problem with url_rewrite_access/redirector_access and proxy_auth ACLs

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

problem with url_rewrite_access/redirector_access and proxy_auth ACLs

Anthony Bray
I'm trying to use squid with squidGuard as a content filter. We
currently have this running on an older version (2.5.STABLE2) and I am
trying to redo the machine with newer hardware and OS/Squid. The cache
is working fine, but for some reason the redirector is being skipped.

Basically, what I want to happen (and that currently happens now) is:

users connect to proxy via filter.domain.com:3128

1) squid sends users to redirector
2) if squidGuard matches the URL against it's blacklists, return a
redirect to a web page that prompts for proxy authentication or
reporting an error
3) if a valid proxy username/pass is supplied, override the filter and go on

squidGuard itself works fine, if I feed it URL's manually it returns
blank or the redirect URL. If I comment out the rewrite_access line that
checks for authentication and bypasses the redirector it catches the
filter OK, but since it never checks that you are already authed it
doesn't let you through after entering your override credentials (it
just brings the "you've been blocked" page again and again). The auth
part itself seems to work.

What I think is happening is in the redirector/url_rewrite_access line
that checks for source network and against the proxy_auth REQURIED acl,
it is matching proxy_auth even though it shouldn't (since no credentials
were asked for/provided). Since the request is from our network and the
proxy auth is matching (though it shouldn't), access to the redirector
is denied and squidGuard is bypassed.

I have tried both newer squid 2.5 and 2.6.  No firewall is active on the
system running squid.

I turned on some verbose logging, the output from the relevant
url_rewrite_access check is below.

Thanks for any help you can give me

Anthony
[hidden email]


Relevant portions of squid.conf:

    # correct auth_param basic stuff way up above

    # normal default squid acl's (localhost, all, safe_ports, etc) are here.

    # management network is only used for backups and the like,
    # don't allow any proxy traffic on it
    acl to_mgmtnetwork dst 192.168.0.0/24
    http_access deny to_localhost
    http_access deny to_mgmtnetwork

    acl inetinterface src 10.0.192.0/18
    acl localdestination dst 10.0.192.0/18
    acl proxyauthed proxy_auth REQUIRED
    acl alwaysoverride proxy_auth lovesporn
    acl alwaysfiltered proxy_auth hatesporn
    acl our_networks src 10.0.192.0/18
    # used for error reporting and override cookie placement
    # I don't think the proxyseed entry is needed anymore, I
    # think that is left over from an older method.
    acl proxyseed dstdomain www2.domain.com
    acl proxyerrorreport dstdomain www.domain.com

    # these are changed to url_rewrite_access in squid 2.6
    redirector_access deny localhost
    redirector_access deny localdestination
    # if they're reporting an error don't redirect
    redirector_access deny proxyerrorreport
    redirector_access deny alwaysoverride
    redirector_access allow alwaysfiltered
    # This is supposed to let anybody from outside that is
    # already authenticated around the redirector
    # this is the line that isn't working in newer squid
    # changing this to checking only for auth state and
    # ignoring the source address doesn't work either
    redirector_access deny inetinterface proxyauthed
    # everyone else gets filtered
    redirector_access allow all

    # in squid 2.6 I changed these to http_access2 so they run
    # after the redirector.  I also tried leaving them as they
    # are here
    http_access allow localhost
    # commenting this out makes everyone authenticate
    # before using the proxy at all, which is not what
    # we want
    http_access allow our_networks !proxyseed
    http_access allow proxyauthed

verbose debug log output during the relevant test

    2007/05/17 10:33:23| aclCheck: checking 'url_rewrite_access deny
proxyauthed our_networks'
    2007/05/17 10:33:23| aclMatchAclList: checking proxyauthed
    2007/05/17 10:33:23| aclMatchAcl: checking 'acl proxyauthed
proxy_auth REQUIRED'
    2007/05/17 10:33:23| authenticateValidateUser: Validating Auth_user
request '(nil)'.
    2007/05/17 10:33:23| authenticateValidateUser: Auth_user_request was
NULL!
    2007/05/17 10:33:23| authenticateAuthenticate: broken auth or no
proxy_auth header. Requesting auth header.
    2007/05/17 10:33:23| aclMatchAcl: returning 0 sending authentication
challenge.
    2007/05/17 10:33:23| aclMatchAclList: no match, returning 0
    2007/05/17 10:33:23| aclCheck: requiring Proxy Auth header.
    2007/05/17 10:33:23| aclCheck: match found, returning 2
    2007/05/17 10:33:23| aclCheckCallback: answer=2
Reply | Threaded
Open this post in threaded view
|

Re: problem with url_rewrite_access/redirector_access and proxy_auth ACLs

Henrik Nordström
tor 2007-05-17 klockan 15:12 -0400 skrev Anthony Bray:

> 1) squid sends users to redirector
> 2) if squidGuard matches the URL against it's blacklists, return a
> redirect to a web page that prompts for proxy authentication or
> reporting an error
> 3) if a valid proxy username/pass is supplied, override the filter and go on

Hmm.. not entirely sure such setup would work.. depends heavily on
browser behavior assumptions.

> squidGuard itself works fine, if I feed it URL's manually it returns
> blank or the redirect URL. If I comment out the rewrite_access line that
> checks for authentication and bypasses the redirector it catches the
> filter OK, but since it never checks that you are already authed it
> doesn't let you through after entering your override credentials (it
> just brings the "you've been blocked" page again and again). The auth
> part itself seems to work.

Squid can't check authentication reliably in url_rewrite_access. Not
sure what will happen if you try, but I would not be surprised if your
observations is correct (not authenticated -> deny the use of the
url_rewrite_program).

Regards
Henrik

signature.asc (316 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: problem with url_rewrite_access/redirector_access and proxy_auth ACLs

Henrik Nordström
tor 2007-05-17 klockan 22:22 +0200 skrev Henrik Nordstrom:

> Squid can't check authentication reliably in url_rewrite_access. Not
> sure what will happen if you try, but I would not be surprised if your
> observations is correct (not authenticated -> deny the use of the
> url_rewrite_program).

Forgot to say that if you want to run a setup like this then you need to
use Squid ACLs instead of SquidGuard.

Regards
Henrik

signature.asc (316 bytes) Download Attachment