Squid Authentication if URL is on a Blacklist from SquidGuard


Squid Authentication if URL is on a Blacklist from SquidGuard

CrossfireAUT
Hello Squid-Community!

I need your help with a rather non-standard config.
My aim is as follows:
-> Users that use my proxy (will deploy it via group policy in AD) should be able to use my proxy without authentication
-> if a user invokes SquidGuard (he wants to call up a URL on my blacklists), he should get prompted for his username and password
-> only users of the AD-group webusers should be able to continue and go to this site on the blacklist
I know, it isn't the best way to use SquidGuard, but a customer wants it that way.

My current config is as follows:
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f sAMAccountName=%s -h 172.30.0.36
auth_param basic children 10
auth_param basic realm xxxx
auth_param basic credentialsttl 2 hours

external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=xxxx,dc=local))" -h 172.30.0.36

authenticate_ip_ttl 1 second

acl auth proxy_auth REQUIRED
acl no_webusers dstdomain .xxxx.at
acl ldapgroup_webusers external webusers webusers

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access deny !auth
http_access allow no_webusers

http_access allow ldapgroup_webusers

http_access deny all

http_port 3128


url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 4

So my users get prompted for their username/passwords every time they restart their browser.
If they call up a domain on my blacklists, they get ACCESS DENIED.

Does anyone know how you can achieve this?
I think it should be possible with different Orders.
Until now I tried really hard, and thought it would be a good idea to ask the user-list!

Regards,
Kevin

Re: Squid Authentication if URL is on a Blacklist from SquidGuard

Amos Jeffries
Administrator
On 31/03/2017 9:22 p.m., CrossfireAUT wrote:
> Hello Squid-Community!
>
> I need your help with a rather non-standard config.
> My aim is as following:
> -> Users that use my proxy (will deploy it via group policy in AD) should be
> able to use my proxy without authentication

If you have such a thing as AD and the ability to push Group Policy to
the users there is no need to avoid authentication.

Perhaps the client is actually asking to get away from lots of annoying
popups the browsers are forcing on them? If that is happening it is a
strong sign that the authentication system needs fixing. When it works
there should be zero popups.


> -> if a user invokes SquidGuard (he wants to call up a URL on my
> blacklists), he should get prompted for his username and password
> -> only users of the AD-group webusers should be able to continue and go to
> this site on the blacklist
> I know, it isn't the best way to use SquidGuard, but a customer wants it
> that way.

Ewww. Okay. See below....


>
> My current config is as following:
> auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b
> "dc=xxxx,dc=local" -D [hidden email] -W /etc/squid/squid.secrets -f
> sAMAccountName=%s -h 172.30.0.36
> auth_param basic children 10
> auth_param basic realm xxxx
> auth_param basic credentialsttl 2 hours
>
> external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b
> "dc=xxxx,dc=local" -D [hidden email] -W /etc/squid/squid.secrets -f
> "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=xxxx,dc=local))" -h
> 172.30.0.36
>
> authenticate_ip_ttl 1 second
>

Er, credentials are valid for 2 hours, but the "users" are jumping
around between IPs every second?

NP: the authenticate_ip_* stuff is irrelevant unless a maxuserip type
ACL is being used.

>
> acl auth proxy_auth REQUIRED
> acl no_webusers dstdomain .xxxx.at
> acl ldapgroup_webusers external webusers webusers
>
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
>
> http_access deny !auth
> http_access allow no_webusers
>
> http_access allow ldapgroup_webusers
>
> http_access deny all
>
> http_port 3128
>
>
> url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> url_rewrite_children 4
>
>
>
>
> So my users get prompted for their username/passwords every time they restart
> their browser.

Funky.
Have you checked that it is not simply the browser "Password Manager"
feature requesting access to their machine or AD "Domain login" details?

I have seen a few computer-illiterate people confuse their browser
"master password" with some form of password associated with their default
homepage website. This can be particularly bad when the homepage is set
to some popular social media site or search engine.


> If they call up a domain on my blacklists, they get ACCESS DENIED.
>
> Does anyone know how you can achieve this?
> Until now I tried really hard, and thought it would be a good idea to ask the
> user-list!

So, ignoring SG for now, the problem is a matter of access control. That
means the right way to do it is with ACLs in http_access.


To use SG as requested you need to make an external_acl_type helper that
receives the same things SG needs and passes them on to it, mapping the
result back to an OK/ERR result for Squid ACL use.
[IIRC Eliezer has posted a helper that does that to the list.]

Then you can do something like:
  external_acl_type sgMapper ...
  acl testWithSg external sgMapper

  http_access allow testWithSg
  http_access deny !auth
  ...

Note that this does not involve the url_rewrite_* API. You can drop that
entirely. Unless you want some traffic to still be redirected/rewritten
by SG. In which case you need url_rewrite_access to define which traffic
SG applies to.

Amos

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
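The sgMapper wrapper sketched above, written out as an added example; this is not code from the thread, from Eliezer's helper or from the Squid project. It assumes the squidGuard binary and config path from Kevin's url_rewrite_program line and a hypothetical install path of /usr/local/bin/sg_acl_wrapper.py. The helper runs squidGuard as a child process, feeds it each request in the old redirector line format, and answers OK when SG returns an empty line (nothing to rewrite) and ERR when SG returns a redirect, so that `http_access allow testWithSg` matches only URLs that are not on a blacklist and every other request falls through to `deny !auth`:

```python
#!/usr/bin/env python3
"""sg_acl_wrapper.py: external_acl_type helper that consults squidGuard and
answers OK/ERR in the generic helper protocol. Added example, not the thread's
or the Squid project's code.

Assumed squid.conf wiring (names follow the sketch in the thread):

  external_acl_type sgMapper ttl=60 negative_ttl=60 %URI %SRC %METHOD \
      /usr/local/bin/sg_acl_wrapper.py
  acl testWithSg external sgMapper
  acl auth proxy_auth REQUIRED
  acl ldapgroup_webusers external webusers webusers

  http_access allow testWithSg           # SG lets the URL pass: no login needed
  http_access deny !auth                 # blacklisted: challenge for credentials
  http_access allow ldapgroup_webusers   # only the AD group "webusers" may continue
  http_access deny all
"""
import subprocess
import sys

# squidGuard command taken from the url_rewrite_program line in the thread.
SG_CMD = ["/usr/bin/squidGuard", "-c", "/etc/squidguard/squidGuard.conf"]


def parse_squid_line(line):
    """Split an external ACL request into (channel_id, fields).

    Squid prefixes a numeric channel-ID only when concurrency=N is set on the
    external_acl_type line; the remaining fields follow the format codes in order.
    """
    fields = line.strip().split()
    if fields and fields[0].isdigit():
        return fields[0], fields[1:]
    return None, fields


def build_sg_line(url, src, method):
    """Build the classic redirector request squidGuard understands:
    'URL client_ip/fqdn user method'. The user is '-' because the request is
    deliberately still unauthenticated when this lookup runs."""
    return f"{url} {src}/- - {method}\n"


def classify_sg_response(reply):
    """Map squidGuard's old redirector answer to the external ACL vocabulary.

    An empty line means SG found nothing to rewrite (URL not on a blacklist):
    OK. Any other text is a rewrite or '30x:' redirect to a block page, i.e.
    the URL is blacklisted: ERR, so 'allow testWithSg' does not match and Squid
    continues to 'deny !auth'.
    """
    return "OK" if reply.strip() == "" else "ERR"


def format_reply(channel, verdict):
    """Echo the channel-ID back to Squid when one was sent."""
    return f"{channel} {verdict}\n" if channel is not None else f"{verdict}\n"


def map_request(squid_line, sg_reply):
    """Map one Squid request line plus SG's answer to the reply line for Squid."""
    channel, _ = parse_squid_line(squid_line)
    return format_reply(channel, classify_sg_response(sg_reply))


def main():
    # squidGuard is not concurrency-aware, so requests are serialised through one child.
    sg = subprocess.Popen(SG_CMD, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          text=True, bufsize=1)
    for line in sys.stdin:
        channel, fields = parse_squid_line(line)
        if len(fields) < 3:
            # Malformed input: report helper trouble (BH), never a silent allow.
            sys.stdout.write(format_reply(channel, "BH"))
            sys.stdout.flush()
            continue
        url, src, method = fields[0], fields[1], fields[2]
        sg.stdin.write(build_sg_line(url, src, method))
        sg.stdin.flush()
        reply = sg.stdout.readline()
        if reply == "":  # EOF: squidGuard exited; fail loudly so Squid restarts the helper
            sys.stdout.write(format_reply(channel, "BH"))
            sys.stdout.flush()
            sys.exit(1)
        sys.stdout.write(format_reply(channel, classify_sg_response(reply)))
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The %LOGIN code is deliberately absent from the sgMapper format line: it would make Squid authenticate before the lookup, which is the behaviour this setup is trying to avoid. One limit of the model with HTTPS: for CONNECT requests Squid only sees host:port, so SG can match the domain of an encrypted site but never its path.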

Re: Squid Authentication if URL is on a Blacklist from SquidGuard

CrossfireAUT
> If you have such a thing as AD and the ability to push Group Policy to
> the users there is no need to avoid authentication.


I have a running AD on Ubuntu 16.04 with samba4.


> Perhaps the client is actually asking to get away from lots of annoying
> popups the browsers are forcing on them? If that is happening it is a
> strong sign that the authentication system needs fixing. When it works
> there should be zero popups.


The client gets asked for his username/password every time he closes & opens the browser; while surfing there are no popups, so the client can surf undisturbed.
At first, my client wanted to authenticate every time someone opens & closes the browser; now he wants to authenticate ONLY if someone calls up "a bad website".



> Er, credentials are valid for 2 hours, but the "users" are jumping
> around between IPs every second?
> NP: the authenticate_ip_* stuff is irrelevant unless a maxuserip type
> ACL is being used.


Thanks, the thing with "authenticate_ip_ttl 1 second" was my fallacy.



> Funky.
> Have you checked that it is not simply the browser "Password Manager"
> feature requesting access to their machine or AD "Domain login" details?


Browsers with "Password-Manager"-Features can save the password, but only fill in the saved username and password.
So you would have to press Enter in order to continue. If you don't use this Feature, you will get asked everytime you close & open the browser and have to enter it yourself.



> To use SG as requested you need to make an external_acl_type helper that
> receives the same things SG needs and passes them on to it, mapping the
> result back to an OK/ERR result for Squid ACL use.
> [IIRC Eliezer has posted a helper that does that to the list.]
>
> Then you can do something like:
>   external_acl_type sgMapper ...
>   acl testWithSg external sgMapper
>
>   http_access allow testWithSg
>   http_access deny !auth
>   ...
>
> Note that this does not involve the url_rewrite_* API. You can drop that
> entirely. Unless you want some traffic to still be redirected/rewritten
> by SG. In which case you need url_rewrite_access to define which traffic
> SG applies to.


I have to excuse myself, I'm still a beginner in the world of Squid.
Thanks for understanding.
You are right, I don't need to redirect to Blockpages anymore.
If the user authenticates because he called up a bad url, he should be allowed to pass.

I don't understand that solution, why do I need to make that external_acl_type helper?
Isn't it the same as my external_acl_type?

external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=xxxx,dc=local))" -h 172.30.0.36

acl ldapgroup_webusers external webusers webusers

http_access allow ldapgroup_webusers


My helpers are working well:
xxxx@xxxx-testproxy01:~# /usr/lib/squid/basic_ldap_auth -R -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f sAMAccountName=%s -h 172.30.0.36
testuser xxxx
OK

xxxx@xxxx-testproxy01:~# /usr/lib/squid/ext_ldap_group_acl -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=xxxx,dc=local))" -h 172.30.0.36
testuser webusers
OK

How can I match the requested URL against the Blacklists without SquidGuard?
I still need to match it against the Blacklist, and then it has to get decided if he needs to authenticate or not.

Thanks for answering!

Re: Squid Authentication if URL is on a Blacklist from SquidGuard

Amos Jeffries
Administrator
On 5/04/2017 7:48 p.m., CrossfireAUT wrote:

> /If you have such a thing as AD and the ability to push Group Policy to
> the users there is no need to avoid authentication./
>
> I have a running AD on Ubuntu 16.04 with samba4.
>
>
> /Perhapse the client is actually asking to get away from lots of annoying
> popups the browsers are forcing on them? if that is happening it is a
> strong sign that the authentication system needs fixing. When it works
> there should be zero popups./
>
> The client gets asked for his username/password everytime he closes & opens
> the browser, while surfing, there are no PopUps so the client can surf
> undisturbed.
> At first, my client wanted to authenticate everytime someone opens & closes
> the browser, now he wants to authenticate ONLY if someone calls up "a bad
> Website".
>
>
>
> /Er, credentials are valid for 2 hours, but the "users" are jumping
> around between IPs every second?
> NP: the authenticate_ip_* stuff is irrelevant unless a maxuserip type
> ACL is being used.
> /
>
> Thanks, the thing with "authenticate_ip_ttl 1 second" was my fallacy.
>
>
>
> /Funky.
> Have you check that is not simple the browser "Password Manager"
> feature requesting access to their machine or AD "Domain login" details?/
>
> Browsers with "Password-Manager"-Features can save the password, but only
> fill in the saved username and password.
> So you would have to press Enter in order to continue. If you don't use this
> Feature, you will get asked everytime you close & open the browser and have
> to enter it yourself.
>
>
> /
> To use SG as requested you need to make an external_acl_type helper that
> receives the same things SG needs and passes them on to it, mapping the
> result back to an OK/ERR result for Squid ACL use.
>  [ IIRC Eliezer has posted a helper that does that to the list . ]
>
> Then you can do something like:
>   external_acl_type sgMapper ...
>   acl testWithSg external sgMapper
>
>   http_access allow testWithSg
>   http_access deny !auth
>   ...
>
> Note that this does not involve the url_rewrite_* API. You can drop that
> entirely. Unless you want some traffic to still be redirected/rewritten
> by SG. In which case you need url_rewrite_access to define which traffic
> SG applies to./
>
> I have to excuse myself, I'm still a beginner in the world of Squid.
> Thanks for understanding.
> You are right, I don't need to redirect to Blockpages anymore.
> If the user authenticates because he called up a bad url, he should be
> allowed to pass.
>
> I don't understand that solution, why do I need to make that
> external_acl_type helper?

You need external_acl_type because of that requirement that SG be
used. It is too late to authenticate by the time the url_rewrite helper API
gets consulted. So a complex ACL is needed that does a lookup with SG.
The external_acl_type helper interface exists for that type of purpose.

You need the special mapping helper only because SG is very outdated
software and no longer maintained. It does not understand the generic
helper syntax Squid uses these days, and only responds with the old
redirect_helper syntax.

The wrapper helper is needed to map that old SG syntax to new OK/ERR
responses that the ACL interface expects.

My answer went that way because you said using SG was a client
requirement. I assumed you could not change that.

FWIW: Any helper which responds using the generic helper syntax
(produces OK/ERR codes) can be used directly in an external_acl_type
directive without the special wrapper SG needs. ufdbGuard is one I
expect could be used like that as a replacement for SG.


> Isn't it the same as my external_acl_type?
>
> /external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b
> "dc=xxxx,dc=local" -D [hidden email] -W /etc/squid/squid.secrets -f
> "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=xxxx,dc=local))" -h
> 172.30.0.36

This external_acl_type is a lookup to check the already logged-in users
group membership.

It does not check what SG thinks about the URL (good or bad), or
anything else. Just the group check.


You can have multiple external_acl_type lines. Having one for SG does
not affect the above group one in any way. They are named in that first
parameter so your "acl ... external" lines can reference which helper is
to be sent the lookup by that ACL.


>
> acl ldapgroup_webusers external webusers webusers
>
> http_access allow ldapgroup_webusers
> /
>
> My helper are working well:
> xxxx@xxxx-testproxy01:~# /usr/lib/squid/basic_ldap_auth -R -b
> "dc=xxxx,dc=local" -D [hidden email] -W /etc/squid/squid.secrets -f
> sAMAccountName=%s -h 172.30.0.36
> testuser xxxx
> OK
>
> xxxx@xxxx-testproxy01:~# /usr/lib/squid/ext_ldap_group_acl -b
> "dc=xxxx,dc=local" -D [hidden email] -W /etc/squid/squid.secrets -f
> "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=xxxx,dc=local))" -h
> 172.30.0.36
> testuser webusers
> OK
>
> How can I match the requested URL against the Blacklists without SquidGuard?
> I still need to match it against the Blacklist, and then it has to get
> decided if he needs to authenticate or not.


It depends on exactly what format the blacklist is. If it is just a list
of domains, you can load it into a dstdomain ACL.
Like so:
 acl bad dstdomain "/etc/squid/blacklist.domains"

Or, if it has regex patterns one of the regex ACLs. There are a bunch
that can do full-URL, domain, or path-only regex matching. Though regex
is kind of slow so if you can avoid that it helps with performance.
 <http://www.squid-cache.org/Doc/config/acl/>

Or, using a more up to date helper than SG for the external lookup, as
mentioned above.

The benefit of doing the lists outside of squid.conf ACLs is the ability
to change them easily without reconfiguring Squid. That comes in handy
for large lists.

Amos

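The ACL-only variant from Amos's answer, assembled into a squid.conf fragment as an added example rather than configuration from the thread or the Squid project. The blacklist file path is the one Amos gives above and the ACL names are Kevin's; the http_access order is what lets unlisted sites pass without credentials while listed ones require a login and membership in the AD group:

```squidconf
# Blacklist as plain domains, one per line (".example.test" also matches subdomains).
acl bad dstdomain "/etc/squid/blacklist.domains"

acl auth proxy_auth REQUIRED
acl ldapgroup_webusers external webusers webusers

# The Safe_ports / CONNECT / manager rules from the original config stay above this point.

http_access allow !bad                    # not blacklisted: pass without credentials
http_access deny !auth                    # blacklisted: 407 challenge, browser prompts for login
http_access allow bad ldapgroup_webusers  # listed site + member of AD group "webusers": allowed
http_access deny all

# url_rewrite_program / url_rewrite_children are not needed in this model.
```

Squid reads the dstdomain file when the configuration is loaded, so after editing the list run `squid -k parse` to check the syntax and `squid -k reconfigure` to apply it; that reload step is exactly what an external helper with its own list avoids, which is the trade-off Amos points out for large lists.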

Re: Squid Authentication if URL is on a Blacklist from SquidGuard

Eliezer Croitoru
In reply to this post by Amos Jeffries
A copy of the message which includes the script and the relevant details at: http://www.ngtech.co.il/paste/1758/raw/

Or on the list archives:
http://lists.squid-cache.org/pipermail/squid-users/2016-June/011047.html

Or on the next gist:
https://gist.github.com/elico/865938620fb7a61ce5293bbce0b2bb06

Eliezer

* Should I add it to the wiki?... this is a 3-Clause BSD licensed piece of code

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Amos Jeffries
Sent: Tuesday, April 4, 2017 9:18 AM
To: [hidden email]
Subject: Re: [squid-users] Squid Authentication if URL is on a Blacklist from SquidGuard