Re: Squid authentication problem (Amos Jeffries)

Sonya Roy
Hi,

From what I saw with using IP as part of the authentication, it checks which IP the user is connecting to the server from. What I want to check is which public IP of the server the user is connecting to.

If someone connects to the server's IP address x.x.x.x, I want the outgoing traffic to go through the same IP address x.x.x.x. That's why I put an acl rule for each public IP of the server and specified the tcp_outgoing_address for each of them.

So, for example, if the server has say 50 public IP addresses, I want to create a user who will be able to connect to 25 of them and another to the other 25.

I hope this clarifies my original question.

With regards,
Sonya Roy.

On Mon, Jun 19, 2017 at 5:30 PM, <[hidden email]> wrote:

Today's Topics:

   1. Re: Squid authentication problem (Amos Jeffries)
   2. Re: squid 4.0.20 does not recognize ssl-bump option.
      (Alex Rousskov)
   3. Re: squid 4.0.20 does not recognize ssl-bump option.
      (Amos Jeffries)


----------------------------------------------------------------------

Message: 1
Date: Mon, 19 Jun 2017 00:56:31 +1200
From: Amos Jeffries <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] Squid authentication problem
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=utf-8; format=flowed


On 18/06/17 17:50, Sonya Roy wrote:
> Hi,
>
> I am running squid on a server with multiple public IPs and I want
> some users to be able to access the proxy through some of the IPs and
> other users through other IPs.
>
> At the moment I have acl rules of the form:-
> acl abcd myip x.x.x.x
>

What you need is an ACL that compares the username to the IP.

<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_file_userip_acl.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_edirectory_userip_acl.html>
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_sql_session_acl.html>

or the new 'extras' feature for authenticators in Squid-3.5 that lets
them use the IP as part of the auth approval. Though with this the thing
to be aware of is that the IP becomes like a scope for the user login -
the wrong IP being used to login from results in re-auth challenge just
as would be seen if the password was wrong. So use carefully.
  <http://www.squid-cache.org/Doc/config/auth_param/>
  <http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.2>

> and for these acl rules I have these tcp_outgoing_address:-
> tcp_outgoing_address x.x.x.x abcd
>

Why limit the outgoing? In HTTP that is independent of the incoming
connection and restricting it will lower performance.

> And earlier I had proxy_auth acl rules separately, but that allowed
> any authenticated users to be able to access the proxy through any of
> those IPs. Since I wanted some users to be able to use the server
> through some IPs and others through different IPs, I tried this in
> those acl rules:-
>
> acl abcd myip x.x.x.x proxy_auth user1

FTR: that will match the IP address x.x.x.x and the IP address(es) of
the servers with hostnames "proxy_auth" and "user1" in your local DNS.

Also, the myip ACL is deprecated because it matched different things
based on the traffic type. myportname or localip ACLs are better if you
need to do this at all. Your "squid -k parse" config checks should warn
you about that.

Amos


------------------------------

Message: 2
Date: Sun, 18 Jun 2017 16:53:15 -0600
From: Alex Rousskov <[hidden email]>
To: meym <[hidden email]>, Squid Users
        <[hidden email]>
Subject: Re: [squid-users] squid 4.0.20 does not recognize ssl-bump
        option.
Message-ID:
        <[hidden email]>
Content-Type: text/plain; charset=koi8-r

On 06/18/2017 09:49 AM, meym wrote:
>> On 06/17/2017 10:09 AM, meym wrote:
>>> Squid Cache: Version 4.0.20
>>> "FATAL: Unknown http_port option 'ssl-bump'."
>>
>> Your Squid thinks it was built without OpenSSL support. OpenSSL support
>> is required for SslBump. Examine your ./configure options and output.

> With libressl actually.

I do not know what you mean by that remark exactly, but what I said
applies to any library providing OpenSSL API, including LibreSSL. Moreover:

* Squid does not know anything about LibreSSL. Somebody added the
letters "LibreSSL" to squid.conf.documented, but that was a mistake IMO.

* Primary SslBump developers do not normally use or test with LibreSSL.

* LibreSSL provides OpenSSL API so you can tell Squid to use LibreSSL as
if it was OpenSSL, and things should work as well as with OpenSSL itself
if (and only if) LibreSSL does a good job providing that OpenSSL API.

* LibreSSL does not do a good job providing OpenSSL API and/or Squid
does not do a good job detecting OpenSSL API variations in a
LibreSSL-compatible way (depending on your point of view). See bug #4662
for more details.

There have been recent improvements in the LibreSSL-compatibility area, but
I am not sure those improvements (or the problems) are in your Squid
version and, at any rate, you are taking significant additional risks by
using LibreSSL with SslBump. Whether those risks are worth using
something other than OpenSSL is your call, of course.

Alex.


------------------------------

Message: 3
Date: Mon, 19 Jun 2017 21:12:57 +1200
From: Amos Jeffries <[hidden email]>
To: [hidden email]
Subject: Re: [squid-users] squid 4.0.20 does not recognize ssl-bump
        option.
Message-ID: <[hidden email]>
Content-Type: text/plain; charset=utf-8; format=flowed

On 19/06/17 10:53, Alex Rousskov wrote:
> On 06/18/2017 09:49 AM, meym wrote:
>>> On 06/17/2017 10:09 AM, meym wrote:
>>>> Squid Cache: Version 4.0.20
>>>> "FATAL: Unknown http_port option 'ssl-bump'."
>>>
>>> Your Squid thinks it was built without OpenSSL support. OpenSSL support
>>> is required for SslBump. Examine your ./configure options and output.
>
>> With libressl actually.
>
> I do not know what you mean by that remark exactly, but what I said
> applies to any library providing OpenSSL API, including LibreSSL.

To clarify that. This Squid is missing the --with-openssl build option,
which is required both by OpenSSL and any library derived from it.

see "squid -v" for the details of a specific squid binary. This will now
distinguish between the OpenSSL vs LibreSSL vs other situation.


> Moreover:
>
> * Squid does not know anything about LibreSSL. Somebody added the
> letters "LibreSSL" to squid.conf.documented, but that was a mistake IMO.

The mentions of LibreSSL in the current file are for things which were
tested before the recent round of LibreSSL issues. Specifically loading
CA certs from a file. AFAIK that should still be working.

ssl-bump is correctly not one of those options mentioning it. Also, note
that the fatal error message does not mention any particular library. It
is about lack of support from *any* library in the current build.

>
> * Primary SslBump developers do not normally use or test with LibreSSL.
>
> * LibreSSL provides OpenSSL API so you can tell Squid to use LibreSSL as
> if it was OpenSSL, and things should work as well as with OpenSSL itself
> if (and only if) LibreSSL does a good job providing that OpenSSL API.
>
> * LibreSSL does not do a good job providing OpenSSL API and/or Squid
> does not do a good job detecting OpenSSL API variations in a
> LibreSSL-compatible way (depending on your point of view). See bug #4662
> for more details.
>
> There have been recent improvements in the LibreSSL-compatibility area, but
> I am not sure those improvements (or the problems) are in your Squid
> version and,

They are. Though the release notes still say "This release does not
support LibreSSL" at present since we have had no positive feedback on
anything actually working yet.


> at any rate, you are taking significant additional risks by
> using LibreSSL with SslBump. Whether those risks are worth using
> something other than OpenSSL is your call, of course.
>

Since the risk here is due to lack of testing... More testing is very
welcome of course. Especially with feedback about what works and what
does not.

Amos


------------------------------

Subject: Digest Footer

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


------------------------------

End of squid-users Digest, Vol 34, Issue 46
*******************************************


Amos Jeffries
Administrator
On 20/06/17 00:09, Sonya Roy wrote:
> Hi,
>
> From what I saw with using IP as part of the authentication, it checks
> which IP the user is connecting to the server from. What I want to check
> is which public IP of the server the user is connecting to.

The IP is whichever one you pass to the various helpers. That is
configurable.

>
> If someone connects to the server's IP address x.x.x.x, I want the
> outgoing traffic to go through the same IP address x.x.x.x. That's why I
> put an acl rule for each public IP of the server and specified the
> tcp_outgoing_address for each of them.
>
> So, for example, if the server has say 50 public IP addresses, I want to
> create a user who will be able to connect to 25 of them and another to
> the other 25.

That is _what_ you are wanting.

My question was _why_ you wanted to do that?

>
> I hope this clarifies my original question.

Your original question was whether there was any workaround for
authentication requiring credentials. I believe my previous post
answered that already.


Cheers
Amos

Sonya Roy
Since you are saying the IP that can be passed to the helpers is configurable, how would I pass the local IP of the server that the client connected to?

I checked out the helpers you mentioned; there they check which IP the connection is coming from, not the local IP of the server that the client is connected to, and they are using %SRC for that.

With regards,
Sonya Roy.


Amos Jeffries
Administrator
On 20/06/17 03:20, Sonya Roy wrote:
> Since you are saying the IP that can be passed to the helpers is
> configurable, how would I pass the local IP of the server that the
> client connected to?
>
> I checked out the helpers you mentioned, there they check which IP the
> connection is coming from. Not the local IP of the server that the
> client is connected to and they are using %SRC for that.

The external ACL helpers don't know one IP from any other. They simply
check what is given to them against some form of username+ip mapping.


In Squid-3.5 that would be %MYADDR
<http://ww.squid-cache.org/Versions/v3/3.5/cfgman/external_acl_type.html>.

In Squid-4+ it would be %>la
<http://ww.squid-cache.org/Versions/v3/3.5/cfgman/logformat.html>

Amos

Amos Jeffries
Administrator
On 20/06/17 09:15, Amos Jeffries wrote:

> On 20/06/17 03:20, Sonya Roy wrote:
>> Since you are saying the IP that can be passed to the helpers is
>> configurable, how would I pass the local IP of the server that the
>> client connected to?
>>
>> I checked out the helpers you mentioned, there they check which IP the
>> connection is coming from. Not the local IP of the server that the
>> client is connected to and they are using %SRC for that.
>
> The external ACL helpers don't know one IP from any other. They simply
> check what is given to them against some form of username+ip mapping.
>

[ with the correct links ]
>
> In Squid-3.5 that would be %MYADDR
> <http://www.squid-cache.org/Versions/v3/3.5/cfgman/external_acl_type.html>.
>
> In Squid-4+ it would be %>la
> <http://www.squid-cache.org/Versions/v3/3.5/cfgman/logformat.html>
>

Amos

Sonya Roy
Hi,

Thanks for the links. So I tried what you suggested and for testing, I was using this simple config:-

http_port 8080
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
external_acl_type checkclient children-max=20 %MYADDR %LOGIN /usr/local/squidauth.py
acl authenticated external checkclient
http_access allow authenticated
cache deny all
forwarded_for delete
request_header_access Via deny all

I made sure that the squidauth.py file was executable and when debugging, I found that the helper processes were running. But nothing was getting passed to the helper processes. In the python code, I was running a loop which reads lines from stdin, parses them and writes output to stdout. I checked and it wasn't getting anything from stdin. (I added a line which reads the input line from stdin and sends it to another server through an HTTP request, to check whether it was getting anything from stdin at all.)

But, when I tried to use the proxy (and of course I was using a username and password that was stored in /etc/squid/passwords), I kept getting the error that authentication was required, i.e. the server was sending back the header Proxy-Authenticate: Basic realm="proxy". I am not sure what I am doing wrong here.

With regards,
Sonya Roy


Amos Jeffries
Administrator

On 20/06/17 10:50, Sonya Roy wrote:

> Hi,
>
> Thanks for the links. So I tried what you suggested and for testing, I
> was using this simple config:-
>
> http_port 8080
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
> auth_param basic realm proxy
> external_acl_type checkclient children-max=20 %MYADDR %LOGIN
> /usr/local/squidauth.py
> acl authenticated external checkclient
> http_access allow authenticated
> cache deny all
> forwarded_for delete
> request_header_access Via deny all
>
> I made sure that the squidauth.py file was executable and when
> debugging, I found that the helper processes were running. But nothing
> was getting passed to the helper processes. In the python code, I was
> running a loop which reads lines from the stdin and parses them and
> writes output to the stdout. I checked and it wasn't getting anything
> from stdin. (I added a line which reads the input line from stdin and
> sends it to another server through a http request to make sure if it was
> getting anything from stdin at all)
>
> But, when I tried to use the proxy (and of course I was using a username
> and password that was stored in /etc/squid/passwords), I kept getting
> the error that authentication was required, i.e. the server was sending back
> the header Proxy-Authenticate: Basic realm="proxy". I am not sure what I
> am doing wrong here.

Sounds to me like the auth_param helper is not accepting the credentials
you are testing with. The %LOGIN parameter needs auth to be completed
successfully before the ACL helper is called with the resulting username.

Note that the NCSA helper uses a database file (/etc/squid/passwords) of
hashes encoded by the Apache htpasswd tool. It is neither a plain-text nor a
Unix passwd file; that difference catches some people out.


To simplify what is going on I would use the following config sequence:

  acl login proxy_auth REQUIRED
  http_access deny !login

  acl userip_check external checkclient
  http_access allow userip_check

  http_access deny all


Amos
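An added example of the helper this thread is building, not code from the thread or from the Squid project: a Python external_acl_type helper that allows a login only on the server-side IPs assigned to that user, so that Amos's "acl userip_check external checkclient" sequence above does the per-user, per-local-IP check Sonya asked for. It assumes the token order from Sonya's config, %MYADDR %LOGIN (on Squid-4+ the first token is %>la, as Amos noted), the usual helper line protocol (one request per stdin line, one OK/ERR/BH reply per stdout line, with a leading channel-ID only when concurrency= is configured), and that Squid URL-encodes the token values (decoding is harmless if it does not). The username-to-IP table and the addresses are constructed for the example.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: allow a login only on the local server IPs
assigned to that user.

Added example, not code from the squid-users thread or from the Squid project.
Wire it up as in the thread (Squid-3.5 token %MYADDR; on Squid-4+ use %>la):

    external_acl_type checkclient children-max=20 %MYADDR %LOGIN /usr/local/squidauth.py
    acl login proxy_auth REQUIRED
    http_access deny !login
    acl userip_check external checkclient
    http_access allow userip_check
    http_access deny all
"""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed table for the example: username -> server-side IPs that user
# may connect to. In production load this from a file or database.
ALLOWED = {
    "user1": {"192.0.2.10", "192.0.2.11"},
    "user2": {"192.0.2.20"},
}


def normalize(text):
    """Parse an address and fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to
    IPv4 so it compares equal to the dotted form in ALLOWED. Raises
    ValueError for anything that is not an IP literal (hostname, garbage)."""
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def decide(line, allowed=ALLOWED):
    """Compute the reply for one request line.

    Request: "[channel-ID] <local-ip> <login>". Squid prepends the numeric
    channel-ID only when concurrency=N is configured; an IP literal always
    contains '.' or ':', so a purely numeric first field can only be the ID.
    Field values are assumed URL-encoded by Squid and are decoded here.
    Replies: "OK" (allow), "ERR" (deny), "BH" (helper could not decide, so
    Squid logs an error instead of silently allowing or denying), each
    prefixed with the channel-ID when one was given."""
    fields = line.strip().split()
    prefix = ""
    if fields and fields[0].isdigit():
        prefix = fields.pop(0) + " "
    if len(fields) != 2:
        return prefix + "BH"
    try:
        local_ip = normalize(unquote(fields[0]))
    except ValueError:
        return prefix + "BH"
    user = unquote(fields[1])
    return prefix + ("OK" if local_ip in allowed.get(user, ()) else "ERR")


def main():
    # Squid keeps the helper running and writes one request per line. Each
    # reply must be flushed at once; a buffered reply looks like a hung helper.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because %LOGIN is only filled in after proxy_auth has succeeded (the point Amos makes above), with the "http_access deny !login" line first the helper never sees an unauthenticated request; a wrong password produces the Proxy-Authenticate challenge before this helper is consulted at all. To exercise it outside Squid, pipe a request line into it, e.g. printf '192.0.2.10 user1\n' | /usr/local/squidauth.py, and expect OK on that line and ERR for a user whose set does not contain that local IP. The per-IP tcp_outgoing_address rules for pinning outgoing traffic to the same address stay separate from this check.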

Sonya Roy
Thanks for all the help. I just checked the /etc/squid/passwords file; it turns out I mistakenly used htpasswd -c when saving the last username and password, and all the previous ones got overwritten.

After fixing that, the config file I wrote earlier worked fine.

With regards,
Sonya Roy
