acl problem

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

acl problem

Alex Gutiérrez Martínez
Hello community, I just installed squid 3.3.8 on ubuntu 14.04. The use
of this software is only providing the Internet to my users. But
something is wrong with my setup. I must clarify that I use as an
authentication system the Ldap plug-in that comes with squid.
The problem is that some acl, although apparently well written, are not
working the way I expect. Specifically those blocking social sites and
prohibited sites.
Here I post my config. Thanks in advance.

#Escondemos la version del squid
httpd_suppress_version_string on
#nombre que queremos que muestre el squid como nuestro host
visible_hostname Hermes
#no permitimos que nada pase por nuestro proxy
via off
forwarded_for off
follow_x_forwarded_for deny all
#puertos que permitiremos
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
# Permitimos los puertos inseguros
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
debug_options ALL,9
########################################################
#auth ldap#
########################################################
auth_param basic program /usr/lib/squid3/basic_ldap_auth  -P  -R -b
"dc=empresa,dc=cuba,dc=cu" -D cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu
-W /etc/squid3/clave.txt -f sAMAccountName=%s -v 3 -s sub -h 172.16.4.10
external_acl_type Group %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -b
"dc=empresa,dc=cuba,dc=cu" -D
cn=cn=ldap,ou=squid,dc=empresa,dc=cuba,dc=cu -W /etc/squid3/clave.txt -f
"(&(objectclass=user)(sAMAccountName=%u)
(memberof=cn=%g,dc=empresa,dc=cuba,dc=cu))" -h 172.16.4.10
#######################################################
#auth que no funcionan y deben arreglarse
##########################################################
auth_param basic children 10
auth_param basic realm hermes.empresa.cuba.cu
auth_param basic credentialsttl 2 hour
acl basic_ldap_auth proxy_auth REQUIRED
http_access allow basic_ldap_auth
#http_access deny all
########################################################
#restricciones selectivas#
########################################################
acl dmz src 172.16.4.0/27
acl navegacion src 192.168.9.0/24
acl full external Group InternetFull
acl limitado external Group InternetLimitado
acl sociales dstdomain -n "/etc/squid3/bloqueo/sociales"
acl extensiones urlpath_regex -i "/etc/squid3/bloqueo/listaextensiones"
http_access allow full sociales
http_access allow full limitado navegacion
http_access allow full dmz
########################################################
#restricciones obligadas#
########################################################
#acl blacklist url_regex -i "/etc/squid3/listanegra"
#http_access deny blacklist
acl bl7 dstdomain -n "/etc/squid3/bloqueo/correos"
http_access allow full !limitado bl7
acl bl1 url_regex -i "/etc/squid3/bloqueo/porno"
http_access deny bl1
acl bl2 url_regex -i "/etc/squid3/bloqueo/android"
http_access deny bl2
acl bl3 url_regex -i "/etc/squid3/bloqueo/prox1"
http_access deny bl3
acl bl4 url_regex -i "/etc/squid3/bloqueo/prox2"
http_access deny bl4
acl bl5 url_regex -i "/etc/squid3/bloqueo/prox3"
http_access deny bl5
acl bl6 url_regex -i "/etc/squid3/bloqueo/prox4"
http_access deny bl6
#acl ladmin src "/etc/squid3/ladmin"
http_access deny all
#########################################################################
#proxy_padre #
#########################################################################
cache_peer 172.16.1.24 parent 8000 0
#nunca permitimos conexiones directas, siempre a traves del proxy
never_direct allow all
#######################################################################
# puerto en que el proxy nos escuchara
http_port 3128
#Establecemos la cache
###############################################################################
#Aqui creo una cache de 3GB, el archivo más grande que dejo cachear es
de 1GB #
#la memoria máxima que le asigno al squid es de 300 MB #
#Este espacio para la cache es muy pequeño, para las necesidades
básicas funciona correctamente#
#Recomiendo cambiarlo si tienen una pc con recursos, la que yo uso es
muy antigua #
###############################################################################
#maximum_object_size 100 MB
cache_dir aufs /var/cache/squid3 1024000 16 256
cache_mem 128 MB
cache_store_log /var/cache/squid3/cache_store.log
coredump_dir /var/cache/squid3/dump
#minimum_expiry_time 600 seconds
############################
client_db off
offline_mode off
cache_swap_low 5
cache_swap_high 10
cache_replacement_policy heap GDSF
maximum_object_size_in_memory 256 KB
chunked_request_body_max_size 4096 KB
half_closed_clients off
quick_abort_min 2 KB
############################
# establecemos los archivos de volcado en /var/cache/squid3/
coredump_dir /var/cache/squid3/
###############################################################################
#Establecemos los patrones de refrescamiento de la cache #
#patron de refrescamiento -- tipo de archivo -- tiempo del objeto -- %de
refrescamiento -- tiempo #
#1440 minutos equivalen a 24 horas #
###############################################################################
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i .(gif|png|jpg|jpeg|ico)$ 10080 20% 43200
override-expire ignore-no-store ignore-private
refresh_pattern -i .(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 20%
432000 override-expire ignore-no-store ignore-private
#refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320
max_filedescriptors 3200
##cuanto el squid intenta cachear en mi nombre
read_ahead_gap 256 KB
#################
#sqstat
#################
#acl manager proto cache_object
# replace 10.0.0.1 with your webserver IP
acl webserver src 172.16.4.25/27
http_access allow manager webserver
http_access allow localhost manager
http_access deny manager
###############################################################################
#Delay#
###############################################################################
client_delay_initial_bucket_level 60
delay_initial_bucket_level 75
delay_pools 2
memory_pools off

#Canal 1 extensiones.
delay_class 1 2
delay_parameters 1 16384/32768 8192/16384
delay_access 1 allow sociales extensiones
delay_access 1 deny all

#Canal 2 para usuarios.
delay_class 2 2
delay_parameters 2 65536/65536 32768/32768
delay_access 2 allow navegacion
delay_access 2 deny all

--

Saludos Cordiales

Lic. Alex Gutiérrez Martínez



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: acl problem

Amos Jeffries
Administrator
On 30/08/17 03:12, Alex Gutiérrez Martínez wrote:
> Hello community, I just installed squid 3.3.8 on ubuntu 14.04. The use
> of this software is only providing the Internet to my users. But
> something is wrong with my setup. I must clarify that I use as an
> authentication system the Ldap plug-in that comes with squid.
> The problem is that some acl, although apparently well written, are not
> working the way I expect. Specifically those blocking social sites and
> prohibited sites.

Ah, there are no rules blocking social and advertising sites.
You have some rules *allowing* access to various groups, then some
blanket denial of everything else.

The problem is actually your allow rule not doing what you seem to
expect of them. Specifically the first one.

...
> acl basic_ldap_auth proxy_auth REQUIRED
> http_access allow basic_ldap_auth

Anyone who can login is allowed to use this proxy. End of story for
authenticated users.

Note that the "REQUIRED" value in the ACL does not mean proxy access
requires credentials. It means that the ACL will non-match unless a
valid login is given. The "allow" action in turn then means a non-match
simply skips that line.

Anyone who sends invalid credentials to the proxy _will_ fly straight
past this first access control without being challenged, anyone lacking
credentials entirely *might* be challenged to supply some depending on
what ACL types your later rules use.


Overall "allow" is a very unreliable way to do authentication security.
Instead you should start with denying clients who cannot supply valid
logins. Like so:

   http_access deny !basic_ldap_auth

... then do the group checks etc which rely on those credentials.


> #http_access deny all
> ########################################################
> #restricciones selectivas#
> ########################################################
> acl dmz src 172.16.4.0/27
> acl navegacion src 192.168.9.0/24
> acl full external Group InternetFull
> acl limitado external Group InternetLimitado
> acl sociales dstdomain -n "/etc/squid3/bloqueo/sociales"
> acl extensiones urlpath_regex -i "/etc/squid3/bloqueo/listaextensiones"

... but no valid credentials means no group. These cannot match right
now and so get skipped.

While it may have appeared that these allow lines were working, it was
in fact the earlier "allow basic_ldap_auth" line letting users in the
group "full" (and any other group) through.


> http_access allow full sociales
> http_access allow full limitado navegacion
> http_access allow full dmz
> ########################################################
> #restricciones obligadas#
> ########################################################
> #acl blacklist url_regex -i "/etc/squid3/listanegra"
> #http_access deny blacklist
> acl bl7 dstdomain -n "/etc/squid3/bloqueo/correos"
> http_access allow full !limitado bl7


Here you have a bunch of stuff being denied based on group. BUT, the
last thing is "deny all" with no possibility of allow from here on down.
So all these slow checking group and regex ACLs are pretty pointless,
even if the group checks could work with invalid logins.

If any request reaches this spot of the access list it is going to be
denied. So "deny all" is sufficient, no need to do all the following
complex stuff first.


> acl bl1 url_regex -i "/etc/squid3/bloqueo/porno"
> http_access deny bl1
> acl bl2 url_regex -i "/etc/squid3/bloqueo/android"
> http_access deny bl2
> acl bl3 url_regex -i "/etc/squid3/bloqueo/prox1"
> http_access deny bl3
> acl bl4 url_regex -i "/etc/squid3/bloqueo/prox2"
> http_access deny bl4
> acl bl5 url_regex -i "/etc/squid3/bloqueo/prox3"
> http_access deny bl5
> acl bl6 url_regex -i "/etc/squid3/bloqueo/prox4"
> http_access deny bl6
> #acl ladmin src "/etc/squid3/ladmin"
> http_access deny all


HTH
Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users