Re: [squid-users] Problem with transparent authentication and restricted pages

From: Gonzalo Morera <gmorera_at_novell.com>
Date: Mon, 31 Jan 2011 17:35:02 +0000

Thanks Chad

I'll follow these instructions

Gonzalo

>>> "Chad Naugle" <Chad.Naugle_at_travimp.com> 31-01-2011 >>>
You need to move all of your "deny" lines *before* your "allow" lines,
otherwise you will get the popup.

FYI, if you plan on using eDirectory 8.8 based IP->User, I wrote a
C-based program for that, which is bundled with Squid 3.2-BETA, instead
of using a perl script. You can probably just build 3.2.X without
installing it and copy the executable to /usr/sbin, and use that for the
blind auth.

>>> "Gonzalo Morera" <gmorera_at_novell.com> 1/31/2011 11:16 AM >>>
Hi all

After solving the squid_ldap_group issue, I'm still facing a little one
with users that are transparently authenticated through a Perl script
against eDirectory.

I've got this line:

external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
(IPUser method)

squid_edir_iplookup.pl is for users that have the Novell client
installed. Through this script, their network address is found and they
are authenticated without being prompted. This works fine as long as
they do not hit a forbidden page.
And here is my problem. When they hit a forbidden page, instead of
getting the 403 Forbidden, they are prompted for authentication. If they
then enter a username/password (they share passwords :-( ) with rights,
they can go to the page.
So my goal is that when these users hit a forbidden page, the forbidden
page comes up and not the auth page.

I cannot find out how to do so, or whether the order of the rules is wrong.

Here is my squid.conf. Let me know if anything else is needed:

===snip====

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# My rules
#acl redlocal src 192.168.0.0/255.255.255.0
#acl redsynergy proxy_auth REQUIRED
#acl redsynergy proxy_auth REQUIRED redlocal
#
# Hosts that are not required to authenticate
acl Auth_Not_Required src "/etc/squid/auth_not_required.txt"

# Domains accessible to all PC's
#acl Open_Domains dstdomain "/etc/squid/open_domains.txt"
acl Open_Domains url_regex -i "/etc/squid/open_domains.txt"

# Hosts & domains that are denied to restricted users
#acl Banned_Hosts dst "/etc/squid/banned_hosts.txt"
#acl Banned_Domains dstdomain "/etc/squid/banned_domains.txt"
acl Banned_URLs url_regex -i "/etc/squid/banned_urls.txt"
#acl Banned_Extensions url_regex "/etc/squid/banned_extensions.txt"

# Seamless automatic access based on IP address
# Access through the "IP User" external helper
acl Full_Access external IPUser internet_nr
acl Restricted_Access external IPUser internet_r

# Access to users prompted with username/password dialogue
# Full access
acl lab_Full external ldap_group internet_nr

# Restricted access
acl lab_Restricted external ldap_group internet_r

# TAG: http_access
#Allowing or Denying access based on defined access lists
#
#Access to the HTTP port:
#http_access allow|deny [!]aclname ...
#
#NOTE on default values:
#
#If there are no "access" lines present, the default is to deny
#the request.
#
#If none of the "access" lines cause a match, the default is the
#opposite of the last line in the list. If the last line was
#deny, the default is allow. Conversely, if the last line
#is allow, the default will be deny. For these reasons, it is a
#good idea to have an "deny all" or "allow all" entry at the end
#of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Domains free to all users without needing to authenticate.
http_access allow Open_Domains
# IP addresses of hosts that don't need to authenticate (usually automation
# hosts performing automated downloads and without a Novell client).
http_access allow Auth_Not_Required
# Let users with full Internet access discovered by the IPUser method go anywhere.
http_access allow Full_Access

# Let users with restricted Internet access discovered by the IPUser method go
# anywhere except for the ban list

http_access allow Restricted_Access !Banned_URLs

# If the IPUser method fails then we need to revert to username/password
# authentication
# Let users with full access who entered username/password go anywhere
http_access allow lab_Full
# Ban list again
#http_access deny Banned_Hosts
#http_access deny Banned_Domains
http_access deny Banned_URLs
#http_access deny Banned_Extensions
# Let users with restricted access who entered username/password go anywhere
# (that hasn't been already excluded in the ban list).
http_access allow lab_Restricted
#
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
#
# http_reply_access allow|deny [!] aclname ...
#
# NOTE: if there are no access lines present, the default is to allow
# all replies
#
# If none of the access lines cause a match the opposite of the
# last line will apply. Thus it is good practice to end the rules
# with an "allow all" or "deny all" entry.
#
#Default:
# http_reply_access allow all
#
#Recommended minimum configuration:
#
# Insert your own rules here.
#
#
# and finally allow by default
http_reply_access allow all

Thanks a lot

Gonzalo
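As an added illustration (not Squid code and not from either poster), a small Python model of Squid's first-match http_access evaluation, run over a trimmed copy of the posted rule order and over the order Chad recommends. The IPUser and ldap_group answers, the banned URL list and the sample requests are constructed stand-ins for the helpers and files in Gonzalo's squid.conf.

```python
# Added model of Squid's first-match http_access evaluation (constructed, not
# Squid code). Rules are (verb, acl, acl, ...); every ACL on a line must match.
# An ACL that needs the login name (lab_Full / lab_Restricted run ldap_group)
# returns None when the request has no credentials: Squid then sends a 407
# challenge on the spot, even though the rule it was evaluating is an 'allow'.
CHALLENGE, ALLOW, DENY = "407 challenge", "allow", "403 forbidden"

# Constructed stand-ins for the helpers and files in the posted squid.conf.
IP_USER = {"10.0.0.5": "internet_r", "10.0.0.9": "internet_nr"}  # IPUser helper
LDAP = {"internet_nr": {"alice"}, "internet_r": {"bob"}}         # ldap_group helper
BANNED = ("facebook.com",)                                       # banned_urls.txt

def login_acl(group):
    return lambda r: None if r["user"] is None else r["user"] in LDAP[group]

ACLS = {
    "all": lambda r: True,
    "Open_Domains": lambda r: "novell.com" in r["url"],
    "Banned_URLs": lambda r: any(b in r["url"] for b in BANNED),
    "Full_Access": lambda r: IP_USER.get(r["src"]) == "internet_nr",
    "Restricted_Access": lambda r: IP_USER.get(r["src"]) == "internet_r",
    "lab_Full": login_acl("internet_nr"),
    "lab_Restricted": login_acl("internet_r"),
}

def evaluate(rules, request, acls=ACLS):
    """Return the verdict of the first rule whose ACLs all match."""
    for verb, *terms in rules:
        for term in terms:
            negate = term.startswith("!")
            result = acls[term.lstrip("!")](request)
            if result is None:     # credentials needed: challenge, stop here
                return CHALLENGE
            if result == negate:   # this ACL (or its negation) did not match
                break
        else:                      # no break: every ACL on the line matched
            return ALLOW if verb == "allow" else DENY
    return DENY

# Posted order (manager/Safe_ports/CONNECT lines omitted; they never match here).
# A restricted host on a banned URL fails '!Banned_URLs', so evaluation reaches
# 'allow lab_Full', and that line is what raises the password prompt.
POSTED = [("allow", "Open_Domains"), ("allow", "Full_Access"),
          ("allow", "Restricted_Access", "!Banned_URLs"), ("allow", "lab_Full"),
          ("deny", "Banned_URLs"), ("allow", "lab_Restricted"), ("deny", "all")]
# Chad's fix: deny ahead of the allows. It now also applies to Full_Access hosts;
# 'deny Restricted_Access Banned_URLs' would keep the ban to restricted users.
REORDERED = [("deny", "Banned_URLs"), ("allow", "Open_Domains"),
             ("allow", "Full_Access"), ("allow", "Restricted_Access"),
             ("allow", "lab_Full"), ("allow", "lab_Restricted"), ("deny", "all")]
```

Calling evaluate(POSTED, req) for an unauthenticated restricted host on a banned URL yields the 407 challenge the post describes, while evaluate(REORDERED, req) yields the 403.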

Received on Mon Jan 31 2011 - 17:35:13 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 01 2011 - 12:00:04 MST