IP auth, simple username/pass authentication, if ip not authorized?

IP auth, simple username/pass authentication, if ip not authorized?

xpro6000

Right now I'm using Squid with IP based authentication. Would it be possible to also allow the user access if their IP is not allowed, but they provide username/pass?


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: IP auth, simple username/pass authentication, if ip not authorized?

xpro6000
This should do it

acl Allowed_IPs src "/etc/squid/Allowed_IPs.txt"
http_access allow Allowed_IPs

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#http_access allow localhost
http_access deny all
#http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


On Fri, Apr 13, 2018 at 11:30 PM, xpro <[hidden email]> wrote:

Right now I'm using Squid with IP based authentication. Would it be possible to also allow the user access if their IP is not allowed, but they provide username/pass?


Re: IP auth, simple username/pass authentication, if ip not authorized?

Amos Jeffries
Administrator
Yes that should do it. But to let Squid do its job against DoS and such
security attacks ...

On 14/04/18 17:36, xpro6000 wrote:
> This should do it
>

Move all these custom rules between here ...

> acl Allowed_IPs src "/etc/squid/Allowed_IPs.txt"
> http_access allow Allowed_IPs
>
> auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/passwd
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> acl ncsa_users proxy_auth REQUIRED
> http_access allow ncsa_users
>

... and here.


> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager

... Down to this position after the recommended (aka Best Practice)
security protections/rules.

Amos
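
A check for the ordering point raised in the reply above, as an added example that is not part of the original thread or of Squid: because Squid stops at the first matching http_access line, it reports any allow rule placed before the default protections. The function names and the two sample configurations are constructed for illustration, using only the http_access lines quoted in the thread.

```python
import re

# Default-config protections that the reply says must precede custom rules.
BASELINE = {("deny", "!Safe_ports"), ("deny", "CONNECT !SSL_ports"), ("deny", "manager")}
# "allow localhost manager" ships inside that default block, so it is not flagged.
EXEMPT = {("allow", "localhost manager")}

def http_access_rules(conf):
    """Return (line_no, action, acl_expr) for every active http_access line."""
    rules = []
    for no, line in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*http_access\s+(allow|deny)\s+(\S.*)$", line)
        if m:  # commented-out lines start with '#' and never match
            rules.append((no, m.group(1), " ".join(m.group(2).split())))
    return rules

def early_allows(conf):
    """Report allow rules that win (first match) before a baseline deny is reached."""
    rules = http_access_rules(conf)
    found = {(a, e) for _, a, e in rules}
    findings = [f"missing baseline rule: http_access {a} {e}"
                for a, e in sorted(BASELINE - found)]
    last = max((i for i, (_, a, e) in enumerate(rules) if (a, e) in BASELINE), default=-1)
    for no, action, expr in rules[:last + 1]:
        if action == "allow" and (action, expr) not in EXEMPT:
            findings.append(f"line {no}: 'http_access allow {expr}' precedes baseline denies")
    return findings

# Constructed samples: http_access lines from the thread (acl definitions omitted).
POSTED_ORDER = """\
http_access allow Allowed_IPs
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
#http_access allow localhost
http_access deny all
"""
SUGGESTED_ORDER = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow Allowed_IPs
http_access allow ncsa_users
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_ORDER), ("suggested", SUGGESTED_ORDER)):
        print(name, early_allows(conf) or "ok")
```

With the posted order, both custom allow lines are reported, since a client matching either one is admitted before the Safe_ports and CONNECT restrictions are evaluated.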