Sslbump with multiple users and multiple ACLs for each


Sslbump with multiple users and multiple ACLs for each

stressedtux
Hi guys!

I need a hand to understand if it is possible to configure the proxy in a
particular way.

I need to configure the proxy to allow, at the same time:

- a whitelist of sites that anyone that uses the proxy could use without
login
- and in addition to that, I need to have specific ACLs for different
authenticated users.

I need to control both http and https connections to external sites. I can
use sslbump but I'm having a hard time configuring sslbump with proxy_auth, and
on top of that, I need different ACL whitelists for different users.

Is this kind of configuration possible? Just trying to understand if I'm on a
dead road :D

Thanks in advance!
Tux



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Sslbump with multiple users and multiple ACLs for each

Vacheslav
Yeah, with ufdbguard; maybe there are other means...

-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of stressedtux
Sent: Thursday, January 3, 2019 5:38 PM
To: [hidden email]
Subject: [squid-users] Sslbump with multiple users and multiple ACLs for each

> I need a hand to understand if it is possible to configure the proxy in a particular way.
>
> I need to configure the proxy to allow, at the same time:
>
> - a whitelist of sites that anyone that uses the proxy could use without login
> - and in addition to that, I need to have specific ACLs for different authenticated users.
>
> I need to control both http and https connections to external sites. I can use sslbump but I'm having a hard time configuring sslbump with proxy_auth, and on top of that, I need different ACL whitelists for different users.
>
> Is this kind of configuration possible? Just trying to understand if I'm on a dead road :D
>
> Thanks in advance!
> Tux






Re: Sslbump with multiple users and multiple ACLs for each

stressedtux
With ufdbguard, is it possible to allow one user to have an ACL and another user a
different ACL? I'm trying to completely block access to inet except for what I
should allow.




Re: Sslbump with multiple users and multiple ACLs for each

Benjamin E. Nichols
Why are you asking support questions about a commercial product, on the
squid proxy email users list?

On 1/3/2019 9:40 AM, stressedtux wrote:

> With ufdbguard, is it possible to allow one user to have an ACL and another user a
> different ACL? I'm trying to completely block access to inet except for what I
> should allow.

--
Signed,

Benjamin E. Nichols
Founder & Chief Architect
1-(405)-301-9516
http://www.squidblacklist.org


Re: Sslbump with multiple users and multiple ACLs for each

Antony Stone
On Thursday 03 January 2019 at 16:45:05, Benjamin E. Nichols wrote:

> Why are you asking support questions about a commercial product, on the
> squid proxy email users list?

Maybe because s/he's only just been introduced to ufdbguard by an answer from
someone else on this list, and therefore doesn't yet realise there might be
somewhere better to ask further questions about that?

Antony.

> On 1/3/2019 9:40 AM, stressedtux wrote:
> > With ufdbguard, is it possible to allow one user to have an ACL and another
> > user a different ACL? I'm trying to completely block access to inet except
> > for what I should allow.

--
Angela Merkel arrives at Paris airport.
"Nationality?" asks the immigration officer.
"German," she replies.
"Occupation?"
"No, just here for a summit conference."

Please reply to the list;
please *don't* CC me.

Re: Sslbump with multiple users and multiple ACLs for each

stressedtux
In reply to this post by Benjamin E. Nichols
Sorry guys, I'm not trying to start a witch hunt, I'm just trying to understand
if Squid alone or with SquidGuard or another plugin is able to do this:

- Blacklist all websites
- Allow a whitelist for "user1"
- Allow a different whitelist for "user2" and so on (whitelist3 for user3,
whitelist4 for user4...)
- And have a whitelist for everyone, logged-in users and not logged-in ones.
(I have to block all URLs, http and https)

Don't care about paid products... just trying to understand if I'm on the
correct path or if trying to configure Squid with this kind of rules is
impossible. I'm new at Squid and I have been trying for 3 days already to
configure it this way with no success.

Thanks in advance
Tux




Re: Sslbump with multiple users and multiple ACLs for each

Alex Rousskov
In reply to this post by stressedtux
On 1/3/19 7:37 AM, stressedtux wrote:

> I need a hand to understand if it is possible to configure the proxy in a
> particular way.
>
> I need to configure the proxy to allow, at the same time:
>
> - a whitelist of sites that anyone that uses the proxy could use without
> login
> - and in addition to that, I need to have specific ACLs for different
> authenticated users.
>
> I need to control both http and https connections to external sites. I can
> use sslbump but I'm having a hard time configuring sslbump with proxy_auth, and
> on top of that, I need different ACL whitelists for different users.
>
> Is this kind of configuration possible?

Yes, I believe that all of the above is possible in principle. If you
need help with specific configurations/ACLs, I suggest starting with the
simplest set of specific use cases and posting your best configuration
snippet that does not work, while explaining why you think it does not work.

You cannot authenticate HTTP inside bumped connections, but I do not
think you actually need that.

Alex.

Re: Sslbump with multiple users and multiple ACLs for each

Bruno de Paula Larini
In reply to this post by stressedtux
On 03/01/2019 12:37, stressedtux wrote:

> Hi guys!
>
> I need a hand to understand if it is possible to configure the proxy in a
> particular way.
>
> I need to configure the proxy to allow, at the same time:
>
> - a whitelist of sites that anyone that uses the proxy could use without
> login
> - and in addition to that, I need to have specific ACLs for different
> authenticated users.
>
> I need to control both http and https connections to external sites. I can
> use sslbump but I'm having a hard time configuring sslbump with proxy_auth, and
> on top of that, I need different ACL whitelists for different users.
>
> Is this kind of configuration possible? Just trying to understand if I'm on a
> dead road :D
>
> Thanks in advance!
> Tux

This link helped me a lot with ssl_bump:
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
To bump intercepted (implicit) https connections, you would need to add an
'https_port' with the 'intercept' option on another REDIRECTed port,
considering the example from the link. To 'bump' connections you need to
add your self-signed certificate to the clients' trusted store, or else
they will always receive certificate errors in their browsers.

Keep in mind that you don't need to use ssl_bump to block/allow https
sites in most cases (in explicit mode, for example). Bumping is most
useful if you're willing to audit the users' access at a deeper level or
cache web content from https websites.
If setting up the clients is a problem for you, use 'splice' instead. It
won't open the https traffic for you though.

The users and whitelist part is a very common setup; there are lots of
examples out there.

-Bruno


Re: Sslbump with multiple users and multiple ACLs for each

Marcus Kool
In reply to this post by Benjamin E. Nichols
For those who do not know it yet: ufdbGuard is free.

ufdbGuard supports user-defined URL databases, 3rd party plain-text URL databases, and a commercial database from www.urlfilterdb.com.

Marcus


On 03/01/2019 13:45, Benjamin E. Nichols wrote:

> Why are you asking support questions about a commercial product, on the squid proxy email users list?
>
> On 1/3/2019 9:40 AM, stressedtux wrote:
>> With ufdbguard, is it possible to allow one user to have an ACL and another user a
>> different ACL? I'm trying to completely block access to inet except for what I
>> should allow.
>

Re: Sslbump with multiple users and multiple ACLs for each

Marcus Kool
In reply to this post by stressedtux
ufdbGuard supports blacklists, whitelists, large numbers of whitelists, users and acls.

The configuration file is intuitive and if the Reference Manual does not explain everything, one can also write to the support desk of URLfilterDB or the ufdbguard mailing list.

Just for the record, I am biased since I am the author of ufdbGuard.

Marcus



On 03/01/2019 14:05, stressedtux wrote:

> Sorry guys, I'm not trying to start a witch hunt, I'm just trying to understand
> if Squid alone or with SquidGuard or another plugin is able to do this:
>
> - Blacklist all websites
> - Allow a whitelist for "user1"
> - Allow a different whitelist for "user2" and so on (whitelist3 for user3,
> whitelist4 for user4...)
> - And have a whitelist for everyone, logged-in users and not logged-in ones.
> (I have to block all URLs, http and https)
>
> Don't care about paid products... just trying to understand if I'm on the
> correct path or if trying to configure Squid with this kind of rules is
> impossible. I'm new at Squid and I have been trying for 3 days already to
> configure it this way with no success.
>
> Thanks in advance
> Tux

Re: Sslbump with multiple users and multiple ACLs for each

stressedtux
In reply to this post by Bruno de Paula Larini
Ty guys. I think I was finally able to solve it.

For those who have the same problem, this was my solution:



#### Proxy Port
http_port 80


################################
#### BEGIN
################################

##  ACLs localnet
acl localnet src XXX.XXX.0.0/16 # My Network1
acl localnet src XXX.XXX.0.0/16 # My Network2

# ACLs Ports
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl CONNECT method CONNECT


#### Auth parameters (basic auth against an htpasswd-style file)
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED


# http_access lines are checked top to bottom; on one line every ACL must
# match (left to right), and the first fully matching line decides.

##### Rules for global users, non-authenticated - "Global Whitelist"
acl global_whitelist dstdomain "/etc/squid/global_whitelist"
http_access allow http localnet port_80 global_whitelist
http_access allow CONNECT localnet port_443 global_whitelist


##### Rule for authenticated user stressedtux
# The proxy_auth ACL is last on each line, so credentials are only asked for
# when the destination is on that user's list; anything else falls through.
acl login_stressedtux proxy_auth stressedtux
acl sites_stressedtux dstdomain "/etc/squid/sites_stressedtux.txt"
http_access allow http port_80 localnet sites_stressedtux login_stressedtux
http_access allow CONNECT port_443 localnet sites_stressedtux login_stressedtux


##### Rules for authenticated users of "group" usrgrp1
acl login_usrgrp proxy_auth "/etc/squid/list_users_usrgrp1.txt"
acl sites_usrgrp dstdomain "/etc/squid/sites_usrgrp1.txt"
http_access allow http port_80 localnet sites_usrgrp login_usrgrp
http_access allow CONNECT port_443 localnet sites_usrgrp login_usrgrp

##### Block everything else
http_access deny all


################################
#### END
################################







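To see how the posted http_access lines combine, here is an added Python model (not code from this thread or from the Squid project) that replays the rule list over constructed requests. It implements Squid's documented evaluation order (lines top to bottom, the ACLs on one line ANDed left to right, first fully matching line decides) and the dstdomain leading-dot rule. The modelled 407-challenge behaviour for a trailing proxy_auth ACL, and every network, host name and user name, are assumptions and sample data, to be checked against your own Squid.

```python
"""Model of how the posted squid.conf policy decides a request.

Added example, not code from the thread or from the Squid project.  It
re-implements the documented http_access evaluation order for just the ACL
types the posted config uses.  All addresses, host names and user names
below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Request:
    src: str              # client IP address
    method: str           # "GET" or "CONNECT"
    scheme: str           # "http" for plain requests, "https" for CONNECT tunnels
    host: str             # destination domain
    port: int             # destination port
    user: Optional[str]   # None when no Proxy-Authorization credentials were sent


# Constructed stand-ins for the list files the posted config reads.
GLOBAL_WHITELIST = [".example.org"]         # /etc/squid/global_whitelist
SITES_STRESSEDTUX = ["mail.example.com"]    # /etc/squid/sites_stressedtux.txt
USERS_USRGRP1 = ["alice", "bob"]            # /etc/squid/list_users_usrgrp1.txt
SITES_USRGRP1 = [".intranet.example.net"]   # /etc/squid/sites_usrgrp1.txt

# ACL name -> (type, values), mirroring the posted squid.conf.
ACLS = {
    "localnet": ("src", ["10.0.0.0/16", "10.1.0.0/16"]),  # XXX.XXX.0.0/16 in the post
    "http": ("proto", ["http"]),
    "port_80": ("port", [80]),
    "port_443": ("port", [443]),
    "CONNECT": ("method", ["CONNECT"]),
    "global_whitelist": ("dstdomain", GLOBAL_WHITELIST),
    "login_stressedtux": ("proxy_auth", ["stressedtux"]),
    "sites_stressedtux": ("dstdomain", SITES_STRESSEDTUX),
    "login_usrgrp": ("proxy_auth", USERS_USRGRP1),
    "sites_usrgrp": ("dstdomain", SITES_USRGRP1),
    "all": ("src", ["0.0.0.0/0"]),
}

# The http_access lines in the posted order; the order *is* the policy.
HTTP_ACCESS = [
    ("allow", ["http", "localnet", "port_80", "global_whitelist"]),
    ("allow", ["CONNECT", "localnet", "port_443", "global_whitelist"]),
    ("allow", ["http", "port_80", "localnet", "sites_stressedtux", "login_stressedtux"]),
    ("allow", ["CONNECT", "port_443", "localnet", "sites_stressedtux", "login_stressedtux"]),
    ("allow", ["http", "port_80", "localnet", "sites_usrgrp", "login_usrgrp"]),
    ("allow", ["CONNECT", "port_443", "localnet", "sites_usrgrp", "login_usrgrp"]),
    ("deny", ["all"]),
]


def dstdomain_match(host: str, patterns) -> bool:
    """Squid dstdomain semantics: a leading dot matches the domain and all its subdomains."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def acl_match(name: str, req: Request) -> bool:
    kind, values = ACLS[name]
    if kind == "src":
        return any(ip_address(req.src) in ip_network(v) for v in values)
    if kind == "proto":
        return req.scheme in values
    if kind == "port":
        return req.port in values
    if kind == "method":
        return req.method in values
    if kind == "dstdomain":
        return dstdomain_match(req.host, values)
    if kind == "proxy_auth":
        return req.user is not None and req.user in values
    raise ValueError(f"unsupported ACL type {kind}")


def decide(req: Request) -> str:
    """Return 'allow', 'deny' or 'auth_required' (a 407 challenge) for req."""
    for action, names in HTTP_ACCESS:
        for i, name in enumerate(names):
            if acl_match(name, req):
                continue
            # Assumption modelled here: when the LAST ACL on a line is a
            # proxy_auth ACL that fails only because no credentials were sent,
            # Squid challenges the client instead of trying the next line.
            if ACLS[name][0] == "proxy_auth" and req.user is None and i == len(names) - 1:
                return "auth_required"
            break  # this line does not match; fall through to the next one
        else:
            return action
    return "deny"  # unreachable with 'deny all' last, kept for completeness


if __name__ == "__main__":
    for r in [Request("10.0.5.5", "GET", "http", "www.example.org", 80, None),
              Request("10.0.5.5", "GET", "http", "mail.example.com", 80, None),
              Request("10.0.5.5", "GET", "http", "www.unlisted.example", 80, None)]:
        print(r.method, r.host, r.user, "->", decide(r))
```

Three outcomes are worth checking against a real instance: a global whitelist site is reachable without any credentials, a destination on a user's own list is the only case where an unauthenticated client is challenged (because proxy_auth sits last on the line), and an unlisted destination falls straight through to `deny all` with no credential prompt. The model does not cover ssl_bump, which the poster ended up not needing; after editing the real file, `squid -k parse` checks the syntax before a reload.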

Re: Sslbump with multiple users and multiple ACLs for each

stressedtux
BTW, neither sslbump nor a plugin was necessary for my case. Ty all!


