Re: [squid-users] Re: [squid-users] Recording username for secure connection

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 03 May 2009 18:10:01 +1200

molybtek wrote:
>
>
> Chris Robertson-2 wrote:
>> molybtek wrote:
>>> We have squid running as an authenticating proxy using squid_ldap_auth.
>>> In the access log, for normal connections, it records the username for
>>> most
>>> log entries.
>>> However, for secure connections, the username field is blank. Are there
>>> any
>>> way to get Squid to record the username for those secure connections as
>>> well?
>>>
>> If you require authentication for CONNECT requests, Squid will populate
>> the log with the credentials used. Post your ACLs and http_access lines
>> and we can help figure out where the mistake lies...
>>
>> Chris
>>
>>
>
> The following are the acls and http_access lines in the squid.conf
>
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
>
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl localnets src 172.23.0.0/16
>
> # SNMP ACLs
> acl snmppublic snmp_community squidcommunity
> snmp_port 3401
> snmp_access allow snmppublic all
>
> # ACL for Microsoft product activation addresses
> acl ms_activate dstdomain productactivation.one.microsoft.com
> acl ms_activate dstdomain wustat.windows.com
> acl ms_activate2 dstdomain .microsoft.com
>
> # Microsoft Updates
> acl ms_update dstdomain .windowsupdate.microsoft.com:443
> acl ms_update dstdomain .windowsupdate.microsoft.com:80
> acl ms_update dstdomain .update.microsoft.com:80
> acl ms_update dstdomain .windowsupdate.com:80
> acl ms_update dstdomain download.microsoft.com:80
> acl ms_update dstdomain ntservicepack.microsoft.com:80
> acl ms_update dstdomain wustat.windows.com:80
> acl ms_update dstdomain .update.microsoft.com:443

":80" and ":443" are not part of a domain name. The above will not match.
Luckily your ms_activate2 ACL covers all these domains on its own.

>
> # Skype
> acl numeric_IPs url_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+:443
> acl Skype_UA browser ^skype^
>
> acl SSL_ports port 441 442 443 563 10000
> acl FTP_ports port 21 # FTP
> acl Messengers port 5050 # Yahoo
> acl Messengers port 5190 # AOL
> acl Messengers port 1863 # MSN
> acl Messengers port 5222 # Gtalk
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 441-443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 10000 # Webmin
>
> acl CONNECT method CONNECT
> acl require_auth proxy_auth REQUIRED
> acl ms_activateVista dstdomain go.microsoft.com
> acl ms_activateVista dstdomain sls.microsoft.com
> acl ms_activateVista dstdomain sls.microsoft.com:443
> acl ms_activateVista dstdomain crl.microsoft.com/pki/crl/products
> acl educationsite_allow dstdomain ce6hosting.blackboard.com/webct

Same problem again. "/webct" and "/pki/crl/products" and ":443" are not
parts of domains. This may be causing issues for the domain
ce6hosting.blackboard.com

> acl educationsite_allow dstdomain 2007.pglms.com
> http_access allow ms_activate2
> http_access allow ms_activate
> http_access allow ms_activateVista
> http_access allow ms_update
> http_access allow educationsite_allow
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow CONNECT Messengers
> http_access allow CONNECT Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow require_auth
> http_access deny all
>

Well, since you allow all those updates, and private domain accesses,
and CONNECT requests already before any authentication is asked for, you
won't get any auth details for most of those requests (sometimes you will
get lucky by chance).

Here is a simplified set of http_access which do the same thing but add
auth requirements on CONNECT:

  acl ms_activate dstdomain wustat.windows.com .windowsupdate.com
  acl ms_activate dstdomain .microsoft.com

  http_access allow ms_activate
  http_access allow educationsite_allow

  http_access allow manager localhost
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports !Messengers
  http_access allow require_auth
  http_access deny all

PS. If you did want the messengers to get through without auth details
being logged then add this back in just above the require_auth.
   http_access allow CONNECT Messengers

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
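As an added example that is not part of the thread (my own toy code, not Squid's), the following Python models Squid's first-match http_access evaluation with simplified ACL types. It shows why the original ordering allows an authenticated CONNECT before any proxy_auth ACL is consulted (so the log shows "-"), why Amos's reordering logs the username, and why a dstdomain value carrying ":443" never matches a host.

```python
# Toy model of Squid http_access evaluation (constructed example, not Squid code).
ACLS = {  # name: (type, values) -- subset of the thread's squid.conf
    "ms_update":    ("dstdomain", [".windowsupdate.microsoft.com:443"]),  # bogus ":443"
    "ms_activate":  ("dstdomain", ["wustat.windows.com", ".windowsupdate.com", ".microsoft.com"]),
    "Safe_ports":   ("port", [(80, 80), (21, 21), (441, 443), (1025, 65535)]),
    "SSL_ports":    ("port", [(441, 443), (563, 563), (10000, 10000)]),
    "Messengers":   ("port", [(5050, 5050), (5190, 5190), (1863, 1863), (5222, 5222)]),
    "CONNECT":      ("method", ["CONNECT"]),
    "require_auth": ("proxy_auth", []),
    "all":          ("src", []),
}

# Original ordering from the question, trimmed to the CONNECT-relevant lines.
ORIGINAL = [("deny", ["!Safe_ports"]), ("allow", ["CONNECT", "Messengers"]),
            ("allow", ["CONNECT", "Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]),
            ("allow", ["require_auth"]), ("deny", ["all"])]
# Amos's simplified ordering: CONNECT is only filtered, never allowed, before auth.
REORDERED = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports", "!Messengers"]),
             ("allow", ["require_auth"]), ("deny", ["all"])]

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "dstdomain":   # only the host name is compared, so "host:443" can never match
        return any(req["host"] == v or (v.startswith(".") and req["host"].endswith(v))
                   for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    if kind == "proxy_auth":  # REQUIRED: matches any request carrying valid credentials
        return req.get("user") is not None
    return True               # "all"

def http_access(rules, req):
    """Return (verdict, logged_user). Lines are tried top-down; on each line the ACLs
    are tested left to right and the line is abandoned at the first non-match. The
    username reaches the access log only if a proxy_auth ACL was actually evaluated.
    (Real Squid answers an unauthenticated request with a 407 challenge; here it is a deny.)"""
    logged = "-"
    for action, terms in rules:
        for term in terms:
            name = term.lstrip("!")
            if ACLS[name][0] == "proxy_auth":
                logged = req.get("user") or "-"
            if acl_matches(name, req) == term.startswith("!"):
                break
        else:
            return action, logged
    return "deny", logged

if __name__ == "__main__":
    connect = {"method": "CONNECT", "host": "mail.example.com", "port": 443, "user": "alice"}
    print(http_access(ORIGINAL, connect))   # ('allow', '-')
    print(http_access(REORDERED, connect))  # ('allow', 'alice')
```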
Received on Sun May 03 2009 - 06:10:11 MDT