[squid-users] Inbound Squid Firewall Proxy

From: Dave Stoddard <dgs@dont-contact.us>
Date: Mon, 23 Jun 2003 21:00:14 -0400

        I have been asked to setup a proxy that will provide a
        measure of security between the Internet and a web server
        that is running inside a protected network. The idea is
        as follows:

        1) Requests come into the Squid proxy from an Internet user
           to access a timesheet application. If the user has not
           logged in, Squid asks the user to login before continuing
           (possibly via ncsa_auth).

        2) Once the user has successfully authenticated, Squid
           forwards traffic between the user on the Internet and the
           web server running a timesheet application on an internal
           network.

        The purpose of the Squid proxy is to serve as a guardian
        between the internal web application server and the external
        Internet. If they can't successfully authenticate to the Squid
        proxy, the internal web server will never see them.

        I am running Squid 2.5 STABLE3 on a RedHat Linux 9 server.
        I have configured the Squid proxy to forward to a specific
        IP address once authentication succeeds. I am able to run
        ncsa_auth at the shell and get it to authenticate a userid
        and password combination successfully. However, when I try
        to run this on the Squid server, it passes the command through
        to the server without any attempt to authenticate. This is
        a copy of the config I am using (all comments removed):

debug_options ALL,1 33,2 28,9
http_port 10.0.100.31:3128
http_port 10.0.100.31:80
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
mime_table /usr/local/squid/etc/mime.conf

auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl foo proxy_auth REQUIRED
acl all src 0/0
http_access allow foo
http_access deny all

tcp_outgoing_address 172.16.80.2

cache_effective_user proxy
cache_effective_group proxy
cachemgr_passwd disable all

        From everything I have read, this should accomplish what I
        am trying to do. Nonetheless, it does not authenticate.
        With comprehensive debugging turned on, I get the following
        results:

2003/06/18 17:32:25| aclMatchAcl: checking 'acl all src 0/0'
2003/06/18 17:32:25| aclMatchIp: '255.255.255.255' found
2003/06/18 17:32:25| aclMatchAclList: returning 1
2003/06/18 17:32:25| aclCheckFast: list: 0x8207518
2003/06/18 17:32:25| aclMatchAclList: checking all
2003/06/18 17:32:25| aclMatchAcl: checking 'acl all src 0/0'
2003/06/18 17:32:25| aclMatchIp: '255.255.255.255' found
2003/06/18 17:32:25| aclMatchAclList: returning 1
2003/06/18 17:32:25| The reply for GET / is ALLOWED, because it matched 'all'

        If you notice the last line, it says the GET is allowed
        because it matched "all". But if you look at the config,
        the only match for all I see is an "http_access deny all"
        statement. I have a couple of questions:

        1) Could this behavior be a bug? If so, what version of
           Squid should I run?

        2) Does anyone have a Squid config that will accomplish
           what I am trying to do?

        3) Or maybe I am using the wrong tool for the job -- does
           anyone have a suggestion for something that will do what
           I am trying to accomplish?

        I have configured Squid plenty of times as a caching proxy
        server with good success, but trying to use it as a firewall
        proxy has me a little puzzled right now. Thanks in advance
        for any help.

        Dave
Received on Mon Jun 23 2003 - 19:00:27 MDT
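Added illustration, not part of the original post and not Squid's own code: a minimal Python model of Squid's first-match access-list evaluation, run over the http_access rules from the posted squid.conf. It assumes that the "The reply for GET / is ALLOWED" debug line comes from the separate http_reply_access check (which defaults to "allow all" when the directive is absent) and constructs the two sample requests.

```python
# Minimal model of Squid's access-list semantics: rules are tried in order,
# every ACL on a line must match (AND), the first matching line decides, and
# if no line matches the opposite of the last line's action applies.
# Not Squid's code; ACL predicates and requests are constructed for this demo.
from typing import Callable, Dict, List, Optional, Tuple

# ACL predicates (constructed): each takes a request dict, returns True on match.
ACLS: Dict[str, Callable[[dict], bool]] = {
    # "acl foo proxy_auth REQUIRED": matches only when valid credentials exist.
    "foo": lambda req: bool(req.get("authenticated", False)),
    # "acl all src 0/0": matches every client address.
    "all": lambda req: True,
}

# Rules exactly as in the posted config, as (action, [acl names]) pairs.
HTTP_ACCESS: List[Tuple[str, List[str]]] = [("allow", ["foo"]), ("deny", ["all"])]
# No http_reply_access line is present, so the default "allow all" applies.
HTTP_REPLY_ACCESS: List[Tuple[str, List[str]]] = [("allow", ["all"])]


def evaluate(rules: List[Tuple[str, List[str]]], req: dict) -> Tuple[str, Optional[str]]:
    """Return (verdict, name of the ACL that produced it) for one rule list."""
    for action, names in rules:
        if all(ACLS[n](req) for n in names):
            return action, names[-1]          # first match wins
    last_action = rules[-1][0] if rules else "deny"
    return ("deny" if last_action == "allow" else "allow"), None


def check_request(req: dict) -> Tuple[Tuple[str, Optional[str]], Tuple[str, Optional[str]]]:
    """Evaluate the request check (http_access) and the reply check separately."""
    return evaluate(HTTP_ACCESS, req), evaluate(HTTP_REPLY_ACCESS, req)


if __name__ == "__main__":
    # Constructed sample requests: one without credentials, one authenticated.
    for req in ({"client": "203.0.113.7", "authenticated": False},
                {"client": "203.0.113.7", "authenticated": True}):
        print(req, "->", check_request(req))
```

With these rules an unauthenticated request is denied at http_access by "all", while the reply check matches "all" with an allow verdict; the reply-stage line therefore says nothing about whether the request stage demanded credentials.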