Re: [squid-users] Squid skipping authentication.

From: Christoph Haas <email@dont-contact.us>
Date: Wed, 3 Aug 2005 17:58:23 +0200

On Wed, Aug 03, 2005 at 10:48:22AM -0300, Rodrigo A B Freire wrote:
> We're facing a problem that seems to be position-related in the ACL.
>
> We have an ACL that blocks some url-regex words. And another file that
> treats the exceptions:
>
> i.e.: porn file Blocks 'butt'; but the exception file noporn allows
> 'butter'.
>
> If the url contains the words in the exception (i.e.: someone querying
> for butter in Google), the access isn't validated against NTLM
> authentication. It is passing through, without any required authentication.
>
> And we have a third case that allows Windows Update and some banking
> sites (which are sensitive to NTLM authentication, due to Java's buggy NTLM
> authentication and WU5 issues) to pass through without authentication.
>
> In the squid.conf:
>
> ####################### ACLs
> # The bad words:
> acl porn url_regex "/usr/local/squid/etc/regras/porn"
>
> # The exception for the bad words (these are passing through)
> acl noporn url_regex "/usr/local/squid/etc/regras/noporn"
>
> # Everyone subjected to authentication
> acl AuthorizedUsers proxy_auth REQUIRED
>
> # Block some p2p strings
> acl p2p browser Kazaa KazaaClient Gnutella Gnucleus e2dk BitTorrent
>
> # Allow these without any authentication
> acl bancos dstdomain .caixa.gov.br .bb.com.br .bancobrasil.com.br
> .bancodobrasil.com.br .windowsupdate.com download.microsoft.com
> windowsupdate.microsoft.com

I'm not sure if this will work. "download.microsoft.com" is not a domain
but rather a hostname. It should belong in something like:

acl dst.bancos dst download.microsoft.com

(Put aside that Microsoft is not - yet - a bank.)

> ####################### The http_access section
> http_access allow noporn all
> http_access deny porn all
> http_access deny p2p
> http_access allow all bancos
> http_access allow all AuthorizedUsers
> http_access deny all

The "all" is redundant here. "noporn all" means that it only matches if
both the ACLs match. Since "all" matches always you should omit it.
Otherwise it looks okay. My suggestion though:

http_access deny p2p
http_access deny porn !noporn
http_access allow bancos
http_access deny !AuthorizedUsers

If you'd like to know which ACLs match, set 'debug_options ALL,1 33,2' in
your squid.conf and run 'squid -k reconfig'. The cache.log should then
tell you why an access is denied.

Regards
 Christoph

Received on Wed Aug 03 2005 - 09:58:28 MDT
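To make the ordering problem discussed in this thread concrete, here is an added example (not from either poster) that simulates Squid's http_access evaluation rules on the two rule sets above: the first line whose ACLs all match decides, "!" negates, and if nothing matches the opposite of the last line applies. The ACL definitions and request are constructed simplifications of the posted config (hypothetical word lists, two of the bancos domains); "deny" with AuthorizedUsers unmatched stands in for the 407 challenge the real proxy would send.

```python
import re

# Constructed simplification of the thread's ACLs (not the real regras/* files).
ACLS = {
    "porn":            lambda r: re.search(r"butt", r["url"]) is not None,
    "noporn":          lambda r: re.search(r"butter", r["url"]) is not None,
    "p2p":             lambda r: r.get("ua", "") in {"Kazaa", "BitTorrent"},
    "bancos":          lambda r: r["host"].endswith((".caixa.gov.br", ".windowsupdate.com")),
    "AuthorizedUsers": lambda r: r.get("authenticated", False),
    "all":             lambda r: True,
}

# http_access lines as posted (bypasses auth) and as suggested in the reply.
ORIGINAL = [
    ("allow", ["noporn", "all"]),
    ("deny",  ["porn", "all"]),
    ("deny",  ["p2p"]),
    ("allow", ["all", "bancos"]),
    ("allow", ["all", "AuthorizedUsers"]),
    ("deny",  ["all"]),
]
SUGGESTED = [
    ("deny",  ["p2p"]),
    ("deny",  ["porn", "!noporn"]),
    ("allow", ["bancos"]),
    ("deny",  ["!AuthorizedUsers"]),
]

def acl_matches(name, req):
    """Evaluate one ACL token, honouring Squid's '!' negation."""
    negated = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negated

def http_access(rules, req):
    """First line whose ACLs *all* match decides; with no match,
    the opposite of the last line's action is applied (Squid semantics)."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

# Constructed request: an unauthenticated Google search for "butter".
BUTTER_SEARCH = {"host": "www.google.com",
                 "url": "http://www.google.com/search?q=butter",
                 "authenticated": False}

def bypass_demo():
    """Original config lets the request through with no credentials;
    the suggested ordering still demands authentication."""
    return http_access(ORIGINAL, BUTTER_SEARCH), http_access(SUGGESTED, BUTTER_SEARCH)
```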

This archive was generated by hypermail pre-2.1.9 : Thu Sep 01 2005 - 12:00:01 MDT