Re: [squid-users] Recording username for secure connection

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 4 May 2009 13:48:22 +1200 (NZST)

>
>
>
> Amos Jeffries-2 wrote:
>>
>> Well, since you allow all those updates, and private domain accesses,
>> and CONNECT requests already before any authentication is asked for, you
>> won't get any auth details for most of those requests (sometimes you will
>> get them by chance).
>>
>> Here is a simplified set of http_access which do the same thing but add
>> auth requirements on CONNECT:
>>
>>
>> acl ms_activate dstdomain wustat.windows.com .windowsupdate.com
>> acl ms_activate dstdomain .microsoft.com
>>
>> http_access allow ms_activate
>> http_access allow educationsite_allow
>>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports !Messengers
>> http_access allow require_auth
>> http_access deny all
>>
>>
>> PS. If you did want the messengers to get through without auth details
>> being logged then add this back in just above the require_auth.
>> http_access allow CONNECT Messengers
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
>> Current Beta Squid 3.1.0.7
>>
>>
>
> Thanks Amos for helping clear things out - yea we had to allow those
> microsoft updates to go through without authentication because sometimes
> the updates fail because it doesn't work behind a firewall:(
>

I've done some experimenting with that for my own clients.
The results I came up with and the list of domains people have found that
it applies to (including the new ones you had) are detailed at:
  http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

> Just wondering, from Microsoft's knowledgebase
> http://support.microsoft.com/kb/921471, it lists a few URLs that need to
> go through without authentication, so for example, to let
> http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl
> through without authentication, without having to open the entire
> Microsoft site, would I have to use url_regex as
> acl ms_activate url_regex ^http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl
>

That would work, though I would split the domain and path for a faster
check on the more common non-match cases. The specific domains list
from the wiki is done the long way so as to catch these update domains and
deny stuff like MSDN.

acl ms dstdomain www.microsoft.com
acl mspaths urlpath_regex ^/pki/crl/products/MicrosoftProductSecureCommunications.crl

http_access allow ms mspaths

Amos
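A practical way to confirm that an http_access ordering exempts only the intended requests from authentication is to run candidate rules through a small simulator before touching the proxy. The Python below is an added example, not Squid's code and not part of this thread; it models a simplified subset of Squid's evaluation (ACLs on one http_access line are ANDed, lines are tried in order, the first fully matching line decides, and a proxy_auth ACL checked for a request that carries no credentials yields a 407 challenge). The config it evaluates is constructed from the rules discussed above; the ms_update, Safe_ports and SSL_ports definitions and all request hosts are assumptions chosen for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example: a simplified model of Squid's http_access evaluation,
# not Squid's own code. ACLs on one line are ANDed, lines are tried in order,
# the first fully matching line decides, and a proxy_auth ACL checked for a
# request that carries no credentials produces a 407 challenge.

SAMPLE_CONFIG = """
# constructed config based on the rules discussed in the thread
acl ms dstdomain www.microsoft.com
acl mspaths urlpath_regex ^/pki/crl/products/MicrosoftProductSecureCommunications\\.crl
acl ms_update dstdomain wustat.windows.com .windowsupdate.com
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl require_auth proxy_auth REQUIRED

http_access allow ms_update
http_access allow ms mspaths
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow require_auth
http_access deny all
"""


@dataclass
class Request:
    method: str
    host: str
    path: str = "/"
    port: int = 80
    user: Optional[str] = None   # None = request carried no proxy credentials


class AccessPolicy:
    def __init__(self, config_text: str):
        self.acls = {}    # name -> (acl type, list of values); repeated acl lines append
        self.rules = []   # (action, [(negated, acl name), ...]) in file order
        for raw in config_text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            words = line.split()
            if words[0] == "acl":
                name, acl_type, values = words[1], words[2], words[3:]
                entry = self.acls.setdefault(name, (acl_type, []))
                if entry[0] != acl_type:
                    raise ValueError(f"acl {name} redefined with a different type")
                entry[1].extend(values)
            elif words[0] == "http_access":
                terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
                self.rules.append((words[1], terms))
            else:
                raise ValueError(f"unsupported directive: {line}")

    def _matches(self, name: str, req: Request) -> bool:
        if name == "all":
            return True
        acl_type, values = self.acls[name]
        if acl_type == "dstdomain":
            # ".example.com" matches example.com and every subdomain;
            # a bare name matches only itself
            return any(req.host == v or (v.startswith(".") and
                       (req.host == v[1:] or req.host.endswith(v))) for v in values)
        if acl_type == "urlpath_regex":
            return any(re.search(v, req.path) for v in values)
        if acl_type == "url_regex":
            return any(re.search(v, f"http://{req.host}{req.path}") for v in values)
        if acl_type == "port":
            return str(req.port) in values
        if acl_type == "method":
            return req.method in values
        if acl_type == "proxy_auth":
            return req.user is not None
        raise ValueError(f"unsupported acl type: {acl_type}")

    def decide(self, req: Request) -> str:
        """Return 'allow', 'deny' or 'challenge' for one request."""
        for action, terms in self.rules:
            matched = True
            for negated, name in terms:
                if name != "all" and self.acls[name][0] == "proxy_auth" and req.user is None:
                    return "challenge"      # Squid would answer 407 here
                if self._matches(name, req) == negated:
                    matched = False
                    break
            if matched:
                return action
        # with no matching line Squid applies the opposite of the last action
        return "allow" if self.rules and self.rules[-1][0] == "deny" else "deny"


CRL_PATH = "/pki/crl/products/MicrosoftProductSecureCommunications.crl"


def check_policy(config_text: str = SAMPLE_CONFIG) -> dict:
    """Decide a handful of constructed requests; keys describe each request."""
    policy = AccessPolicy(config_text)
    return {
        "crl_no_auth": policy.decide(Request("GET", "www.microsoft.com", CRL_PATH)),
        "ms_root_no_auth": policy.decide(Request("GET", "www.microsoft.com", "/")),
        "msdn_no_auth": policy.decide(Request("GET", "msdn.microsoft.com", "/")),
        "msdn_auth": policy.decide(Request("GET", "msdn.microsoft.com", "/", user="alice")),
        "update_no_auth": policy.decide(Request("GET", "download.windowsupdate.com", "/x.cab")),
        "connect_443_no_auth": policy.decide(Request("CONNECT", "login.example.net", "", 443)),
        "connect_25": policy.decide(Request("CONNECT", "mail.example.net", "", 25, "alice")),
    }


if __name__ == "__main__":
    for label, verdict in check_policy().items():
        print(f"{label:22} {verdict}")
```

Running it shows the point of the domain/path split: only the CRL path on www.microsoft.com passes without credentials, every other www.microsoft.com or msdn.microsoft.com request is challenged, CONNECT to a non-SSL port is refused before any credentials are consulted, and CONNECT to 443 now requires auth because the allow line for it sits after require_auth.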
Received on Mon May 04 2009 - 01:48:35 MDT

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 12:00:01 MDT