Protecting squid


Protecting squid

Ben Goz
By the help of God.

Hi,
I tried to open squid with some special port other than the default 3128 port.
But after a while I saw that my squid was being abused by unknown IP addresses so I decided to password protect my squid so that only authorized users could use it.
But it's pretty annoying for the users to enter user/password repeatedly.

Is there any other solution than password protection that only authorized users can have access to my squid server?

Regards,
Ben


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Protecting squid

Antony Stone
On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:

> I tried to open squid with some special port other than the default 3128
> port.

Obscurity is not equivalent to security.

> But after a while I saw that my squid was being abused by unknown IP
> addresses

I'm assuming this means your Squid proxy is accessible from the Internet.

Why?

> so I decided to password protect my squid so that only authorized
> users could use it.
> But it's pretty annoying for the users to enter user/password repeatedly.

What authentication method are you using?  At the very least, a user should
not have to authenticate more than once per browser session - are they saying
that even that is excessive?

> Is there any other solution than password protection that only authorized
> users can have access to my squid server?

Depends what "authorised" means.  Can you define the network range they are
expected to come from, and restrict access only to those IPs?

Tell about your network setup and what you are trying to achieve - we might be
able to suggest solutions.


Antony.

--
The best time to plant a tree is 20 years ago.
The second best time is now.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Protecting squid

Ben Goz

On 11/03/2021 15:50, Antony Stone wrote:

> On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
>
>> I tried to open squid with some special port other than the default 3128
>> port.
> Obscurity is not equivalent to security.
>
>> But after a while I saw that my squid was being abused by unknown IP
>> addresses
> I'm assuming this means your Squid proxy is accessible from the Internet.
>
> Why?
My users access squid via the internet.
>
>> so I decided to password protect my squid so that only authorized
>> users could use it.
>> But it's pretty annoying for the users to enter user/password repeatedly.
> What authentication method are you using?  At the very least, a user should
> not have to authenticate more than once per browser session - are they saying
> that even that is excessive?
Yep.
>
>> Is there any other solution than password protection that only authorized
>> users can have access to my squid server?
> Depends what "authorised" means.  Can you define the network range they are
> expected to come from, and restrict access only to those IPs?
This solution is least preferred because IP ranges can change dynamically.
>
> Tell about your network setup and what you are trying to achieve - we might be
> able to suggest solutions.

End users' machines use some client application while their system proxy
points to the above squid proxy server.

>
>
> Antony.
>
Regards,

Ben


Re: Protecting squid

Amos Jeffries
Administrator
On 12/03/21 3:37 am, Ben Goz wrote:

>
> On 11/03/2021 15:50, Antony Stone wrote:
>> On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
>>
>> Tell about your network setup and what you are trying to achieve - we
>> might be
>> able to suggest solutions.
>
> End users' machines use some client application while their system proxy
> points to the above squid proxy server.
>

Please also provide your squid.conf settings so we can check they
achieve your described need(s) properly. At least any lines starting
with the http_access, auth_param, acl, or external_acl_type directives
would be most useful.

Do not forget to anonymize sensitive details before posting. PLEASE do
so in a way that we can tell whether a hidden value was correct for its
usage, and whether any two hidden values are the same or different.


Amos

Re: Protecting squid

Ben Goz

On 11/03/2021 16:44, Amos Jeffries wrote:

> On 12/03/21 3:37 am, Ben Goz wrote:
>>
>> On 11/03/2021 15:50, Antony Stone wrote:
>>> On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
>>>
>>> Tell about your network setup and what you are trying to achieve -
>>> we might be
>>> able to suggest solutions.
>>
>> End users' machines use some client application while their system
>> proxy points to the above squid proxy server.
>>
>
> Please also provide your squid.conf settings so we can check they
> achieve your described need(s) properly. At least any lines starting
> with the http_access, auth_param, acl, or external_acl_type directives
> would be most useful.
>
> Do not forget to anonymize sensitive details before posting. PLEASE do
> so in a way that we can tell whether a hidden value was correct for
> its usage, and whether any two hidden values are the same or different.


It's a fork of the default configuration with some changes.

# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated

>
>
> Amos

Re: Protecting squid

Alex Rousskov
In reply to this post by Ben Goz
On 3/11/21 9:37 AM, Ben Goz wrote:
> End users' machines use some client application while their system proxy
> points to the above squid proxy server.

Client certificate-based authentication may be the best option if their
system proxy supports it and you do not need to bump user traffic with
SslBump. Otherwise, what authentication options does their system proxy
support (as an HTTP proxy client)?

Alex.

Re: Protecting squid

Amos Jeffries
Administrator
In reply to this post by Ben Goz
On 12/03/21 3:56 am, Ben Goz wrote:

>
> On 11/03/2021 16:44, Amos Jeffries wrote:
>> On 12/03/21 3:37 am, Ben Goz wrote:
>>>
>>> On 11/03/2021 15:50, Antony Stone wrote:
>>>> On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
>>>>
>>>> Tell about your network setup and what you are trying to achieve -
>>>> we might be
>>>> able to suggest solutions.
>>>
>>> End users' machines use some client application while their system
>>> proxy points to the above squid proxy server.
>>>
>>
>> Please also provide your squid.conf settings so we can check they
>> achieve your described need(s) properly. At least any lines starting
>> with the http_access, auth_param, acl, or external_acl_type directives
>> would be most useful.
>>
>> Do not forget to anonymize sensitive details before posting. PLEASE do
>> so in a way that we can tell whether a hidden value was correct for
>> its usage, and whether any two hidden values are the same or different.
>
>
> It's a fork of the default configuration with some changes.
>
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> #http_access deny !Safe_ports
>


Please restore this security protection. It prevents malware abusing
HTTP's similarity to certain other protocols to perform attacks
*through* your proxy.

The default Safe_ports list allows all ports not known to be dangerous,
and all ports above 1024. So it should not have any noticeable effect on
any legitimate HTTP proxy clients - unless there is something really
dodgy happening on your network. If you actually want something like
that happening, then add the appropriate port for that activity to the
Safe_ports list. Do not drop the protection completely.


> # Deny CONNECT to other than secure SSL ports
> #http_access deny CONNECT !SSL_ports
>

The same can be said about this. Except this line is arguably even more
important. CONNECT tunnels can literally contain anything. Let clients
do things by adding ports to the SSL_ports list as-needed.

Please do some due-diligence checks before that to verify you are okay
with all the uses of that port. Even ones you think the client
themselves is unlikely to be doing. Once you open a port here *anyone*
with access to the proxy can do whatever they like on that port.



> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localnet
> http_access allow localhost
>
> auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
> auth_param basic realm proxy

I notice you are missing a line setting the login TTL value.

There is currently a potential problem in the default which means Squid
encounters situations where the credentials are seen as still going to
be valid for hours so do not get refreshed. But garbage collection
decides to throw them away.

This may not be related to the complaints you reported getting. But
should be fixed to ensure the side effect of having to re-authenticate
users does not complicate your actual problem.

"auth_param basic credentialsttl ..." sets how often Squid will re-check
your auth system to confirm the user is still allowed. Default: 2 hr.

"authenticate_ttl ..." sets how often Squid will try to throw away all
info about old clients being logged in. Default: 1 hr.


> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated
>

I recommend a slightly different form of check for logins. It prevents
the situation where a user trying the wrong credentials gets a loop of
popups.

Like so:
  http_access deny !authenticated

That guarantees they are not asked to login again if their software
agent (aka browser, or such) provided or can locate the proper credentials.

After that you can add other rules about what the logged in users can
do. eg allow them to do whatever they want. Like so:
  http_access allow all


Amos
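Amos's points above, gathered into one access-list block in the order Squid evaluates it. This is an added example rather than config from the thread; it assumes the stock acl definitions (Safe_ports, SSL_ports, CONNECT, localnet, localhost, manager) shipped in the default squid.conf, and the weakened lines from Ben's config are shown commented out next to their restored form.

```conf
# Added example, not from the thread. Assumes the stock acl definitions
# from the default squid.conf, roughly:
#   acl SSL_ports port 443
#   acl Safe_ports port 80 21 443 70 210 1025-65535 ...
#   acl CONNECT method CONNECT
#   acl localnet src <your internal ranges>

# Weakened form from the posted config: with both lines commented out any
# client with proxy access can reach any port and tunnel anything via CONNECT.
#   #http_access deny !Safe_ports
#   #http_access deny CONNECT !SSL_ports
# Restored form: plain requests only to Safe_ports, CONNECT only to SSL_ports.
# Add a port to the relevant list if a legitimate client really needs it.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Cache manager reachable only from the proxy host itself.
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

# Basic auth against the NCSA-style password file, with both TTLs set
# explicitly so the credential re-check and the garbage collection of old
# logins are on known intervals (the defaults Amos quotes: 2 h and 1 h).
auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
auth_param basic realm proxy
auth_param basic credentialsttl 2 hours
authenticate_ttl 1 hour

acl authenticated proxy_auth REQUIRED

# Weakened form: "allow authenticated" followed by the implicit deny gives a
# user with wrong credentials a loop of login popups.
#   http_access allow authenticated
# Restored form: refuse anyone who is not authenticated, then grant the rest.
http_access deny !authenticated
http_access allow all
```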

Re: Protecting squid

Ben Goz

On 12/03/2021 7:13, Amos Jeffries wrote:

> On 12/03/21 3:56 am, Ben Goz wrote:
>>
>> On 11/03/2021 16:44, Amos Jeffries wrote:
>>> On 12/03/21 3:37 am, Ben Goz wrote:
>>>>
>>>> On 11/03/2021 15:50, Antony Stone wrote:
>>>>> On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
>>>>>
>>>>> Tell about your network setup and what you are trying to achieve -
>>>>> we might be
>>>>> able to suggest solutions.
>>>>
>>>> End users' machines use some client application while their system
>>>> proxy points to the above squid proxy server.
>>>>
>>>
>>> Please also provide your squid.conf settings so we can check they
>>> achieve your described need(s) properly. At least any lines starting
>>> with the http_access, auth_param, acl, or external_acl_type
>>> directives would be most useful.
>>>
>>> Do not forget to anonymize sensitive details before posting. PLEASE
>>> do so in a way that we can tell whether a hidden value was correct
>>> for its usage, and whether any two hidden values are the same or
>>> different.
>>
>>
>> It's a fork of the default configuration with some changes.
>>
>> # Recommended minimum Access Permission configuration:
>> #
>> # Deny requests to certain unsafe ports
>> #http_access deny !Safe_ports
>>
>
>
> Please restore this security protection. It prevents malware abusing
> HTTP's similarity to certain other protocols to perform attacks
> *through* your proxy.
>
> The default Safe_ports list allows all ports not known to be
> dangerous, and all ports above 1024. So it should not have any
> noticeable effect on any legitimate HTTP proxy clients - unless
> there is something really dodgy happening on your network. If you
> actually want something like that happening, then add the appropriate
> port for that activity to the Safe_ports list. Do not drop the
> protection completely.
>
>
>> # Deny CONNECT to other than secure SSL ports
>> #http_access deny CONNECT !SSL_ports
>>
>
> The same can be said about this. Except this line is arguably even
> more important. CONNECT tunnels can literally contain anything. Let
> clients do things by adding ports to the SSL_ports list as-needed.
>
> Please do some due-diligence checks before that to verify you are okay
> with all the uses of that port. Even ones you think the client
> themselves is unlikely to be doing. Once you open a port here *anyone*
> with access to the proxy can do whatever they like on that port.
>
>
>
>> # Only allow cachemgr access from localhost
>> http_access allow localhost manager
>> http_access deny manager
>>
>> http_access allow localnet
>> http_access allow localhost
>>
>> auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
>> auth_param basic realm proxy
>
> I notice you are missing a line setting the login TTL value.
>
> There is currently a potential problem in the default which means
> Squid encounters situations where the credentials are seen as still
> going to be valid for hours so do not get refreshed. But garbage
> collection decides to throw them away.
>
> This may not be related to the complaints you reported getting. But
> should be fixed to ensure the side effect of having to re-authenticate
> users does not complicate your actual problem.
>
> "auth_param basic credentialsttl ..." sets how often Squid will
> re-check your auth system to confirm the user is still allowed.
> Default: 2 hr.
>
> "authenticate_ttl ..." sets how often Squid will try to throw away all
> info about old clients being logged in. Default: 1 hr.
>
>
>> acl authenticated proxy_auth REQUIRED
>> http_access allow authenticated
>>
>
> I recommend a slightly different form of check for logins. It prevents
> the situation where a user trying the wrong credentials gets a loop of
> popups.
>
> Like so:
>  http_access deny !authenticated
>
> That guarantees they are not asked to login again if their software
> agent (aka browser, or such) provided or can locate the proper
> credentials.
>
> After that you can add other rules about what the logged in users can
> do. eg allow them to do whatever they want. Like so:
>  http_access allow all

Can I configure the squid authentication TTL per source IP only, ignoring
other parameters, so authentication will be requested only once per TTL
for all the sessions?

>
>
> Amos

Re: Protecting squid

Eliezer Croitoru-3
Hey Ben,

Since you probably don't have 100k users and therefore passwords, it wouldn't do a thing.
Nobody will feel you dropping the TTL.
The content of the credentials file will be in RAM so you should give it a try first and ask later.

All The Bests,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon


-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Ben Goz
Sent: Sunday, March 14, 2021 3:26 PM
To: [hidden email]
Subject: Re: [squid-users] Protecting squid

Re: Protecting squid

Amos Jeffries
Administrator
In reply to this post by Ben Goz
On 15/03/21 2:26 am, Ben Goz wrote:
>
> Can I configure the squid authentication TTL per source IP only, ignoring
> other parameters, so authentication will be requested only once per TTL
> for all the sessions?
>

Not with just authentication. You will need to use a slightly more
complicated system involving an external_acl_type helper as well and
switch to an SQL database auth system.


The idea for that is that you have a database of authenticated users
with their last-known IP address.

  Your auth_param helper is changed to one which takes client IP address
in the auth_param key_extras setting, and adds records to the SQL
database before telling Squid the login is OK.

  Use an ext_sql_session_acl helper which takes IP address and checks
the database to find the username who last authenticated from there.
This needs to be checked and permit existing sessions before the auth
helper.

The config looks something like this:


   # %>a is the logformat code for the client source IP address
   external_acl_type ipuser negative_ttl=0 ttl=7200 %>a \
     /usr/bin/squid/ext_sql_session_acl \
     --dsn "..." --user dbUsername --password dbPassword --persist \
     --usercol username --uidcol ipaddress

   acl user_known external ipuser
   http_access allow user_known


   auth_param basic program /path/to/helper
   auth_param basic key_extras %>a
   auth_param basic credentialsttl 2 hours

   acl authenticated proxy_auth REQUIRED

   http_access allow authenticated



Amos
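The two helper roles Amos describes, written out as an added example (not code from the thread or from the Squid project): the basic auth helper records the client IP it receives via key_extras as a session, and the external ACL helper answers "is this IP still logged in?". It assumes Squid sends the auth helper "username password client_ip" (key_extras set to the client source IP), sends the session helper a bare client IP per line with no concurrency channel, and it replaces the SQL database and NCSA password file with an in-memory SQLite table and a constructed pbkdf2 credential table.

```python
"""Added example: Squid auth helper + external ACL session helper sharing a
session store keyed by client IP. Assumptions (all constructed here):
  * auth_param basic key_extras is the client source IP, so the auth
    helper line is  "username password client_ip";
  * the external_acl_type format passes only the client IP (no concurrency);
  * credentials are a small pbkdf2 table, sessions an in-memory SQLite table.
"""
import hashlib
import hmac
import os
import sqlite3
import sys
import time
from urllib.parse import unquote

SESSION_TTL = 7200  # seconds; matches ttl=7200 on the external_acl_type line


def _pw(password: str, salt: bytes = None) -> tuple:
    """Constructed credential record: (salt, pbkdf2-sha256 digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": _pw("correct horse"), "bob": _pw("hunter2")}  # constructed


def open_db() -> sqlite3.Connection:
    """Session table: last-known client IP -> username and login timestamp."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (ip TEXT PRIMARY KEY, username TEXT, ts INTEGER)")
    return db


def handle_auth_line(line: str, db: sqlite3.Connection, now: float = None) -> str:
    """Basic auth helper protocol: 'user pass extras' in, 'OK' or 'ERR' out.
    Squid URL-encodes user and password, hence the unquote(). On success the
    client IP carried in the extras field is recorded as a live session."""
    now = time.time() if now is None else now
    parts = line.rstrip("\n").split(" ")
    if len(parts) < 3:
        return "ERR message=malformed"  # never treat a short line as a login
    user, password, ip = unquote(parts[0]), unquote(parts[1]), parts[2]
    rec = USERS.get(user)
    if rec is None:
        return "ERR"
    salt, want = rec
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(got, want):
        return "ERR"
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)", (ip, user, int(now)))
    db.commit()
    return "OK"


def handle_session_line(line: str, db: sqlite3.Connection, now: float = None) -> str:
    """External ACL helper protocol: client IP in, 'OK user=<name>' if that IP
    authenticated within SESSION_TTL, otherwise 'ERR'. Stale rows are deleted
    so an expired session cannot be revived by a later lookup."""
    now = time.time() if now is None else now
    ip = line.strip()
    row = db.execute("SELECT username, ts FROM sessions WHERE ip = ?", (ip,)).fetchone()
    if row is None:
        return "ERR"
    user, ts = row
    if now - ts > SESSION_TTL:
        db.execute("DELETE FROM sessions WHERE ip = ?", (ip,))
        db.commit()
        return "ERR"
    return f"OK user={user}"


if __name__ == "__main__":
    # Invoked from squid.conf as "helper.py auth" or "helper.py session".
    # Each process gets its own in-memory table here; a real deployment
    # points both at one shared SQL database, as in Amos's design.
    handler = handle_auth_line if sys.argv[1:2] == ["auth"] else handle_session_line
    conn = open_db()
    for raw in sys.stdin:
        sys.stdout.write(handler(raw, conn) + "\n")
        sys.stdout.flush()
```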

Re: Protecting squid

Ben Goz
By the help of God.


Hi Amos,

Sounds interesting.

Maybe I should modify the external_acl_type to talk with internal API
inside my system.

Can you please point me to some code examples and documentation?

Also if you can please point me to squid code that invokes the external
ACL program?

Thanks,

Ben

On 15/03/2021 15:27, Amos Jeffries wrote:

> On 15/03/21 2:26 am, Ben Goz wrote:
>>
>> Can I configure the squid authentication TTL per source IP only,
>> ignoring other parameters, so authentication will be requested only
>> once per TTL for all the sessions?
>>
>
> Not with just authentication. You will need to use a slightly more
> complicated system involving an external_acl_type helper as well and
> switch to an SQL database auth system.
>
>
> The idea for that is that you have a database of authenticated users
> with their last-known IP address.
>
>  Your auth_param helper is changed to one which takes client IP
> address in the auth_param key_extras setting, and adds records to the
> SQL database before telling Squid the login is OK.
>
>  Use an ext_sql_session_acl helper which takes IP address and checks
> the database to find the username who last authenticated from there.
> This needs to be checked and permit existing sessions before the auth
> helper.
>
> The config looks something like this:
>
>
>   # %>a is the logformat code for the client source IP address
>   external_acl_type ipuser negative_ttl=0 ttl=7200 %>a \
>     /usr/bin/squid/ext_sql_session_acl \
>     --dsn "..." --user dbUsername --password dbPassword --persist \
>     --usercol username --uidcol ipaddress
>
>   acl user_known external ipuser
>   http_access allow user_known
>
>
>   auth_param basic program /path/to/helper
>   auth_param basic key_extras %>a
>   auth_param basic credentialsttl 2 hours
>
>   acl authenticated proxy_auth REQUIRED
>
>   http_access allow authenticated
>
>
>
> Amos

Re: Protecting squid

Amos Jeffries
Administrator
On 18/03/21 2:54 am, Ben Goz wrote:
> Hi Amos,
>
> Sounds interesting.
>
> Maybe I should modify the external_acl_type to talk with internal API
> inside my system.

You do not need to modify any Squid code.

You provide a helper process to translate between Squid APIs and some
internal system API. see
<https://wiki.squid-cache.org/Features/AddonHelpers> for details on the
Squid APIs.

Though as I posted, there are likely already some helpers you can find
(maybe bundled with Squid) which interface with your internal systems.


Amos