Re: [squid-users] Strange problem with ACL and CONNECT method

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 01 Sep 2010 03:09:48 +1200

Dmitrijs Demidovs wrote:
> Hi list.
>
> I have a strange problem with ACLs and http_access rules.
> Our Squid is using winbind for NTLM auth. We need to achieve users' auth for https.
>
> Here is an example that makes problems for us:
> =============
> 1) http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP
> 2) http_access allow CONNECT Webusers_whitelist_domains Webusers
>
> 3) http_access allow localnetwork CONNECT SSL_ports
>
> 4) http_access allow CONNECT WebVIP
> 5) http_access allow CONNECT Webusers
> =============
>
> - WebVIP - users group from AD
> - Webusers - users group from AD
> - HTTPS_DOMAINS_BLACKLIST - black list for bad addresses
> - Webusers_whitelist_domains - white list for Webusers
>
>
> The first two lines work as expected - only users from WebVIP and Webusers can access
> https sites from the black/white lists. We can see their user IDs in squid's access.log.

They don't code those policy statements, though. To describe the first two
lines accurately remove the word "only" from your statement. Since for
users NOT in those two groups Squid will simply skip past those lines
and check the next one.

>
> If I put the last three lines (4-5) before 3 then I get 407 errors in access.log,
> and no one is able to use https anymore. So there is a problem! That is why we

Oh? I take it your localnetwork users don't have logins at all then?
That's all 407 means.

> need to use line Nr 3 - it just allows all CONNECT from our IP subnet without auth.
>
> I'm completely lost and frustrated. Why do the first two lines work and the last two not?

Are the WebVIP or Webusers blocked when trying to get to a site not
black/white-listed? That is the only possible "not working" that lines (4)
and (5) have.

Lines (1) and (2) will also request login details (407) from a
localnetwork user if they attempt to contact a black/white-listed site.

> Is there any hint?

Squid processes lines top-down. First to match wins. Your lines only say
allow. Never deny. So people who are not allowed to do one thing will be
tested for permission to do the next etc, etc.

The way I'd write those rules is this:

     # stop them nasty ones getting unlimited bypass from security.
  0) http_access deny CONNECT !SSL_ports

     # "only users from WebVIP ... can access blackwhite listed sites"
     # implies: nobody else is allowed to.
  1) http_access deny CONNECT HTTPS_DOMAINS_BLACKLIST !WebVIP
  2) http_access deny CONNECT Webusers_whitelist_domains !Webusers

    # local network users don't have any authentication credentials.
  3) http_access allow localnetwork CONNECT

    # people who can enter WebVIP and Webuser credentials have wide access.
  4) http_access allow CONNECT WebVIP
  5) http_access allow CONNECT Webusers

  5b) http_access deny CONNECT

>
> And maybe someone knows - are there any third-party tools to make squid.conf
> analysis for logical errors? The more I'm using Squid, the more I want to find some
> tool that will be able to catch logical errors according to squid's design.
> Any hint please?
>

There was one made a year or so ago. I forget how to find it though.
Maybe a post in the mailing list archives about a validator (NP: the one
I wrote way back is dead now).

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.7
   Beta testers wanted for 3.2.0.1
Received on Tue Aug 31 2010 - 15:09:57 MDT

This archive was generated by hypermail 2.2.0 : Wed Sep 01 2010 - 12:00:03 MDT
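The ordering points made in the reply above (lines are tested top-down, the first matching line wins, a rule set made only of allow lines falls through, and a localnetwork user with no credentials is challenged with 407 as soon as an auth ACL is reached) can be checked with a small model of http_access evaluation. The following is an added example written for this page in Python; it is not Squid's code and not from either poster. It assumes that WebVIP and Webusers are group ACLs that require credentials, that a request without credentials which reaches such an ACL gets a 407 challenge whether or not the ACL is negated, that the auth ACL is the last ACL on its line (true of both rule sets in the thread; other placements are not modelled), and that the hostnames, subnet prefix and port set are constructed sample data.

```python
"""Toy model of Squid's http_access evaluation (added example, not Squid code).

Modelled behaviour, as described in the reply: http_access lines are tested
top-down; the ACLs on one line are ANDed left-to-right and the first
non-match ends that line; the first line whose ACLs all match decides; if no
line matches, the default is the opposite of the last line's action.
Assumptions (not from the thread): WebVIP and Webusers are group ACLs that
need credentials; a request with no credentials that reaches one of them is
challenged (407), negated or not; hosts, subnet and ports are sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

AUTH_GROUP_ACLS = {"WebVIP", "Webusers"}           # assumed: need credentials
DOMAIN_ACLS = {                                    # constructed sample lists
    "HTTPS_DOMAINS_BLACKLIST": {"bad.example.com"},
    "Webusers_whitelist_domains": {"intranet.example.com"},
}
LOCALNET_PREFIX = "10.0.0."                        # assumed local subnet
SSL_PORTS = {443}


@dataclass(frozen=True)
class Request:
    method: str
    host: str
    port: int
    src_ip: str
    groups: Optional[FrozenSet[str]] = None        # None = no credentials sent


class NeedsAuth(Exception):
    """An auth ACL was reached by a request that carries no credentials."""


def acl_matches(name: str, req: Request) -> bool:
    if name == "CONNECT":
        return req.method == "CONNECT"
    if name == "SSL_ports":
        return req.port in SSL_PORTS
    if name == "localnetwork":
        return req.src_ip.startswith(LOCALNET_PREFIX)
    if name in DOMAIN_ACLS:
        return req.host in DOMAIN_ACLS[name]
    if name in AUTH_GROUP_ACLS:
        if req.groups is None:
            raise NeedsAuth(name)
        return name in req.groups
    raise ValueError(f"unknown ACL {name}")


def parse_http_access(conf: str) -> List[Tuple[str, List[str]]]:
    """Keep only http_access lines as (action, [acl tokens]); '#' starts a comment."""
    rules = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return rules


def http_access(conf: str, req: Request) -> str:
    """Return 'allow', 'deny' or '407' for req under the given squid.conf text."""
    rules = parse_http_access(conf)
    for action, acls in rules:
        try:
            # all() short-circuits, so ACLs after the first non-match on a
            # line are never evaluated, which is how Squid walks a line.
            if all(acl_matches(a.lstrip("!"), req) != a.startswith("!") for a in acls):
                return action
        except NeedsAuth:
            return "407"
    last_action = rules[-1][0]                     # default: opposite of last line
    return "deny" if last_action == "allow" else "allow"


ORIGINAL = """
http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP
http_access allow CONNECT Webusers_whitelist_domains Webusers
http_access allow localnetwork CONNECT SSL_ports
http_access allow CONNECT WebVIP
http_access allow CONNECT Webusers
"""

REORDERED = """
# the poster's variant with lines 4-5 moved above line 3
http_access allow CONNECT HTTPS_DOMAINS_BLACKLIST WebVIP
http_access allow CONNECT Webusers_whitelist_domains Webusers
http_access allow CONNECT WebVIP
http_access allow CONNECT Webusers
http_access allow localnetwork CONNECT SSL_ports
"""

REWRITE = """
http_access deny CONNECT !SSL_ports
http_access deny CONNECT HTTPS_DOMAINS_BLACKLIST !WebVIP
http_access deny CONNECT Webusers_whitelist_domains !Webusers
http_access allow localnetwork CONNECT
http_access allow CONNECT WebVIP
http_access allow CONNECT Webusers
http_access deny CONNECT
"""

# Constructed requests: a local client with no login, and remote users with groups.
LOCAL_NOAUTH_OTHER = Request("CONNECT", "other.example.com", 443, "10.0.0.5")
LOCAL_NOAUTH_BAD = Request("CONNECT", "bad.example.com", 443, "10.0.0.5")
LOCAL_NOAUTH_ODDPORT = Request("CONNECT", "other.example.com", 8443, "10.0.0.5")
REMOTE_WEBUSER_BAD = Request("CONNECT", "bad.example.com", 443, "192.0.2.9", frozenset({"Webusers"}))
REMOTE_VIP_OTHER = Request("CONNECT", "other.example.com", 443, "192.0.2.9", frozenset({"WebVIP"}))

if __name__ == "__main__":
    for label, conf in ("original", ORIGINAL), ("reordered", REORDERED), ("rewrite", REWRITE):
        for req in (LOCAL_NOAUTH_OTHER, LOCAL_NOAUTH_BAD, LOCAL_NOAUTH_ODDPORT,
                    REMOTE_WEBUSER_BAD, REMOTE_VIP_OTHER):
            print(f"{label:9} {req.host}:{req.port} from {req.src_ip} "
                  f"groups={req.groups}: {http_access(conf, req)}")
```

Running it shows the three behaviours the thread is about: under the original rule set a Webusers member reaches a blacklisted host (line 5 allows it, because line 1 only says who is allowed, not who is denied); with lines 4-5 moved above line 3, a local client with no login is challenged on line 3 before the localnetwork line is ever reached; and under the rewrite the blacklist is enforced by the deny lines, while a credential-less local client is still challenged on a blacklisted host, exactly the caveat the reply gives for lines (1) and (2).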