How to deal with proxy authentication bypass


How to deal with proxy authentication bypass

neok
Hello everyone, I am trying, unsuccessfully, to deal with proxy authentication bypass.
Even looking at the documentation I can't get it right. The point is that certain programs, such as the Cisco Webex client or the Google Earth Pro client, do not know how to speak properly with Squid's Kerberos authentication, so I want them not to have to authenticate for the domains they use.
For everything else I have no problems with authentication.
I attach the logs I get and my configuration in case they help.

Thank you very much in advance.
Best regards
Gabriel

squid.conf
visible_hostname s-px4.mydomain.com
#http_port 3128 require-proxy-header
http_port 3128
error_directory /opt/squid-503/share/errors/es-ar
forwarded_for transparent
shutdown_lifetime 0 seconds
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
read_timeout 5 minutes
request_timeout 3 minutes
cache_mem 1024 MB
maximum_object_size_in_memory 4 MB
memory_cache_mode always
ipcache_size 2048
fqdncache_size 4096
#cache_mgr 
httpd_suppress_version_string on
coredump_dir /opt/squid-503/var/cache/squid

auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on

auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=com" -D "cn=ldap,cn=Users,dc=mydomain,dc=com" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.com
auth_param basic children 30
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 4 hour

#acl vip_haproxy src 10.10.8.92
#proxy_protocol_access allow vip_haproxy

external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D NUEVENET.MEDIOS
acl NO_INTERNET external NO_INTERNET_USERS

acl SSL_ports port 443
acl SSL_ports port 8543         # LiveU Central
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 81          # coto "yo te conozco" donkey ports
acl Safe_ports port 623         # coto "yo te conozco" donkey ports
acl Safe_ports port 8543        # LiveU Central management
acl Safe_ports port 18255       # LiveU Central files download
acl Safe_ports port 33080       # ddjj
acl Safe_ports port 9090        # asociart
acl Safe_ports port 8713        # handball results
acl Safe_ports port 8080        # cponline.org.ar

# Lists of domains and IPs
acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"
acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"
acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"
acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"
acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"
acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"
acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"

# Access lists
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl port_9000 port 9000
acl port_5061 port 5061
acl port_5065 port 5065
acl CONNECT method CONNECT

#acl authenticated proxy_auth REQUIRED
# Denied internet to member users of INTERNET_OFF group
http_access deny NO_INTERNET all

# Allow webex without authentication
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex


http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# default SQUID rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# Apply 20Mbit/s QoS to members of Active Directory Authenticated Users group
acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==
delay_pools 1
delay_class 1 1
delay_parameters 1 2500000/2500000
delay_access 1 allow Domain_Users

# Allow authenticated users to use internet and deny to all others
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all


cat /opt/squid-503/acl/webex.txt
.ciscospark.com
.webex.com
.quovadisglobal.com
.digicert.com
.accompany.com
.walkme.com
.cisco.com

access.log
1601071522.675      0 10.10.9.250 TCP_DENIED/407 4106 CONNECT join-test.webex.com:443 - HIER_NONE/- text/html
1601071522.684      0 10.10.9.250 TCP_DENIED/407 4029 CONNECT msj1mcccl01.webex.com:443 - HIER_NONE/- text/html
1601071524.717      0 10.10.9.250 TCP_DENIED/407 4086 CONNECT tsa3.webex.com:443 - HIER_NONE/- text/html





_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How to deal with proxy authentication bypass

Ajb B
I looked this up and it looks like the reason Google does not work with Kerberos authentication (I think) is that Google makes requests to other domains:

(Please look at the second comment of the first answer.)

The solution would be to create an ACL to allow the Google and Cisco domains, but I don't think it will work because they make requests to other domains. It would be something like:

acl allowed_domains dstdomain google.com
http_access allow allowed_domains

Please note you would have to place it before your ACL in your lines where you have:

http_access allow authenticated
http_access deny all

I don't really have a solution except to look at your access.log file (in /var/log/squid), see the other domains Google is making a request to, and then add to your ACLs also.


Thanks,
Adrian
On Friday, September 25, 2020, 5:28:36 PM CDT, Service MV <[hidden email]> wrote:

Re: How to deal with proxy authentication bypass

neok
In my case I have the domains, for example from webex, which I get from their official support page. It seems that I am doing something wrong or I am not understanding well.

The error I get is 407. I understand that, with the configuration I have, authentication should not be requested for those domains, but apparently it is.

Below I have a bandwidth control configuration with an acl note; I don't know if that is what is triggering the Webex client's authentication request.
Maybe someone with more experience can tell me.

Thank you very much.
Gabriel

On Sat., 26 Sep. 2020 at 13:12, Ajb B ([hidden email]) wrote:

Re: How to deal with proxy authentication bypass

Amos Jeffries
Administrator
On 29/09/20 3:55 am, Service MV wrote:
> In my case I have the domains, for example from webex, which I get from
> their official support page. It seems that I am doing something wrong or
> I am not understanding well.
> I am basing this on this documentation
> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
>
> The error I get is 407. I understand I should not request authentication
> to those domains with the configuration I have, but apparently it does.
>

In the (possibly outdated now) config you showed earlier the
"NO_INTERNET" ACL might produce a 407 if credentials are completely
missing, but not re-auth if they are invalid.
If you wish to have a free audit, please post your current squid.conf
rules and I will comment on useful changes.


> Below I have a bandwidth control configuration with acl note, I don't
> know if that will be triggering the webex client authentication request.
> Maybe someone with more experience can tell me.

"note" ACL will match if the data is available but not trigger
authentication sequences. That is what makes it so useful for fast-group
access checking logins.


Amos
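As an added example, not the configuration Gabriel posted nor part of Amos's reply, here is the http_access section reordered so that the Webex bypass is decided before the NO_INTERNET external ACL, which is fed with %LOGIN and therefore challenges (407) any request that arrives without credentials. It assumes the ACL names defined in the squid.conf posted earlier in the thread.

```conf
# Added example: http_access rules reordered for the auth bypass.
# Assumes the ACL definitions from the posted squid.conf (LS_webex,
# port_*, CONNECT, NO_INTERNET, the blocklists, Safe_ports, SSL_ports).
#
# Why the reorder: NO_INTERNET is an external ACL using %LOGIN, so
# evaluating it on a request that carries no credentials makes Squid
# send a 407 challenge right there, before the LS_webex allow lines
# are ever reached. A client that cannot complete Negotiate never gets
# past the first rule. Everything that must stay credential-free has
# to be decided before the first ACL that needs a login.

# 1. Credential-free denials first. Keeping the blocklists ahead of the
#    bypass means an auth-exempt client is still subject to them.
http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# 2. Auth-exempt destinations, matched on destination domain plus port.
#    These stay ahead of the Safe_ports/SSL_ports checks, as in the
#    original, because 9000, 5061 and 5065 are not in those lists.
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex

# 3. Standard Squid safety rules.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# 4. Only now consult ACLs that require a login. From here on a request
#    without credentials is challenged, which is the intended behaviour
#    for every destination that is not on the bypass list. The trailing
#    "all" on the deny line is kept from the original config.
http_access deny NO_INTERNET all
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

After a reload, a CONNECT to a host in webex.txt from an unauthenticated client should log as TCP_TUNNEL rather than TCP_DENIED/407; any remaining 407 lines in access.log then point at hosts missing from the list.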

Re: How to deal with proxy authentication bypass

neok
Thank you Amos as always.
My current configuration has not changed much; it is as follows:

visible_hostname s-px4.mydomain.local
http_port 3128
error_directory /opt/squid-503/share/errors/es-ar
forwarded_for transparent
shutdown_lifetime 0 seconds
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
read_timeout 5 minutes
request_timeout 3 minutes
cache_mem 1024 MB
maximum_object_size_in_memory 4 MB
memory_cache_mode always
ipcache_size 2048
fqdncache_size 4096
cache_mgr [hidden email]
httpd_suppress_version_string on
coredump_dir /opt/squid-503/var/cache/squid

auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on

auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=local" -D "cn=ldap,cn=Users,dc=mydomain,dc=local" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.local
auth_param basic children 30
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 4 hour

external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D MYDOMAIN.LOCAL
acl NO_INTERNET external NO_INTERNET_USERS

acl SSL_ports port 443
acl SSL_ports port 8543         # LiveU Central
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 81          # coto "yo te conozco" donkey ports
acl Safe_ports port 623         # coto "yo te conozco" donkey ports
acl Safe_ports port 8543        # LiveU Central management
acl Safe_ports port 18255       # LiveU Central files download
acl Safe_ports port 33080       # ddjj
acl Safe_ports port 9090        # asociart
acl Safe_ports port 8713        # handball results
acl Safe_ports port 8080        # cponline.org.ar


# Lists of domains and IPs
acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"
acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"
acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"
acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"
acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"
acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"
acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"

# Access lists
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl port_9000 port 9000
acl port_5061 port 5061
acl port_5065 port 5065
acl CONNECT method CONNECT

# Denied internet to member users of INTERNET_OFF group 
http_access deny NO_INTERNET all

# Allow webex without authentication
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex

http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# default SQUID rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# Apply 20Mbit/s QoS to members of Active Directory Authenticated Users group
acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==
delay_pools 1
delay_class 1 1
delay_parameters 1 2500000/2500000
delay_access 1 allow Domain_Users

# Allow authenticated users to use internet and deny to all others
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all


Thank you very much in advance for your valuable help.
Best regards
Gabriel


On Tue., 29 Sep. 2020 at 07:46, Amos Jeffries ([hidden email]) wrote: