Re: acl problem (Amos Jeffries)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: acl problem (Amos Jeffries)

Alex Gutiérrez Martínez

Thanks for answering Mr. Jeffries, I just applied his recommendations, I changed the "allow basic_ldap_auth" rule to "deny! Basic_ldap_auth", I also left the acl names denied and removed their respective "acl deny rule" and the rule "http_access deny I left it on the last line. Although I did not give problems the "squid3 -k parse". But the link to the ldap suddenly stopped working, searching at "http://www.squid-cache.org/Doc/config/" I saw that I had to change the parameter "external_acl_type Group" to "external_acl_type ldap_group" . The Ldap user password has not change and there are other applications that are using the ldap correctly at this time, any sugestions?

Here is a copy of my current configuration file


#Escondemos la version del squid
httpd_suppress_version_string on
#nombre que queremos que muestre el squid como nuestro host
visible_hostname Hermes
#no permitimos que nada pase por nuestro proxy
via off
forwarded_for off
follow_x_forwarded_for deny all
#puertos que permitiremos
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
# Permitimos los puertos inseguros
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
debug_options ALL,9
########################################################
#auth ldap#
########################################################
auth_param basic program /usr/lib/squid3/basic_ldap_auth  -P  -R -b "dc=empresa,dc=cuba,dc=cu" -D cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu -W /etc/squid3/clave.txt -f sAMAccountName=%s -v 3 -s sub -h 172.16.4.10
external_acl_type Group %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -b "dc=empresa,dc=cuba,dc=cu" -D cn=cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu -W /etc/squid3/clave.txt -f "(&(objectclass=user)(sAMAccountName=%u) (memberof=cn=%g,dc=empresa,dc=cuba,dc=cu))" -h 172.16.4.10
#######################################################
#auth que no funcionan y deben arreglarse
##########################################################
auth_param basic children 10
auth_param basic realm hermes.empresa.cuba.cu
auth_param basic credentialsttl 2 hour
acl basic_ldap_auth proxy_auth REQUIRED
http_access deny !basic_ldap_auth
#http_access deny all
########################################################
#restricciones selectivas#
########################################################
acl dmz src 172.16.4.0/27
acl navegacion src 192.168.9.0/24
acl full external Group InternetFull
acl limitado external Group InternetLimitado
acl sociales dstdomain -n "/etc/squid3/bloqueo/sociales"
acl extensiones urlpath_regex -i "/etc/squid3/bloqueo/listaextensiones"
http_access deny !full sociales
http_access deny !full !limitado navegacion
http_access deny !full dmz
########################################################
#restricciones obligadas#
########################################################
#acl blacklist url_regex -i "/etc/squid3/listanegra"
#http_access deny blacklist
acl bl7 dstdomain -n "/etc/squid3/bloqueo/correos"
#http_access allow full !limitado bl7
acl bl1 url_regex -i "/etc/squid3/bloqueo/porno"
#http_access deny bl1
acl bl2 url_regex -i "/etc/squid3/bloqueo/android"
#http_access deny bl2
acl bl3 url_regex -i "/etc/squid3/bloqueo/prox1"
#http_access deny bl3
acl bl4 url_regex -i "/etc/squid3/bloqueo/prox2"
#http_access deny bl4
acl bl5 url_regex -i "/etc/squid3/bloqueo/prox3"
#http_access deny bl5
acl bl6 url_regex -i "/etc/squid3/bloqueo/prox4"
#http_access deny bl6
#acl ladmin src "/etc/squid3/ladmin"
#########################################################################
#proxy_padre #
#########################################################################
cache_peer 172.16.1.24 parent 8000 0
#nunca permitimos conexiones directas, siempre a traves del proxy
never_direct allow all
#######################################################################
# puerto en que el proxy nos escuchara
http_port 3128
###############################################################################
maximum_object_size 100 MB
cache_dir aufs /var/cache/squid3 1024000 16 256
cache_mem 128 MB
cache_store_log /var/cache/squid3/cache_store.log
coredump_dir /var/cache/squid3/dump
#minimum_expiry_time 600 seconds
############################
client_db off
offline_mode off
cache_swap_low 5
cache_swap_high 10
cache_replacement_policy heap GDSF
maximum_object_size_in_memory 256 KB
chunked_request_body_max_size 4096 KB
half_closed_clients off
quick_abort_min 2 KB
############################
# establecemos los archivos de volcado en /var/cache/squid3/
coredump_dir /var/cache/squid3/
###############################################################################
#Establecemos los patrones de refrescamiento de la cache #
#patron de refrescamiento -- tipo de archivo -- tiempo del objeto -- %de refrescamiento -- tiempo #
#1440 minutos equivalen a 24 horas #
###############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i .(gif|png|jpg|jpeg|ico)$ 10080 20% 43200 override-expire ignore-no-store ignore-private
refresh_pattern -i .(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 20% 432000 override-expire ignore-no-store ignore-private
#refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320
max_filedescriptors 3200
##cuanto el squid intenta cachear en mi nombre
read_ahead_gap 256 KB
#################
#sqstat
#################
#acl manager proto cache_object
# replace 10.0.0.1 with your webserver IP
acl webserver src 172.16.4.25/27
http_access allow manager webserver
http_access allow localhost manager
http_access deny manager
###############################################################################
#Delay#
###############################################################################
client_delay_initial_bucket_level 60
delay_initial_bucket_level 75
delay_pools 2
memory_pools off

#Canal 1 extensiones.
delay_class 1 2
delay_parameters 1 16384/32768 8192/16384
delay_access 1 allow sociales extensiones
delay_access 1 deny all

#Canal 2 para usuarios.
delay_class 2 2
delay_parameters 2 65536/65536 32768/32768
delay_access 2 allow navegacion
delay_access 2 deny all
http_access deny all
#end of line
####################################################################################




PD: Please forgive my english, it's no my native language.

-- 
Saludos Cordiales

Lic. Alex Gutiérrez Martínez

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: acl problem (Amos Jeffries)

Amos Jeffries
Administrator
On 01/09/17 00:44, Alex Gutiérrez Martínez wrote:
> Thanks for answering Mr. Jeffries, I just applied his recommendations, I
> changed the "allow basic_ldap_auth" rule to "deny! Basic_ldap_auth",

Good.

> I
> also left the acl names denied and removed their respective "acl deny
> rule" and the rule "http_access deny I left it on the last line.

Hmm. I assume you are referring to the commenting out of the needless
denies I mentioned. That looks okay now.

> Although I did not give problems the "squid3 -k parse". But the link to
> the ldap suddenly stopped working, searching at
> "http://www.squid-cache.org/Doc/config/" I saw that I had to change the
> parameter "external_acl_type Group" to "external_acl_type ldap_group" .

No, you can use any name you like for that parameter.

The first parameter of the external_acl_type directive is just a custom
name / label to refer to that particular external helper in the acl
lines later.

For example:

  external_acl_type foo ...

  acl ... external foo ...


> The Ldap user password has not change and there are other applications
> that are using the ldap correctly at this time, any sugestions?
>

I see you also changed the rules giving permission for 'full' group to
access the proxy. That change broke a few things.


> Here is a copy of my current configuration file
>
>
> #Escondemos la version del squid
> httpd_suppress_version_string on
> #nombre que queremos que muestre el squid como nuestro host
> visible_hostname Hermes
> #no permitimos que nada pase por nuestro proxy
> via off
> forwarded_for off
> follow_x_forwarded_for deny all
> #puertos que permitiremos
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow localhost manager
> http_access deny manager

You have another set of rules at the bottom of the config for manager
access. These rules let sqstat etc through without logging in, the ones
at the bottom require login.

If you need sqstat etc to login, then remove these manger lines.

If you need sqstat etc to get through without login. Then:
  * remove the above lines, and
  * move the sqstat rules from the bottom of the config up to just below
the CONNECT rule below here.

> # Permitimos los puertos inseguros
> http_access allow !Safe_ports
> http_access allow CONNECT !SSL_ports

The above rules are supposed to be _preventing_ hacking attacks through
your proxy. The default lines were very carefully designed to add that
protection without overriding your local policies.
  The change to make the above use "allow" lets anybody through the
proxy without any control (ouch).

Please return that to the default:
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports


Your rules for 'manger' ACL should go somewhere after these rules. (That
Best Practice has changed recently, so the 3.3 default config does not
do it right.)


> debug_options ALL,9
> ########################################################
> #auth ldap#
> ########################################################
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -P  -R -b
> "dc=empresa,dc=cuba,dc=cu" -D cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu
> -W /etc/squid3/clave.txt -f sAMAccountName=%s -v 3 -s sub -h 172.16.4.10
> external_acl_type Group %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -b
> "dc=empresa,dc=cuba,dc=cu" -D
> cn=cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu -W /etc/squid3/clave.txt -f
> "(&(objectclass=user)(sAMAccountName=%u)
> (memberof=cn=%g,dc=empresa,dc=cuba,dc=cu))" -h 172.16.4.10

Is there actually a space in the middle of that -f parameter string?
I'm not very familiar with LDAP syntax, but the other configs I have
seen using it do not have a space there.

NP: If it helps Squid understands line wrapping in squid.conf. Just add
a '\' as the last character and some whitespace at the beginning of the
next line. That can help avoid email wrap problems.


> #######################################################
> #auth que no funcionan y deben arreglarse
> ##########################################################
> auth_param basic children 10
> auth_param basic realm hermes.empresa.cuba.cu
> auth_param basic credentialsttl 2 hour
> acl basic_ldap_auth proxy_auth REQUIRED

> http_access deny !basic_ldap_auth
> #http_access deny all
> ########################################################
> #restricciones selectivas#
> ########################################################
> acl dmz src 172.16.4.0/27
> acl navegacion src 192.168.9.0/24
> acl full external Group InternetFull
> acl limitado external Group InternetLimitado
> acl sociales dstdomain -n "/etc/squid3/bloqueo/sociales"
> acl extensiones urlpath_regex -i "/etc/squid3/bloqueo/listaextensiones"
> http_access deny !full sociales
> http_access deny !full !limitado navegacion
> http_access deny !full dmz


These extra changes are adding some new problems.

Earlier you had some allow lines to let the 'full' group use the proxy.
They were okay [assuming that was what you wanted], only the way they
interacted with the login ACL was broken.

You do need some allow lines to tell Squid what to allow for logged in
users. The order you need for best use of authentication is this:

  # rules for things that do not require authentication
  http_access allow/deny ...

  # require authentication to happen
  http_access deny !login

  # rules for authenticated users
  http_access allow/deny ...

  # prevent any other / unexpected access of the proxy
  http_access deny all


It may help if you write out your policy in human language statements.
Being as simple as you can. Each statement will then usually be an
http_access line and you can shuffle the order around until the config
file 'reads' correctly to both you/us and Squid.

Note: if you find yourself writing 'except' or 'unless' that means there
are probably going to be multiple http_access lines to match your policy
statement, with the exception ones being ordered first.


For example reading your current rules:

 > http_access deny !full sociales

* "everyone not in group full are denied access to sociales domains"

 > http_access deny !full !limitado navegacion

* "everyone not in group full and not in group limitado and on a
navegacion machine are denied"

  -> see how this is very clumsy to write in human language. That
probably means a mistake and things could be simpler.

 > http_access deny !full dmz

* "everyone not in group full and coming from dmz are denied"


It is usually better to design in a way that avoids so many '!' / not
statements. That is both easier for us humans to read and understand,
and usually faster for Squid to process - especially when it has to
pause the transaction and wait for a helper response on each ACL test.

eg. from what you have mentioned so far I think you want to end up with
something like this:

  # ... some rules for anything 'full' group are denied ?

  # otherwise, 'full' group are allowed though unrestricted
  http_access allow full

  # ... things denied to everyone outside the 'full' group
  http_access deny dmz
  http_access deny sociales

  # ... navegacion are allowed if their user is in 'limitado' group
  #     (except to 'sociales' domains)
  http_access allow navegacion limitado

  # no more things are allowed
  http_access deny all



> ########################################################
> #restricciones obligadas#
> ########################################################
> #acl blacklist url_regex -i "/etc/squid3/listanegra"
> #http_access deny blacklist
> acl bl7 dstdomain -n "/etc/squid3/bloqueo/correos"
> #http_access allow full !limitado bl7
> acl bl1 url_regex -i "/etc/squid3/bloqueo/porno"
> #http_access deny bl1
> acl bl2 url_regex -i "/etc/squid3/bloqueo/android"
> #http_access deny bl2
> acl bl3 url_regex -i "/etc/squid3/bloqueo/prox1"
> #http_access deny bl3
> acl bl4 url_regex -i "/etc/squid3/bloqueo/prox2"
> #http_access deny bl4
> acl bl5 url_regex -i "/etc/squid3/bloqueo/prox3"
> #http_access deny bl5
> acl bl6 url_regex -i "/etc/squid3/bloqueo/prox4"
> #http_access deny bl6
> #acl ladmin src "/etc/squid3/ladmin"


> #########################################################################
> #proxy_padre #
> #########################################################################
> cache_peer 172.16.1.24 parent 8000 0
> #nunca permitimos conexiones directas, siempre a traves del proxy
> never_direct allow all
> #######################################################################
> # puerto en que el proxy nos escuchara
> http_port 3128
> ###############################################################################
> maximum_object_size 100 MB
> cache_dir aufs /var/cache/squid3 1024000 16 256
> cache_mem 128 MB
> cache_store_log /var/cache/squid3/cache_store.log
> coredump_dir /var/cache/squid3/dump
> #minimum_expiry_time 600 seconds
> ############################
> client_db off
> offline_mode off
> cache_swap_low 5
> cache_swap_high 10
> cache_replacement_policy heap GDSF
> maximum_object_size_in_memory 256 KB
> chunked_request_body_max_size 4096 KB
> half_closed_clients off
> quick_abort_min 2 KB
> ############################
> # establecemos los archivos de volcado en /var/cache/squid3/
> coredump_dir /var/cache/squid3/
> ###############################################################################
> #Establecemos los patrones de refrescamiento de la cache #
> #patron de refrescamiento -- tipo de archivo -- tiempo del objeto -- %de
> refrescamiento -- tiempo #
> #1440 minutos equivalen a 24 horas #
> ###############################################################################
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i .(gif|png|jpg|jpeg|ico)$ 10080 20% 43200
> override-expire ignore-no-store ignore-private
> refresh_pattern -i .(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 20%
> 432000 override-expire ignore-no-store ignore-private
> #refresh_pattern -i (/cgi-bin/|?) 0 0% 0
> refresh_pattern . 0 20% 4320
> max_filedescriptors 3200
> ##cuanto el squid intenta cachear en mi nombre
> read_ahead_gap 256 KB
> #################
> #sqstat
> #################
> #acl manager proto cache_object
> # replace 10.0.0.1 with your webserver IP
> acl webserver src 172.16.4.25/27
> http_access allow manager webserver
> http_access allow localhost manager
> http_access deny manager
> ###############################################################################
> #Delay#
> ###############################################################################
> client_delay_initial_bucket_level 60
> delay_initial_bucket_level 75
> delay_pools 2
> memory_pools off
>
> #Canal 1 extensiones.
> delay_class 1 2
> delay_parameters 1 16384/32768 8192/16384
> delay_access 1 allow sociales extensiones
> delay_access 1 deny all
>
> #Canal 2 para usuarios.
> delay_class 2 2
> delay_parameters 2 65536/65536 32768/32768
> delay_access 2 allow navegacion
> delay_access 2 deny all
> http_access deny all
> #end of line
> ####################################################################################
>
>
>
>
> PD: Please forgive my english, it's no my native language.
>
> --
> Saludos Cordiales
>
> Lic. Alex Gutiérrez Martínez
>
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users