per-acl error messages not working


per-acl error messages not working

Michael W. Lucas

Hi,

I'm obviously doing something wrong with my ACLs, and would appreciate
any advice.  

We require authentication via radius, and we only allow each user to
be logged on from one workstation at a time.  Anyone logged on to a server
can access the Internet from multiple machines (i.e., for maintenance
periods where one admin might be running updates on several boxes
simultaneously).

If a user logs in from too many machines, or if he enters a wrong
password, he gets the error message in ERR_NO_SHARING.  I would expect
a user who signs on too often to get ERR_NO_SHARING and a user who
fails to authenticate to get the default ERR_CACHE_ACCESS_DENIED.

Instead, all users get ERR_NO_SHARING.  I would like to give the users
a useful error message, but obviously I am missing something.

The ACL portion of my squid.conf follows.

Thanks for any suggestions,
==ml

--

error_directory /etc/squid/errors

auth_param basic program /usr/local/squid/libexec/squid_radius_auth_new -f /etc/squid/squid_radius_auth.conf

auth_param basic children 5
auth_param basic realm 'Web'

#confirm our login is still good via Radius at this interval;
#this is not the time between password query popups at user's browser!
authenticate_ttl 15 minutes

acl all src 0.0.0.0/0.0.0.0 # all sources

acl manager proto cache_object # internal cache manager

acl localhost src 127.0.0.1/255.255.255.255  # This computer's loopback source
acl to_localhost dst 127.0.0.0/8 # This computer's loopback destinations

acl PURGE method PURGE

acl Safe_ports port 80 # http
acl Safe_ports port 20 # ftp-data
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl radius_auth proxy_auth REQUIRED

acl no_auth_src src "/etc/squid/noauth_src.list"
acl no_auth_dst dst "/etc/squid/noauth_dst.list"
acl no_auth_hostdst dstdomain "/etc/squid/noauth_hostdst"

#Don't share password
authenticate_ip_ttl 60 seconds
acl noPwSharing max_user_ip 1
deny_info ERR_NO_SHARING noPwSharing
#allow server networks more leeway for administration
acl serverPwSharing max_user_ip 5
deny_info ERR_NO_SHARING serverPwSharing

#Our internal networks; one for source, one for dest

acl our_networks src 10.0.0.0/8 127.0.0.0/8
acl our_servers dst 10.0.0.0/8 127.0.0.0/8

acl server_network src 10.184.1.0/24

acl our_domains dstdomain internal.com

acl CONNECT method CONNECT # Http Connect method

#Only the local machine can see cache manager
http_access allow manager localhost
http_access deny manager

#management acl
http_access allow PURGE localhost
http_access deny PURGE

#block connections to unsafe ports
http_access deny !Safe_ports

#Allow everyone through to some sites without auth
http_access allow no_auth_dst
http_access allow no_auth_src
http_access allow no_auth_hostdst

#Internal domains are always fetched directly, never through a cache peer
always_direct allow our_domains

#servers can have one user connect multiple times
http_access allow server_network radius_auth

#clients may only log in from one IP at a time.
http_access deny noPwSharing

#Clients must auth to radius to leave our network
http_access allow our_networks radius_auth  

#everyone else is denied access
http_access deny all

#everyone can reply
http_reply_access allow all

#nobody may use this as a peer proxy
icp_access deny all




--
Michael W. Lucas [hidden email], [hidden email]
                http://www.BlackHelicopters.org/~mwlucas/
      Coming Soon: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."

Re: per-acl error messages not working

Norman Noah
As far as I know, the error message should be put below, after all the rules...

Re: per-acl error messages not working

Henrik Nordström
In reply to this post by Michael W. Lucas
On Wed, 2007-07-25 at 13:31 -0400, Michael W. Lucas wrote:

> If a user logs in from too many machines, or if he enters a wrong
> password, he gets the error message in ERR_NO_SHARING.  I would expect
> a user who signs on too often to get ERR_NO_SHARING and a user who
> fails to authenticate to get the default ERR_CACHE_ACCESS_DENIED.
>
> Instead, all users get ERR_NO_SHARING.  I would like to give the users
> a useful error message, but obviously I am missing something.

> #clients may only log in from one IP at a time.
> http_access deny noPwSharing

change the above to

http_access deny our_networks radius_auth noPwSharing

and the result will be what you expect: unauthenticated users are denied
by the radius_auth ACL, and authenticated users using too many IP
addresses are denied by the noPwSharing ACL.

I also added the our_networks ACL to deny probing of the user
passwords. You probably want to do this on the no_auth_... lines as
well.

Regards
Henrik
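Henrik's fix rests on how Squid walks http_access lines and which ACL name ends up selecting the deny_info page. The Python model below is an added illustration, not part of the thread and not Squid's own code. It reproduces, under the assumption that this is how Squid behaves, only the rules relevant here: the ACLs on one line are ANDed and checked left to right, stopping at the first that fails; the first line whose ACLs all match decides; the error page is the deny_info page of the last ACL evaluated (defaulting to ERR_ACCESS_DENIED, or ERR_CACHE_ACCESS_DENIED when a 407 challenge is sent); and an ACL that needs credentials (proxy_auth, max_user_ip) aborts the whole check with a challenge when credentials are missing or wrong. It runs a trimmed version of the posted config (Safe_ports, manager, PURGE and the no_auth_* lines are left out; the RADIUS verdict and the user's current IP count are constructed fields on the request) in both the original and the corrected ACL order against the client types discussed above.

```python
"""Toy model of Squid http_access evaluation (added illustration, not Squid code).

Assumed rules, simplified from Squid's behaviour:
  * ACLs on one http_access line are ANDed, checked left to right, and the
    line stops at the first ACL that does not match;
  * the first line whose ACLs all match decides allow or deny;
  * the error page comes from the deny_info of the LAST ACL evaluated;
  * proxy_auth and max_user_ip need a valid login; with missing or bad
    credentials the whole check ends in a 407 challenge.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Request:
    src: str                     # client IP address
    user: Optional[str] = None   # username from Proxy-Authorization, None if absent
    creds_valid: bool = False    # constructed stand-in for the RADIUS verdict
    ips_in_use: int = 1          # constructed: distinct client IPs this user is on


# ACL definitions using the names from the posted squid.conf.
ACLS = {
    "all":            ("all",),
    "our_networks":   ("src", [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]),
    "server_network": ("src", [ip_network("10.184.1.0/24")]),
    "radius_auth":    ("proxy_auth",),
    "noPwSharing":    ("max_user_ip", 1),
}
DENY_INFO = {"noPwSharing": "ERR_NO_SHARING"}

CHALLENGE = object()   # sentinel: ACL needs credentials the client did not supply


def match_acl(name, req):
    kind = ACLS[name][0]
    if kind == "all":
        return True
    if kind == "src":
        return any(ip_address(req.src) in net for net in ACLS[name][1])
    # proxy_auth and max_user_ip cannot be decided without a valid login
    if req.user is None or not req.creds_valid:
        return CHALLENGE
    if kind == "proxy_auth":
        return True
    if kind == "max_user_ip":
        return req.ips_in_use > ACLS[name][1]
    raise ValueError(f"unknown acl type {kind}")


def http_access(rules, req):
    """Return (status, error_page, last_acl_evaluated) for req under rules."""
    last = None
    for action, names in rules:
        matched = True
        for name in names:
            last = name
            result = match_acl(name, req)
            if result is CHALLENGE:
                # The challenge page is still looked up by the last ACL name,
                # which is why a max_user_ip ACL hit first yields ERR_NO_SHARING.
                return 407, DENY_INFO.get(name, "ERR_CACHE_ACCESS_DENIED"), name
            if not result:
                matched = False
                break
        if matched:
            if action == "allow":
                return 200, None, last
            return 403, DENY_INFO.get(last, "ERR_ACCESS_DENIED"), last
    # No line matched: the default is the opposite of the last line's action.
    if rules[-1][0] == "allow":
        return 403, DENY_INFO.get(last, "ERR_ACCESS_DENIED"), last
    return 200, None, last


# The auth-related part of the posted config, in the original order...
ORIGINAL = [
    ("allow", ["server_network", "radius_auth"]),
    ("deny",  ["noPwSharing"]),
    ("allow", ["our_networks", "radius_auth"]),
    ("deny",  ["all"]),
]
# ...and with the deny line rewritten as Henrik suggests.
FIXED = [
    ("allow", ["server_network", "radius_auth"]),
    ("deny",  ["our_networks", "radius_auth", "noPwSharing"]),
    ("allow", ["our_networks", "radius_auth"]),
    ("deny",  ["all"]),
]

# Constructed sample clients.
CASES = {
    "workstation, wrong password":   Request("10.1.2.3", "alice", False),
    "workstation, valid, one IP":    Request("10.1.2.3", "alice", True),
    "workstation, valid, two IPs":   Request("10.1.2.3", "alice", True, ips_in_use=2),
    "server, valid, four IPs":       Request("10.184.1.7", "root", True, ips_in_use=4),
    "outsider, no credentials":      Request("192.0.2.10"),
}

if __name__ == "__main__":
    for label, req in CASES.items():
        print(f"{label:30} original={http_access(ORIGINAL, req)}  fixed={http_access(FIXED, req)}")
```

With the original order, every non-server client that is not yet authenticated hits noPwSharing first, so the challenge carries ERR_NO_SHARING; with the corrected line, a bad password stops at radius_auth and gets the default page, while only a valid login from too many addresses reaches noPwSharing. The outsider case shows Henrik's second point: once our_networks leads the deny line, a request from outside never reaches radius_auth, gets a plain 403 and never causes a RADIUS round trip, whereas the original order challenges any source address and lets it feed password guesses through the proxy.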