Problem with squid proxy authentication configuration


Problem with squid proxy authentication configuration

Amiq Nahas
Hi Guys,

I am trying to configure Squid so as to have user proxy
authentication; below is how my squid.conf file looks:

-----
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/spool/squid

refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .        0    20%    4320
-----

The above lines were the defaults in the squid.conf file.

I have added the lines below:

-----
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
adaptation_access service_resp allow all

acl ncsa src 0.0.0.0/0.0.0.0
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl ncsa proxy_auth REQUIRED
http access allow ncsa
-----

With this in place, I have configured 127.0.0.1:3128 as a manual proxy in Firefox.

But when I try to connect to the internet it displays "The proxy server is
refusing connections"
(https://i.ytimg.com/vi/-LJAxo9TVig/hqdefault.jpg)

Please point out what I am doing wrong.

Thanks
Amiq
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Problem with squid proxy authentication configuration

Alex Rousskov
On 6/10/20 5:26 AM, Amiq Nahas wrote:

> http_port 3128


> I have configured 127.0.0.1:3128 as manual proxy in firefox.
>
> But when I try to connect to internet it displays "The proxy server is
> refusing connections"

Does your Squid run on the same machine as your browser? If yes, are
there any errors or warnings in Squid's cache.log, access.log? Does
"netstat -na" or equivalent (executed on the browser machine) show
something listening for TCP/IPv4 connections on port 3128?

Alex.

Re: Problem with squid proxy authentication configuration

Amos Jeffries
Administrator
In reply to this post by Amiq Nahas
On 10/06/20 9:26 pm, Amiq Nahas wrote:

> Hi Guys,
>
> I am trying to configure squid so as to have user proxy
> authentication, below is how my squid.conf file looks like:
>
> -----
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access deny all
> http_port 3128
> coredump_dir /var/spool/squid
>
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
> refresh_pattern .        0    20%    4320
> -----
>
> The above lines were default in squid.conf file.
>
> I have added below lines:
>

*Where* did you add them? Order is important.


> -----
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
>
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
> adaptation_access service_req allow all
>
> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
> adaptation_access service_resp allow all
>
> acl ncsa src 0.0.0.0/0.0.0.0

Don't do that. Use "all" to match any IP address.

If you want to match IPv4-only clients there is a special value "ipv4"
which is used like so:
  acl ipv4_only src ipv4

Be careful with this type of control. Different access behaviours for
IPv4 and IPv6 are how security bypass issues are created.



> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> auth_param basic realm proxy
> acl ncsa proxy_auth REQUIRED

"ncsa" was already defined as an IP address matching ACL.


> http access allow ncsa


This will only allow clients who are already trying to send credentials.
It will not inform clients that they need to and no sane client will
broadcast its credential secrets unless it has to.

To have HTTP auth work in the usual way it is best to *deny*
non-authenticated traffic and allow based on any other criteria you
have. Like so:

  http_access deny !ncsa
  http_access allow localnet

or

  http_access deny !ncsa
  http_access allow ncsa





Amos

Re: Problem with squid proxy authentication configuration

Amiq Nahas
On Wed, Jun 10, 2020 at 8:07 PM Amos Jeffries <[hidden email]> wrote:

>
> On 10/06/20 9:26 pm, Amiq Nahas wrote:
> > Hi Guys,
> >
> > I am trying to configure squid so as to have user proxy
> > authentication, below is how my squid.conf file looks like:
> >
> > -----
> > acl SSL_ports port 443
> > acl Safe_ports port 80        # http
> > acl Safe_ports port 21        # ftp
> > acl Safe_ports port 443        # https
> > acl Safe_ports port 70        # gopher
> > acl Safe_ports port 210        # wais
> > acl Safe_ports port 1025-65535    # unregistered ports
> > acl Safe_ports port 280        # http-mgmt
> > acl Safe_ports port 488        # gss-http
> > acl Safe_ports port 591        # filemaker
> > acl Safe_ports port 777        # multiling http
> > acl CONNECT method CONNECT
> >
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost manager
> > http_access deny manager
> > http_access allow localhost
> > http_access deny all
> > http_port 3128
> > coredump_dir /var/spool/squid
> >
> > refresh_pattern ^ftp:        1440    20%    10080
> > refresh_pattern ^gopher:    1440    0%    1440
> > refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> > refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
> > refresh_pattern .        0    20%    4320
> > -----
> >
> > The above lines were default in squid.conf file.
> >
> > I have added below lines:
> >
>
> *Where* did you add them? order is important.

I have added the below lines exactly in this order at the end of the
file squid.conf.

> > -----
> > icap_enable on
> > icap_send_client_ip on
> > icap_send_client_username on
> > icap_client_username_header X-Authenticated-User
> > icap_preview_enable on
> > icap_preview_size 1024
> >
> > icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
> > adaptation_access service_req allow all
> >
> > icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
> > adaptation_access service_resp allow all
> >
> > acl ncsa src 0.0.0.0/0.0.0.0
>
> Don't do that. Use "all" to match any IP address.
>
> If you want to match IPv4-only clients there is a special value "ipv4"
> which is used like so:
>   acl ipv4_only src ipv4
>
> Be careful with these type of control. Different access behaviours for
> IPv4 and IPv6 is how security bypass issues are created.
>
>
>
> > auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> > auth_param basic realm proxy
> > acl ncsa proxy_auth REQUIRED
>
> "ncsa" was already defined as a IP address matching ACL.
>
>
> > http access allow ncsa
>
>
> This will only allow clients who are already trying to send credentials.
> It will not inform clients that they need to and no sane client will
> broadcast its credential secrets unless it has to.
>
> To have HTTP auth work in the usual way it is best to *deny*
> non-authenticated traffic and allow based on any other criteria you
> have. Like so:
>
>   http_access deny !ncsa
>   http_access allow localnet
>
> or
>
>   http_access deny !ncsa
>   http_access allow ncsa

So I changed the configuration according to what you suggested and now
I can access the internet.
Below is how the configuration now looks:

acl ncsa src all
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated ncsa

I am able to access the internet now; does this mean that everything
worked fine? I am asking because I will be using this proxy
authentication setup in c-icap for setting up the url_check service.
Also, I am not prompted for any password; I am able to access the
internet just like that. Is that how it is supposed to work? Because if
I don't need to enter the password before browsing the web, what would
be the point of it all. Right? Or am I missing something here?
I have been using this article for reference
http://hevi.info/do-it-yourself/install-and-setup-squid3-on-ubuntu-14-04-with-authentication/

Thanks
Amiq

Re: Problem with squid proxy authentication configuration

Amiq Nahas
In reply to this post by Alex Rousskov
On Wed, Jun 10, 2020 at 6:48 PM Alex Rousskov
<[hidden email]> wrote:

>
> On 6/10/20 5:26 AM, Amiq Nahas wrote:
>
> > http_port 3128
>
>
> > I have configured 127.0.0.1:3128 as manual proxy in firefox.
> >
> > But when I try to connect to internet it displays "The proxy server is
> > refusing connections"
>
> Does your Squid run on the same machine as your browser? If yes, are
> there any errors or warnings in Squid's cache.log, access.log? Does
> "netstat -na" or equivalent (executed on the browser machine) show
> something listening for TCP/IPv4 connection on port 3128?


Thanks for the reply.

Yes, Squid is running on the same machine as the browser.
I have checked cache.log and access.log, there are no errors or
warnings that get generated when the browser shows the proxy refusing
connections error page.
I ran netstat -na and port 3128 is not listening.

I should mention that before I added the below lines in the
configuration, it was all running fine. I could browse the net
and was getting logs of websites visited in the access.log file.
So I am guessing these lines are the problem, but the more important
problem at hand is that 3128 port is not listening. Any thoughts?

acl ncsa src 0.0.0.0/0.0.0.0
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl ncsa proxy_auth REQUIRED
http access allow ncsa

In case the system environment has something to do with the problem:
the system in question runs Ubuntu 18.04 with Linux-5.6.0-rc7.

Thanks
Amiq

Re: Problem with squid proxy authentication configuration

Amos Jeffries
Administrator
In reply to this post by Amiq Nahas
On 12/06/20 12:29 am, Amiq Nahas wrote:

> On Wed, Jun 10, 2020 at 8:07 PM Amos Jeffries wrote:
>>
>> On 10/06/20 9:26 pm, Amiq Nahas wrote:
>>> Hi Guys,
>>>
>>> I am trying to configure squid so as to have user proxy
>>> authentication, below is how my squid.conf file looks like:
>>>
>>> -----
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80        # http
>>> acl Safe_ports port 21        # ftp
>>> acl Safe_ports port 443        # https
>>> acl Safe_ports port 70        # gopher
>>> acl Safe_ports port 210        # wais
>>> acl Safe_ports port 1025-65535    # unregistered ports
>>> acl Safe_ports port 280        # http-mgmt
>>> acl Safe_ports port 488        # gss-http
>>> acl Safe_ports port 591        # filemaker
>>> acl Safe_ports port 777        # multiling http
>>> acl CONNECT method CONNECT
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localhost manager
>>> http_access deny manager
>>> http_access allow localhost
>>> http_access deny all
>>> http_port 3128
>>> coredump_dir /var/spool/squid
>>>
>>> refresh_pattern ^ftp:        1440    20%    10080
>>> refresh_pattern ^gopher:    1440    0%    1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
>>> refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
>>> refresh_pattern .        0    20%    4320
>>> -----
>>>
>>> The above lines were default in squid.conf file.
>>>
>>> I have added below lines:
>>>
>>
>> *Where* did you add them? order is important.
>
> I have added the below lines exactly in this order at the end of the
> file squid.conf.
>

That is the wrong place to be adding the http_access part of your custom
config.


>>> -----
>>> icap_enable on
>>> icap_send_client_ip on
>>> icap_send_client_username on
>>> icap_client_username_header X-Authenticated-User
>>> icap_preview_enable on
>>> icap_preview_size 1024
>>>
>>> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/echo
>>> adaptation_access service_req allow all
>>>
>>> icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/echo
>>> adaptation_access service_resp allow all
>>>
>>> acl ncsa src 0.0.0.0/0.0.0.0
>>
>> Don't do that. Use "all" to match any IP address.
>>
>> If you want to match IPv4-only clients there is a special value "ipv4"
>> which is used like so:
>>   acl ipv4_only src ipv4
>>
>> Be careful with these type of control. Different access behaviours for
>> IPv4 and IPv6 is how security bypass issues are created.
>>
>>
>>
>>> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
>>> auth_param basic realm proxy
>>> acl ncsa proxy_auth REQUIRED
>>
>> "ncsa" was already defined as a IP address matching ACL.
>>
>>
>>> http access allow ncsa
>>
>>
>> This will only allow clients who are already trying to send credentials.
>> It will not inform clients that they need to and no sane client will
>> broadcast its credential secrets unless it has to.
>>
>> To have HTTP auth work in the usual way it is best to *deny*
>> non-authenticated traffic and allow based on any other criteria you
>> have. Like so:
>>
>>   http_access deny !ncsa
>>   http_access allow localnet
>>
>> or
>>
>>   http_access deny !ncsa
>>   http_access allow ncsa
>
> So I changed the configuration according to what you suggested and now
> I can access the internet.
> Below is how the configuration now looks like:
>
> acl ncsa src all

That is the same as the built-in "all" ACL ...


> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
> auth_param basic realm proxy
> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated ncsa

... which makes the above line same as:

  http_access allow authenticated all

Which actively *prevents* Squid from requesting credentials from clients.

>
> I am able to access the internet now, does this mean that everything
> worked fine?

No. There are many ways to configure Squid to allow traffic through.
Most of them do not in any way match your policy.


> I am asking because I will be using this proxy
> authentication setup in c-icap for setting up the url_check service.
> Also I am not prompted for any password, I am able to access the
> internet just like that. Is that how it is supposed to work

It is what you have currently configured to happen.
I wrote earlier that you needed something like this:

  http_access deny !ncsa
  http_access allow localnet


That needs to be in sequence with the other http_access rules in your
config:


  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost manager
  http_access deny manager

  acl authenticated proxy_auth REQUIRED
  http_access deny !authenticated

  http_access allow localhost
  http_access deny all


> because if
> I don't need to enter the password before browsing the web what would
> be the point of it all. Right? or am I missing something here?

You are missing the order http_access rules are applied.


> I have been using this article for reference
> http://hevi.info/do-it-yourself/install-and-setup-squid3-on-ubuntu-14-04-with-authentication/
>

Please notice that, while the individual steps of the tutorial itself are
correct, they omit very important details like where to place the config
settings. Like I said at the beginning, order is important.
And the follow-up comments are from people with non-working setups or
wrong answers.

The Squid wiki contains the authoritative information on how to use HTTP
authentication in Squid
<https://wiki.squid-cache.org/Features/Authentication>


Amos
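To make the ordering point from Amos's two replies concrete, here is an added Python simulator of Squid's first-match http_access evaluation (example code written for this page, not Squid's own code and not from any poster). It runs the thread's attempt, where the auth rule was appended after "deny all", against the sequence Amos gives above, and the same evaluator covers his earlier "deny !ncsa" form. The Safe_ports, CONNECT and manager rules are left out because they do not affect a plain GET from the browser, and the 407 challenge is modelled on Squid's documented handling of proxy_auth ACLs.

```python
from dataclasses import dataclass

@dataclass
class Request:
    src: str
    has_credentials: bool  # True when a Proxy-Authorization header was sent

# ACLs from the thread's squid.conf. 'ncsa' here is 'acl ncsa src all',
# which matches every client exactly like the built-in 'all' ACL.
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r.src in ("127.0.0.1", "::1"),
    "ncsa": lambda r: True,
    "authenticated": lambda r: r.has_credentials,  # acl ... proxy_auth REQUIRED
}
AUTH_ACLS = {"authenticated"}  # proxy_auth ACLs can trigger a 407 challenge

def http_access(rules, req):
    """Walk the http_access lines in order; the first line whose ACL terms
    all match decides ('!' negates a term). If no line matches, Squid uses
    the opposite of the last line's action. Returns (decision, rule)."""
    last_acl = None
    for action, terms in rules:
        matched = True
        for term in terms:
            name = term.lstrip("!")
            last_acl = name
            hit = ACLS[name](req)
            if term.startswith("!"):
                hit = not hit
            if not hit:
                matched = False
                break
        if matched:
            rule_text = f"{action} {' '.join(terms)}"
            # Squid challenges the client (407) only when the deciding ACL
            # is a proxy_auth ACL and the client sent no credentials.
            if action == "deny" and last_acl in AUTH_ACLS and not req.has_credentials:
                return "407 challenge", rule_text
            return action, rule_text
    return ("deny" if rules[-1][0] == "allow" else "allow"), "no rule matched"

# Port, CONNECT and manager rules omitted: they do not affect a plain GET.
# The thread's first attempt: the auth rule appended *after* 'deny all'.
BROKEN = [
    ("allow", ["localhost"]),
    ("deny", ["all"]),
    ("allow", ["authenticated", "ncsa"]),  # never reached
]
# The sequence Amos gives: deny unauthenticated traffic before any allow.
FIXED = [
    ("deny", ["!authenticated"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]
```

With BROKEN, a browser on 127.0.0.1 is allowed by "allow localhost" before the auth rule is ever consulted, which is exactly why no password prompt appeared; with FIXED the same client gets a 407 challenge first.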