By the help of God.

Hi,

I tried to open squid with some special port other than the default 3128 port. But after a while I saw that my squid was being abused by unknown IP addresses, so I decided to password protect my squid so that only authorized users could use it.

But it's pretty annoying for the users to enter user/password repeatedly. Is there any other solution than password protection so that only authorized users can have access to my squid server?

Regards,
Ben

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:

> I tried to open squid with some special port other than the default 3128
> port.

Obscurity is not equivalent to security.

> But after a while I saw that my squid was being abused by unknown IP
> addresses

I'm assuming this means your Squid proxy is accessible from the Internet.

Why?

> so I decided to password protect my squid so that only authorized
> users could use it.
> But it's pretty annoying for the users to enter user/password repeatedly.

What authentication method are you using? At the very least, a user should not have to authenticate more than once per browser session - are they saying that even that is excessive?

> Is there any other solution than password protection that only authorized
> users can have access to my squid server?

Depends what "authorised" means. Can you define the network range they are expected to come from, and restrict access only to those IPs?

Tell about your network setup and what you are trying to achieve - we might be able to suggest solutions.

Antony.

--
The best time to plant a tree is 20 years ago. The second best time is now.

Please reply to the list; please *don't* CC me.
On 11/03/2021 15:50, Antony Stone wrote:
> On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
>
>> I tried to open squid with some special port other than the default 3128
>> port.
> Obscurity is not equivalent to security.
>
>> But after a while I saw that my squid was being abused by unknown IP
>> addresses
> I'm assuming this means your Squid proxy is accessible from the Internet.
>
> Why?
>
>> so I decided to password protect my squid so that only authorized
>> users could use it.
>> But it's pretty annoying for the users to enter user/password repeatedly.
> What authentication method are you using? At the very least, a user should
> not have to authenticate more than once per browser session - are they saying
> that even that is excessive?

Yep.

>> Is there any other solution than password protection that only authorized
>> users can have access to my squid server?
> Depends what "authorised" means. Can you define the network range they are
> expected to come from, and restrict access only to those IPs?

This solution is the least preferred because the IP range can change dynamically.

> Tell about your network setup and what you are trying to achieve - we might be
> able to suggest solutions.

End-user machines use some client application while their system proxy points to the above squid proxy server.

> Antony.

Regards,
Ben
On 12/03/21 3:37 am, Ben Goz wrote:
> On 11/03/2021 15:50, Antony Stone wrote:
>> Tell about your network setup and what you are trying to achieve - we
>> might be able to suggest solutions.
>
> End users machine using some client application while their system proxy
> points to the above squid proxy server.

Please also provide your squid.conf settings so we can check they achieve your described need(s) properly. At least any lines starting with the http_access, auth_param, acl, or external_acl_type directives would be most useful.

Do not forget to anonymize sensitive details before posting. PLEASE do so in a way that we can tell whether a hidden value was correct for its usage, and whether any two hidden values are the same or different.

Amos
On 11/03/2021 16:44, Amos Jeffries wrote:
> Please also provide your squid.conf settings so we can check they
> achieve your described need(s) properly. At least any lines starting
> with the http_access, auth_param, acl, or external_acl_type directives
> would be most useful.
>
> Do not forget to anonymize sensitive details before posting. PLEASE do
> so in a way that we can tell whether a hidden value was correct for
> its usage, and whether any two hidden values are the same or different.

It's a fork of the default configuration with some changes.

# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
auth_param basic realm proxy

acl authenticated proxy_auth REQUIRED
http_access allow authenticated

> Amos
On 3/11/21 9:37 AM, Ben Goz wrote:
> End users machine using some client application while their system proxy
> points to the above squid proxy server.

Client certificate-based authentication may be the best option if their system proxy supports it and you do not need to bump user traffic with SslBump.

Otherwise, what authentication options does their system proxy support (as an HTTP proxy client)?

Alex.
On 12/03/21 3:56 am, Ben Goz wrote:
> It's fork of default configuration with some changes.
>
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> #http_access deny !Safe_ports

Please restore this security protection. It prevents malware abusing HTTP's similarity to certain other protocols to perform attacks *through* your proxy.

The default Safe_ports list allows all ports not known to be dangerous, and all ports above 1024. So it should not have any noticeable effect on any legitimate HTTP proxy clients - unless there is something really dodgy happening on your network. If you actually want something like that happening, then add the appropriate port for that activity to the Safe_ports list. Do not drop the protection completely.

> # Deny CONNECT to other than secure SSL ports
> #http_access deny CONNECT !SSL_ports

The same can be said about this. Except this line is arguably even more important. CONNECT tunnels can literally contain anything. Let clients do things by adding ports to the SSL_ports list as-needed.

Please do some due-diligence checks before that to verify you are okay with all the uses of that port. Even ones you think the client themselves is unlikely to be doing. Once you open a port here *anyone* with access to the proxy can do whatever they like on that port.

> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localnet
> http_access allow localhost
>
> auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth
> /usr/local/squid/etc/passwd
> auth_param basic realm proxy

I notice you are missing a line setting the login TTL value.

There is currently a potential problem in the default which means Squid encounters situations where the credentials are seen as still going to be valid for hours so do not get refreshed. But garbage collection decides to throw them away.

This may not be related to the complaints you reported getting. But it should be fixed to ensure the side effect of having to re-authenticate users does not complicate your actual problem.

"auth_param basic credentialsttl ..." sets how often Squid will re-check your auth system to confirm the user is still allowed. Default: 2 hr.

"authenticate_ttl ..." sets how often Squid will try to throw away all info about old clients being logged in. Default: 1 hr.

> acl authenticated proxy_auth REQUIRED
> http_access allow authenticated

I recommend a slightly different form of check for logins. It prevents the situation where a user trying the wrong credentials gets a loop of popups.

Like so:
  http_access deny !authenticated

That guarantees they are not asked to login again if their software agent (aka browser, or such) provided or can locate the proper credentials.

After that you can add other rules about what the logged in users can do. eg allow them to do whatever they want. Like so:
  http_access allow all

Amos
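As an added example (not part of the thread, and not Ben's or Amos's actual configuration), here is the access-control section of the posted squid.conf rebuilt along the lines Amos recommends, so the weak version above can be compared with a corrected one. The port lists are the stock ones from squid.conf.default; the TTL values and the choice not to carry over the unauthenticated "allow localnet" line are assumptions.

```conf
# --- port hygiene (stock lists from squid.conf.default) ---
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Restored from the posted config, where both were commented out:
# stop plain-HTTP relaying to ports that speak other protocols, and
# stop CONNECT tunnels to anything but TLS ports. Extend the lists
# per port, after checking what else listens there; never drop the rules.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Cache manager only from the box itself
http_access allow localhost manager
http_access deny manager

# Local admin traffic skips authentication (assumption; "allow localnet"
# from the posted config is deliberately not carried over, because on an
# Internet-facing proxy every remote client should have to log in)
http_access allow localhost

auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth /usr/local/squid/etc/passwd
auth_param basic realm proxy
# Both TTLs set explicitly (assumed values). authenticate_ttl is kept at
# least as long as credentialsttl so the garbage collector, rather than a
# real credential re-check, is not what logs users out.
auth_param basic credentialsttl 2 hours
authenticate_ttl 2 hours

acl authenticated proxy_auth REQUIRED

# Challenge first: a request without valid credentials gets the 407 here
# and goes no further. Everything below therefore runs for logged-in users
# only, which is where any per-user policy would go.
http_access deny !authenticated
http_access allow all
```

Order matters: the Safe_ports and CONNECT denials sit above every allow rule so that even an authenticated user cannot turn the proxy into a relay for arbitrary TCP ports, and "deny !authenticated" precedes "allow all" so the catch-all never admits an unauthenticated request.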
On 12/03/2021 7:13, Amos Jeffries wrote:
> "auth_param basic credentialsttl ..." sets how often Squid will
> re-check your auth system to confirm the users is still allowed.
> Default: 2 hr.
>
> "authenticate_ttl ..." sets how often Squid will try to throw away all
> info about old clients being logged in. Default: 1 hr.
>
> [...]
>
> After that you can add other rules about what the logged in users can
> do. eg allow them to do whatever they want. Like so:
> http_access allow all

Can I configure the squid authentication TTL per source IP only, ignoring other parameters, so that authentication will be requested only once per TTL for all the sessions?
Hey Ben,

Since you probably don't have 100k users, and therefore passwords, it wouldn't do a thing. Nobody will feel you dropping the TTL. The content of the credentials file will be in RAM, so you should give it a try first and ask later.

All The Bests,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon

-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Ben Goz
Sent: Sunday, March 14, 2021 3:26 PM
To: [hidden email]
Subject: Re: [squid-users] Protecting squid

[...]

Can I configure squid authentication TTL per only source IP and ignores other parameters so authentication will be requested only once in TTL for all the sessions?
On 15/03/21 2:26 am, Ben Goz wrote:
> Can I configure squid authentication TTL per only source IP and ignores
> other parameters so authentication will be requested only once in TTL
> for all the sessions?

Not with just authentication. You will need to use a slightly more complicated system involving an external_acl_type helper as well and switch to an SQL database auth system.

The idea for that is that you have a database of authenticated users with their last-known IP address.

Your auth_param helper is changed to one which takes the client IP address in the auth_param key_extras setting, and adds records to the SQL database before telling Squid the login is OK.

Use an ext_sql_session_acl helper which takes the IP address and checks the database to find the username who last authenticated from there. This needs to be checked, and permit existing sessions, before the auth helper.

The config looks something like this:

external_acl_type ipuser negative_ttl=0 ttl=7200 %<a \
    /usr/bin/squid/ext_sql_session_acl \
    --dsn "..." --user dbUsername --password dbPassword --persist \
    --usercol username --uidcol ipaddress

acl user_known external ipuser
http_access allow user_known

auth_param basic program /path/to/helper
auth_param basic key_extras %<a
auth_param basic credentialsttl 2 hours

acl authenticated proxy_auth REQUIRED
http_access allow authenticated

Amos
By the help of God.

Hi Amos,

Sounds interesting.

Maybe I should modify the external_acl_type to talk with an internal API inside my system.

Can you please point me to some code examples and documentation? Also, if you can, please point me to the squid code that invokes the external ACL program?

Thanks,
Ben

On 15/03/2021 15:27, Amos Jeffries wrote:
> Not with just authentication. You will need to use a slightly more
> complicated system involving an external_acl_type helper as well and
> switch to an SQL database auth system.
>
> [...]
>
> Use an ext_sql_session_acl helper which takes IP address and checks
> the database to find the username who last authenticated from there.
> This needs to be checked and permit existing sessions before the auth
> helper.
>
> [...]
On 18/03/21 2:54 am, Ben Goz wrote:
> Maybe I should modify the external_acl_type to talk with internal API
> inside my system.

You do not need to modify any Squid code. You provide a helper process to translate between Squid APIs and some internal system API.

See <https://wiki.squid-cache.org/Features/AddonHelpers> for details on the Squid APIs.

Though as I posted, there are likely already some helpers you can find (maybe bundled with Squid) which interface with your internal systems.

Amos