On 12/03/2021 7:13, Amos Jeffries wrote:
On 12/03/21 3:56 am, Ben Goz wrote:
On 11/03/2021 16:44, Amos Jeffries wrote:
On 12/03/21 3:37 am, Ben Goz wrote:
On 11/03/2021 15:50, Antony Stone wrote:
On Thursday 11 March 2021 at 14:41:11, Ben Goz wrote:
Tell about your network setup and what you are trying to achieve -
we might be
able to suggest solutions.
End users machine using some client application while their system
proxy points to the above squid proxy server.
Please also provide your squid.conf settings so we can check they
achieve your described need(s) properly. At least any lines starting
with the http_access, auth_param, acl, or external_acl_type
directives would be most useful.
Do not forget to anonymize sensitive details before posting. PLEASE
do so in a way that we can tell whether a hidden value was correct
for its usage, and whether any two hidden values are the same or
different.
It's fork of default configuration with some changes.
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
#http_access deny !Safe_ports
Please restore this security protection. It prevents malware abusing
HTTP's similarity to certain other protocols to perform attacks
*through* your proxy.
The default Safe_ports list allows all ports not known to be
dangerous, and all ports above 1024. So it should not have any
noticeable effect on to any legitimate HTTP proxy clients - unless
there is something really dodgy happening on your network. If you
actually want something like that happening, then add the appropriate
port for that activity to the Safe_ports list. Do not drop the
protection completely.
# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports
The same can be said about this. Except this line is arguably even
more important. CONNECT tunnels can literally contain anything. Let
clients do things by adding ports to SSL_Ports list as-needed.
Please do some due-diligence checks before that to verify you are okay
with all the uses of that port. Even ones you think the client
themselves is unlikely to be doing. Once you open a port here *anyone*
with access to the proxy can do whatever they like on that port.
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
auth_param basic program /usr/local/squid/libexec/basic_ncsa_auth
/usr/local/squid/etc/passwd
auth_param basic realm proxy
I notice you are missing a line setting the login TTL value.
There is currently a potential problem in the default which means
Squid encounters situations where the credentials are seen as still
going to be valid for hours so do not get refreshed. But garbage
collection decides to throw them away.
This may not be related to the complaints you reported getting. But
should be fixed to ensure the side effect of having to re-authenticate
users does not complicate your actual problem.
"auth_param basic credentialsttl ..." sets how often Squid will
re-check your auth system to confirm the users is still allowed.
Default: 2 hr.
"authenticate_ttl ..." sets how often Squid will try to throw away all
info about old clients being logged in. Default: 1 hr.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
I recommend a slightly different form of check for logins. It prevents
the situation where a user trying the wrong credentials gets a loop of
popups.
Like so:
http_access deny !authenticated
That guarantees they are not asked to login again if their software
agent (aka browser, or such) provided or can locate the proper
credentials.
After that you can add other rules about what the logged in users can
do. eg allow them to do whatever they want. Like so:
http_access allow all
Can I configure squid authentication TTL per only source IP and ignores
other parameters so authentication will be requested only once in TTL
for all the sessions?
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
