Either RFC 1918 network addresses (172.16.10.nn) in -src files, or routable
> IP's of websites in -dst files.
>  

Had I read more closely, I would have noticed "list of  domains"
regarding the dst ACL.  That would cause problems.  See below.

>  
>>> acl managers-src src "/etc/squid/T_managers"
>>> acl managers-dst dst "/etc/squid/T_managers-http"
>>> acl servers-src src "/etc/squid/T_servers"
>>> acl servers-dst dst "/etc/squid/T_servers-http"
>>> acl finance-src src "/etc/squid/T_finance"
>>> acl finance-dst dst "/etc/squid/T_finance-http"
>>> acl admins-src src "/etc/squid/T_admins"
>>> acl admins-dst dst all
>>>      

SNIP

>>> acl clients src 0.0.0.0/0.0.0.0
>>> acl client-http dst 172.16.10.3
>>>
>>> http_access allow managers-src managers-dst
>>> http_access allow operators-src operators-dst
>>> http_access allow admins-src admins-dst
>>> http_access allow servers-src servers-dst
>>> http_access allow finance-src finance-dst
>>> http_access allow clients client-http
>>>
>>> http_access deny all
>>> http_reply_access deny all


SNIP

> In the end do you see any reason why operators can get out but not servers?
>
> T_admins =
> 172.16.10.15
> 172.16.10.21
> 172.16.10.25
>
> T_admins-http =
> 0.0.0.0
>
> T_finance =
> 172.16.10.146
> 172.16.10.76
>
> T_finance-http =
> adobe.com
> amsouth.com
> anywho.com
> arin.net
>
>  

I don't see how anyone (other than the admins) is getting out (anywhere
but 172.16.10.3).  :o)  The dst ACL is expecting an IP address.  To use
domains, you should be using dstdomain (and if you want to be
permissive, you should lead each of those domains with a period,*).

Chris

* Prepending a period to the domain of a dstdomain ACL will match the
domain and any subdomain. For example, acl dstdomain yahoo.com would
not match www.yahoo.com, but acl dstdomain .yahoo.com would.

Re: Hole in my thinking

Bobby-29
On Friday 08 June 2007 14:15:38 Chris Robertson wrote:

> Had I read more closely, I would have noticed "list of  domains"
> regarding the dst ACL.  That would cause problems.  See below.
>
> >>> acl managers-src src "/etc/squid/T_managers"
> >>> acl managers-dst dst "/etc/squid/T_managers-http"
> >>> acl servers-src src "/etc/squid/T_servers"
> >>> acl servers-dst dst "/etc/squid/T_servers-http"
> >>> acl finance-src src "/etc/squid/T_finance"
> >>> acl finance-dst dst "/etc/squid/T_finance-http"
> >>> acl admins-src src "/etc/squid/T_admins"
> >>> acl admins-dst dst all
>
> SNIP
>
> >>> acl clients src 0.0.0.0/0.0.0.0
> >>> acl client-http dst 172.16.10.3
> >>>
> >>> http_access allow managers-src managers-dst
> >>> http_access allow operators-src operators-dst
> >>> http_access allow admins-src admins-dst
> >>> http_access allow servers-src servers-dst
> >>> http_access allow finance-src finance-dst
> >>> http_access allow clients client-http
> >>>
> >>> http_access deny all
> >>> http_reply_access deny all
>
> SNIP
>
> > In the end do you see any reason why operators can get out but not
> > servers?
> >
> > T_admins =
> > 172.16.10.15
> > 172.16.10.21
> > 172.16.10.25
> >
> > T_admins-http =
> > 0.0.0.0
> >
> > T_finance =
> > 172.16.10.146
> > 172.16.10.76
> >
> > T_finance-http =
> > adobe.com
> > amsouth.com
> > anywho.com
> > arin.net
>
> I don't see how anyone (other than the admins) is getting out (anywhere
> but 172.16.10.3).  :o)  The dst ACL is expecting an IP address.  To use
> domains, you should be using dstdomain (and if you want to be
> permissive, you should lead each of those domains with a period,*).
>
> Chris
>
> * Prepending a period to the domain of a dstdomain ACL will match the
> domain and any sub domain.   For example, acl dstdomain yahoo.com would
> not match www.yahoo.com, but acl dstdomain .yahoo.com would.

So you are saying that

        acl managers-dst dst "/etc/squid/T_managers-http"

should really be

        acl managers-dst dstdomain "/etc/squid/T_managers-http"

and in the -http files each domain should be prepended with a period?



--

Bobby

Re: Hole in my thinking

Henrik Nordström
Sun 2007-06-10 at 21:39 -0400, Bobby wrote:

> should really be
>
> acl managers-dst dstdomain "/etc/squid/T_managers-http"
>
> and in the -http files each domain should be prepended with a period?

yes.

dstdomain is a match for the requested hostname/domain.

dst is a match on the IP of the requested hostname. Any hostnames
specified in a dst acl is resolved into IP when the configuration is
parsed by Squid.

Regards
Henrik
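The dst versus dstdomain distinction Henrik describes, together with the first-match http_access ordering Chris flagged on the `allow Safe_ports` line, as an added example that is not part of the thread or of Squid's own code; the ACL table is modelled on the thread's managers list and the requests are constructed:

```python
import ipaddress

# Added example, not Squid's own code: a model of Squid's src/port/dstdomain ACLs
# and first-match http_access, using the thread's managers list; requests are constructed.

def cidr_match(networks, ip):
    """src/dst compare an IP against addresses or CIDR ranges; a domain name
    in such a list is resolved once at parse time, never matched as text."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def dstdomain_match(patterns, host):
    """dstdomain: '.adobe.com' matches adobe.com and every subdomain,
    'adobe.com' matches only that exact hostname."""
    host = host.lower().rstrip(".")
    for p in (p.lower() for p in patterns):
        exact = p.lstrip(".")
        if host == exact or (p.startswith(".") and host.endswith(p)):
            return True
    return False

# ACL table mirroring the thread's config with Chris's fix applied: the -http
# list is a dstdomain ACL and each entry carries a leading period.
ACLS = {
    "Safe_ports":   ("port", [5203]),
    "managers-src": ("src", ["172.16.10.81", "172.16.10.34", "172.16.10.78"]),
    "managers-dst": ("dstdomain", [".adobe.com", ".amsouth.com", ".anywho.com", ".arin.net"]),
    "all":          ("src", ["0.0.0.0/0"]),
}

def acl_match(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return cidr_match(values, req["src"])
    if kind == "port":
        return req["port"] in values
    return dstdomain_match(values, req["host"])

def http_access(rules, req):
    """First-match: a line fires when every ACL on it matches ('!' negates one);
    with no match Squid applies the opposite of the last line."""
    for action, acls in rules:
        if all(acl_match(a.lstrip("!"), req) != a.startswith("!") for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The thread's order puts `allow Safe_ports` ahead of the per-group lines.
LEAKY = [("allow", ["Safe_ports"]), ("allow", ["managers-src", "managers-dst"]), ("deny", ["all"])]
FIXED = LEAKY[1:]
```

With LEAKY, any client reaching port 5203 is allowed before the group lines are consulted; with FIXED, a manager reaches www.adobe.com and nothing else, and an operator address reaches nothing.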


Re: Hole in my thinking

Bobby-29
On Sunday 10 June 2007 23:48:13 Henrik Nordstrom wrote:

> Sun 2007-06-10 at 21:39 -0400, Bobby wrote:
> > should really be
> >
> > acl managers-dst dstdomain "/etc/squid/T_managers-http"
> >
> > and in the -http files each domain should be prepended with a period?
>
> yes.
>
> dstdomain is a match for the requested hostname/domain.
>
> dst is a match on the IP of the requested hostname. Any hostnames
> specified in a dst acl is resolved into IP when the configuration is
> parsed by Squid.
>
> Regards
> Henrik

Thanks guys for your help! :)

--

Bobby