[squid-users] ACLs and localhost
4 users, 1 machine, with squid running and a GUI. I'm having problems getting the time-based ACLs sorted. To test it I've added a sat/sun ACL which should allow access between 08:00 and 10:00.

Config 1

hepworth emma # cat /etc/squid/squid.conf |grep ^acl
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl weekends time SA 08:00-10:00
acl beforeschool time MTWHF 07:30-09:00
acl afterschool time MTWHF 16:00-20:00
hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow emma weekends
http_access allow Safe_ports
http_access allow andrew
http_access deny localhost
http_access deny all

It asks me for a login (emma) and then gives access:

2008/03/23 16:05:44| aclCheckFast: list: 0x82a7748
2008/03/23 16:05:44| aclMatchAclList: checking all
2008/03/23 16:05:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/23 16:05:44| aclMatchIp: '127.0.0.1' found
2008/03/23 16:05:44| aclMatchAclList: returning 1
2008/03/23 16:05:44| aclCheck: checking 'http_access allow emma weekends'
2008/03/23 16:05:44| aclMatchAclList: checking emma
2008/03/23 16:05:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/23 16:05:44| aclMatchAcl: returning 0 sending authentication challenge.
2008/03/23 16:05:44| aclMatchAclList: no match, returning 0
2008/03/23 16:05:44| aclCheck: requiring Proxy Auth header.
2008/03/23 16:05:44| aclCheck: match found, returning 2
2008/03/23 16:05:44| aclCheckCallback: answer=2
2008/03/23 16:05:44| The request GET http://grolma.no-ip.org/ is DENIED, because it matched 'emma'
2008/03/23 16:05:44| The reply for GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'emma'
2008/03/23 16:05:49| aclCheckFast: list: 0x82a7748
2008/03/23 16:05:49| aclMatchAclList: checking all
2008/03/23 16:05:49| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/23 16:05:49| aclMatchIp: '127.0.0.1' found
2008/03/23 16:05:49| aclMatchAclList: returning 1
2008/03/23 16:05:50| aclCheck: checking 'http_access allow emma weekends'
2008/03/23 16:05:50| aclMatchAclList: checking emma
2008/03/23 16:05:50| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/23 16:05:50| aclMatchAcl: returning 0 sending credentials to helper.
2008/03/23 16:05:50| aclMatchAclList: no match, returning 0
2008/03/23 16:05:50| aclCheck: checking password via authenticator
2008/03/23 16:05:50| aclCheck: checking 'http_access allow emma weekends'
2008/03/23 16:05:50| aclMatchAclList: checking emma
2008/03/23 16:05:50| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/23 16:05:50| aclMatchUser: user is emma, case_insensitive is 0
2008/03/23 16:05:50| Top is (nil), Top->data is Unavailable
2008/03/23 16:05:50| aclMatchUser: user REQUIRED and auth-info present.
2008/03/23 16:05:50| aclMatchAclList: checking weekends
2008/03/23 16:05:50| aclMatchAcl: checking 'acl weekends time SA 08:00-10:00'
2008/03/23 16:05:50| aclMatchTime: checking 965 in 480-600, weekbits=41
2008/03/23 16:05:50| aclMatchAclList: no match, returning 0
2008/03/23 16:05:50| aclCheck: checking 'http_access allow Safe_ports'
2008/03/23 16:05:50| aclMatchAclList: checking Safe_ports
2008/03/23 16:05:50| aclMatchAcl: checking 'acl Safe_ports port 80 # http'
2008/03/23 16:05:50| aclMatchAclList: returning 1
2008/03/23 16:05:50| aclCheck: match found, returning 1
2008/03/23 16:05:50| aclCheckCallback: answer=1
2008/03/23 16:05:50| The request GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'Safe_ports'
2008/03/23 16:05:50| aclCheck: checking 'cache deny QUERY'
2008/03/23 16:05:50| aclMatchAclList: checking QUERY
2008/03/23 16:05:50| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/03/23 16:05:50| aclMatchRegex: checking '/'
2008/03/23 16:05:50| aclMatchRegex: looking for 'cgi-bin'
2008/03/23 16:05:50| aclMatchRegex: looking for '\?'
2008/03/23 16:05:50| aclMatchAclList: no match, returning 0
2008/03/23 16:05:50| aclCheck: NO match found, returning 1
2008/03/23 16:05:50| aclCheckCallback: answer=1
2008/03/23 16:05:50| clientProcessHit: HIT
2008/03/23 16:05:50| aclCheckFast: list: 0x82a7df8
2008/03/23 16:05:50| aclMatchAclList: checking all
2008/03/23 16:05:50| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/23 16:05:50| aclMatchIp: '127.0.0.1' found
2008/03/23 16:05:50| aclM
Re: [squid-users] ACLs and localhost
paul cooper wrote:
> 4 users, 1 machine, with squid running and a GUI. I'm having problems getting the time-based ACLs sorted. To test it I've added a sat/sun ACL which should allow access between 08:00 and 10:00.

Your time ACL appears to be working. It's your usage of http_access that's screwing things up. Check the lines saying "request ALLOWED because it matched".

> Config 1
>
> hepworth emma # cat /etc/squid/squid.conf |grep ^acl
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 22 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl andrew proxy_auth REQUIRED
> acl emma proxy_auth REQUIRED
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
> acl weekends time SA 08:00-10:00
> acl beforeschool time MTWHF 07:30-09:00
> acl afterschool time MTWHF 16:00-20:00
> hepworth emma # cat /etc/squid/squid.conf |grep ^http
> http_port 3128
> http_access allow emma weekends

- fails on first test sequence
- allow request on second sequence

> http_access allow Safe_ports

- allow request on first sequence
- never reached on second

> http_access allow andrew

- never reached

> http_access deny localhost

- never reached

> http_access deny all

- never reached.

> It asks me for a login (emma) and then gives access:
> 2008/03/23 16:05:44| The request GET http://grolma.no-ip.org/ is DENIED, because it matched 'emma'

... bounce for login.

> 2008/03/23 16:05:50| The request GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'Safe_ports'

... bingo!

> So I negate the time, and it still gives me access:
> hepworth emma # cat /etc/squid/squid.conf |grep ^http
> http_port 3128
> http_access allow emma !weekends
> http_access allow Safe_ports
> http_access allow andrew
> http_access deny localhost
> http_access deny all
> hepworth emma #
> 2008/03/23 16:10:41| The request GET http://grolma.no-ip.org/ is DENIED, because it matched 'emma'

... bounce for login again.

> 2008/03/23 16:10:47| The request GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'weekends'

... boing!

> So I try denying emma and it gives me access without asking for a username:
> hepworth emma # cat /etc/squid/squid.conf |grep ^http
> http_port 3128
> http_access allow Safe_ports

- accepts all port 80 requests.

> http_access allow andrew

- never reached

> http_access deny localhost

- never reached

> http_access deny emma

- never reached

> http_access deny all

- never reached

> hepworth emma #
> 2008/03/23 16:14:32| The request GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'Safe_ports'

.. bingo! on the first line.

> I think it's giving me access from localhost. I've commented out all the default localhost configs and added http_access deny localhost but it's not stopping it.
> How do I configure this?

Drop the global access to Safe_ports. And I do mean GLOBAL. You have an open-proxy on your hands.

It's best to use:

http_access deny !Safe_ports

to only use Safe_ports for blocking unsafe port usage.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] ACLs and localhost
There is something in all this I really am not understanding. Sorry to be so stupid.

AIUI now, it looks at the ACLs and processes them until it finds one that matches, and then it stops matching them and allows access. It will only deny a page when it has processed all the ACLs and NOT found a match.

If I have only 1 authenticated user (emma) then the time-based ACL ('testing') denies access as it should. When I add another user access (http_access allow andrew) the browser authentication box comes up, I put in 'emma' and it gives me access. I'm restarting squid and clearing the browser cache between all these attempts.

hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing time MTWHF 07:30-08:00
hepworth emma # grep ^http /etc/squid/squid.conf
http_port 3128
http_access allow emma testing
http_access deny localhost
http_access deny all
hepworth emma #

2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
2008/03/24 09:52:44| aclMatchAclList: checking all
2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:52:44| aclMatchAclList: checking emma
2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:52:44| aclMatchUser: user is emma, case_insensitive is 0
2008/03/24 09:52:44| Top is (nil), Top->data is Unavailable
2008/03/24 09:52:44| aclMatchUser: user REQUIRED and auth-info present.
2008/03/24 09:52:44| aclMatchAclList: checking testing
2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing time MTWHF 07:30-08:00'
2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e
2008/03/24 09:52:44| aclMatchAclList: no match, returning 0
2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'
2008/03/24 09:52:44| aclMatchAclList: checking localhost
2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: match found, returning 0
2008/03/24 09:52:44| aclCheckCallback: answer=0
2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/ is DENIED, because it matched 'localhost'
2008/03/24 09:52:44| The reply for GET http://grolma.no-ip.org/ is ALLOWED, because it matched 'localhost'
2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
2008/03/24 09:52:44| aclMatchAclList: checking all
2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:52:44| aclMatchAclList: checking emma
2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:52:44| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
2008/03/24 09:52:44| aclMatchAclList: checking testing
2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing time MTWHF 07:30-08:00'
2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e
2008/03/24 09:52:44| aclMatchAclList: no match, returning 0
2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'
2008/03/24 09:52:44| aclMatchAclList: checking localhost
2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: match found, returning 0
2008/03/24 09:52:44| aclCheckCallback: answer=0
2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/favicon.ico is DENIED, because it matched 'localhost'
2008/03/24 09:52:44| The reply for GET http://grolma.no-ip.org/favicon.ico is ALLOWED, because it matched 'localhost'

hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe_ports'
hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow emma testing
http_access allow andrew
http_access deny localhost
http_access deny all
hepworth emma #

2008/03/24 09:56:04| aclCheckFast: list: 0x82ab640
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:56:04| aclMatchAclList: checking emma
2008/03/24 09:56:04| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:56:04| aclMatchUser: us
Re: [squid-users] ACLs and localhost
paul cooper wrote:
> There is something in all this I really am not understanding. Sorry to be so stupid.
> AIUI now, it looks at the ACLs and processes them until it finds one that matches, and then it stops matching them and allows access. It will only deny a page when it has processed all the ACLs and NOT found a match.

There are two slightly different things involved here: ACL and ACCESS.

Squid checks all ACCESS lines _in the order configured_. The first that matches is used, end of story #1.

In order to process any single ACCESS line squid must check the ACL listed in it. It only matches if all the ACL _on that line_ are matched. The behaviour you are thinking of applies just to the ACL within a single ACCESS line.

So to take an example from your config:

http_access allow emma weekends
- will ONLY accept if emma is true AND weekends is true
- will never deny anything
- won't match if emma is false OR weekends is false

http_access allow Safe_ports
- will ONLY accept if (line above it doesn't match) AND Safe_ports is true
- will never deny anything.
- won't match if Safe_ports is false.

So we end up with three actions from each ACCESS line: ALLOW, DENY, TRY-NEXT-LINE.

> If I have only 1 authenticated user (emma) then the time-based ACL
> ('testing') denies access as it should.
> When I add another user access (http_access allow andrew) the browser
> authentication box comes up, I put in 'emma' and it gives me access.
> I'm restarting squid and clearing the browser cache between all these
> attempts.

The deny/accept is happening in places you are not expecting them to occur. Your ACL are working, ACCESS are not.

> hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe'
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl andrew proxy_auth REQUIRED
> acl emma proxy_auth REQUIRED
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
> acl testing time MTWHF 07:30-08:00
> hepworth emma # grep ^http /etc/squid/squid.conf
> http_port 3128
> http_access allow emma testing
> http_access deny localhost
> http_access deny all
> hepworth emma #
>
> 2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
> 2008/03/24 09:52:44| aclMatchAclList: checking all
> 2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
> 2008/03/24 09:52:44| aclMatchAclList: returning 1
> 2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
> 2008/03/24 09:52:44| aclMatchAclList: checking emma
> 2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
> 2008/03/24 09:52:44| aclMatchUser: user is emma, case_insensitive is 0
> 2008/03/24 09:52:44| Top is (nil), Top->data is Unavailable
> 2008/03/24 09:52:44| aclMatchUser: user REQUIRED and auth-info present.

... username OK.

> 2008/03/24 09:52:44| aclMatchAclList: checking testing
> 2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing time MTWHF 07:30-08:00'
> 2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e

... NOT within the (testing) time configured.

> 2008/03/24 09:52:44| aclMatchAclList: no match, returning 0

(http_access allow emma testing) failed to match.
... moving on to try the next one

> 2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'
> 2008/03/24 09:52:44| aclMatchAclList: checking localhost
> 2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
> 2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found

.. you are on localhost. ACL matches.

> 2008/03/24 09:52:44| aclMatchAclList: returning 1

... do whatever the http_access is supposed to do with it...

> 2008/03/24 09:52:44| aclCheck: match found, returning 0

... which is a DENY ...

> 2008/03/24 09:52:44| aclCheckCallback: answer=0
> 2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/ is DENIED, because it matched 'localhost'

... send the denial message.

> hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe_ports'
> hepworth emma # cat /etc/squid/squid.conf |grep ^http
> http_port 3128
> http_access allow emma testing
> http_access allow andrew
> http_access deny localhost
> http_access deny all
> hepworth emma #

Translated from config to English:

(emma when logged in) only on (weekends) CAN get through.
(andrew) CAN get through at any time.
(others) using (machine localhost) NOT allowed
(others) NOT allowed

> 2008/03/24 09:56:04| aclCheckFast: list: 0x82ab640
> 2008/03/24 09:56:04| aclMatchAclList: checking all
> 2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
> 2008/03/24 09:56:04| aclMatchAclList: returning 1
> 2008/03/24 09:56:04| aclCheck: checking 'http_access allow emma testing'
> 2008/03/24 09:56:04| aclMatchAclList: checking emma
> 2008/03/24 09:56:04| aclMatch
Re: [squid-users] ACLs and localhost
So is what I want to do actually possible?

unixlogin emma logged into VT7
unixlogin andrew -> VT8

web page request from either -> squid requests login
if it's emma & !testing -> access denied
if it's emma & testing -> access allowed

switch to VT8 (andrew's desktop)
web page request -> squid requests login
if it's andrew -> access allowed
if it's emma && !testing (eg kids messing around) -> access denied

hepworth squid # grep ^auth_param /etc/squid/squid.conf
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/htpasswd
hepworth squid # grep ^acl /etc/squid/squid.conf | grep -v '#'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing time MTWHF 07:30-08:00
hepworth squid # grep ^http /etc/squid/squid.conf | grep -v '#'
http_port 3128
http_access allow emma testing
http_access allow andrew
http_access deny all
hepworth squid #

008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: checking 'http_access allow emma testing'
2008/03/25 15:04:03| aclMatchAclList: checking emma
2008/03/25 15:04:03| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/25 15:04:03| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
2008/03/25 15:04:03| aclMatchAclList: checking testing
2008/03/25 15:04:03| aclMatchAcl: checking 'acl testing time MTWHF 07:30-08:00'
2008/03/25 15:04:03| aclMatchTime: checking 904 in 450-480, weekbits=3e
2008/03/25 15:04:03| aclMatchAclList: no match, returning 0
2008/03/25 15:04:03| aclCheck: checking 'http_access allow andrew '
2008/03/25 15:04:03| aclMatchAclList: checking andrew
2008/03/25 15:04:03| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
2008/03/25 15:04:03| aclCacheMatchAcl: cache hit on acl '0x82a7d38'

but I haven't AFAIK logged in, in this browser session, as andrew (the browser cache is flushed when it's closed), so is this login stored in the cache somewhere? I need to flush the cache when I change user?

2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: match found, returning 1
2008/03/25 15:04:03| aclCheckCallback: answer=1
2008/03/25 15:04:03| The request GET http://grolma.no-ip.org/favicon.ico is ALLOWED, because it matched 'andrew'
2008/03/25 15:04:03| aclCheck: checking 'cache deny QUERY'
2008/03/25 15:04:03| aclMatchAclList: checking QUERY
2008/03/25 15:04:03| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
2008/03/25 15:04:03| aclMatchRegex: checking '/favicon.ico'
2008/03/25 15:04:03| aclMatchRegex: looking for 'cgi-bin'
2008/03/25 15:04:03| aclMatchRegex: looking for '\?'
2008/03/25 15:04:03| aclMatchAclList: no match, returning 0
2008/03/25 15:04:03| aclCheck: NO match found, returning 1
2008/03/25 15:04:03| aclCheckCallback: answer=1
2008/03/25 15:04:03| aclCheckFast: list: 0x8481608
2008/03/25 15:04:03| aclMatchAclList: checking all
2008/03/25 15:04:03| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: checking 'http_reply_access allow all'
2008/03/25 15:04:03| aclMatchAclList: checking all
2008/03/25 15:04:03| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: match found, returning 1
2008/03/25 15:04:03| aclCheckCallback: answer=1
2008/03/25 15:04:03| The reply for GET http://grolma.no-ip.org/favicon.ico is ALLOWED, because it matched 'all'
Re: [squid-users] ACLs and localhost
Hi,

On Tue, Mar 25, paul cooper wrote:
> so is this login stored in the cache somewhere ?
> I need to flush the cache when I change user ?

squid caches the authentication results, I think the default is 2h.
Please have a look for the keywords in your default squid.conf: "max_user_ip" and "credentialsttl"

--
Regards
Dieter

--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.
Re: [squid-users] ACLs and localhost
paul cooper wrote:
> So is what I want to do actually possible?

If I understand your intentions correctly yes it is:

http_access deny !Safe_ports
http_access emma weekends
http_access andrew
http_access deny

non-safe port access denied
emma only logging in on weekends, not accepted otherwise.
andrew logging in anytime.
nobody else allowed.

> unixlogin emma logged into VT7
> unixlogin andrew -> VT8
>
> web page request from either -> squid requests login
> if it's emma & !testing -> access denied
> if it's emma & testing -> access allowed
>
> switch to VT8 (andrew's desktop)
> web page request -> squid requests login
> if it's andrew -> access allowed
> if it's emma && !testing (eg kids messing around) -> access denied
>
> hepworth squid # grep ^auth_param /etc/squid/squid.conf
> auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/htpasswd
> hepworth squid # grep ^acl /etc/squid/squid.conf | grep -v '#'
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl andrew proxy_auth REQUIRED
> acl emma proxy_auth REQUIRED
> acl QUERY urlpath_regex cgi-bin \?
> acl apache rep_header Server ^Apache
> acl testing time MTWHF 07:30-08:00
> hepworth squid # grep ^http /etc/squid/squid.conf | grep -v '#'
> http_port 3128
> http_access allow emma testing
> http_access allow andrew
> http_access deny all
> hepworth squid #
>
> 008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
> 2008/03/25 15:04:03| aclMatchAclList: returning 1
> 2008/03/25 15:04:03| aclCheck: checking 'http_access allow emma testing'
> 2008/03/25 15:04:03| aclMatchAclList: checking emma
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
> 2008/03/25 15:04:03| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
> 2008/03/25 15:04:03| aclMatchAclList: checking testing
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl testing time MTWHF 07:30-08:00'
> 2008/03/25 15:04:03| aclMatchTime: checking 904 in 450-480, weekbits=3e
> 2008/03/25 15:04:03| aclMatchAclList: no match, returning 0
> 2008/03/25 15:04:03| aclCheck: checking 'http_access allow andrew '
> 2008/03/25 15:04:03| aclMatchAclList: checking andrew
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
> 2008/03/25 15:04:03| aclCacheMatchAcl: cache hit on acl '0x82a7d38'
>
> but I haven't AFAIK logged in, in this browser session, as andrew (the browser cache is flushed when it's closed), so is this login stored in the cache somewhere? I need to flush the cache when I change user?
>
> 2008/03/25 15:04:03| aclMatchAclList: returning 1
> 2008/03/25 15:04:03| aclCheck: match found, returning 1
> 2008/03/25 15:04:03| aclCheckCallback: answer=1
> 2008/03/25 15:04:03| The request GET http://grolma.no-ip.org/favicon.ico is ALLOWED, because it matched 'andrew'
> 2008/03/25 15:04:03| aclCheck: checking 'cache deny QUERY'
> 2008/03/25 15:04:03| aclMatchAclList: checking QUERY
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl QUERY urlpath_regex cgi-bin \?'
> 2008/03/25 15:04:03| aclMatchRegex: checking '/favicon.ico'
> 2008/03/25 15:04:03| aclMatchRegex: looking for 'cgi-bin'
> 2008/03/25 15:04:03| aclMatchRegex: looking for '\?'
> 2008/03/25 15:04:03| aclMatchAclList: no match, returning 0
> 2008/03/25 15:04:03| aclCheck: NO match found, returning 1
> 2008/03/25 15:04:03| aclCheckCallback: answer=1
> 2008/03/25 15:04:03| aclCheckFast: list: 0x8481608
> 2008/03/25 15:04:03| aclMatchAclList: checking all
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
> 2008/03/25 15:04:03| aclMatchAclList: returning 1
> 2008/03/25 15:04:03| aclCheck: checking 'http_reply_access allow all'
> 2008/03/25 15:04:03| aclMatchAclList: checking all
> 2008/03/25 15:04:03| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
> 2008/03/25 15:04:03| aclMatchAclList: returning 1
> 2008/03/25 15:04:03| aclCheck: match found, returning 1
> 2008/03/25 15:04:03| aclCheckCallback: answer=1
> 2008/03/25 15:04:03| The reply for GET http://grolma.no-ip.org/favicon.ico is ALLOWED, because it matched 'all'

--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Re: [squid-users] ACLs and localhost
On Tue, 2008-03-25 at 15:07 +, paul cooper wrote:
> So is what I want to do actually possible?
>
> unixlogin emma logged into VT7
> unixlogin andrew -> VT8
>
> web page request from either -> squid requests login

For trusted stations you can make use of the ident service to tell Squid which user originated the connection. Otherwise you need to use authentication, where the user logs in to use the proxy, often asked separately from their system login.

> acl andrew proxy_auth REQUIRED
> acl emma proxy_auth REQUIRED

The above two acls are equivalent and match any authenticated user. I suspect you meant

acl andrew proxy_auth andrew
acl emma proxy_auth emma

> but I haven't AFAIK logged in, in this browser session, as andrew (the
> browser cache is flushed when it's closed)

REQUIRED means any user, so it matches no matter what login+password you use in the browser.

> so is this login stored in the cache somewhere?

Not outside the browser.

> I need to flush the cache when I change user?

No.

Regards
Henrik
Re: [squid-users] ACLs and localhost
This is my config:

hepworth squid # grep ^acl /etc/squid/squid.conf
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth
acl emma proxy_auth
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing time MTWHF 07:30-08:00
hepworth squid # grep ^http_access /etc/squid/squid.conf
http_access deny !Safe_ports
http_access allow emma testing
http_access allow andrew localhost
http_access deny all
hepworth squid #

and logging in as andrew denies a page with this:

2008/03/31 20:56:37| Starting Squid Cache version 2.6.STABLE17 for i686-pc-linux-gnu...
2008/03/31 20:56:37| Process ID 8806
2008/03/31 20:56:37| With 1024 file descriptors available
2008/03/31 20:56:37| Using epoll for the IO loop
2008/03/31 20:56:37| DNS Socket created at 0.0.0.0, port 32780, FD 6
2008/03/31 20:56:37| Adding domain home.nw from /etc/resolv.conf
2008/03/31 20:56:37| Adding nameserver 192.168.0.254 from /etc/resolv.conf
2008/03/31 20:56:37| helperOpenServers: Starting 5 'ncsa_auth' processes
2008/03/31 20:56:38| User-Agent logging is disabled.
2008/03/31 20:56:38| Referer logging is disabled.
2008/03/31 20:56:38| Unlinkd pipe opened on FD 17
2008/03/31 20:56:38| Swap maxSize 102400 KB, estimated 7876 objects
2008/03/31 20:56:38| Target number of buckets: 393
2008/03/31 20:56:38| Using 8192 Store buckets
2008/03/31 20:56:38| Max Mem size: 8192 KB
2008/03/31 20:56:38| Max Swap size: 102400 KB
2008/03/31 20:56:38| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2008/03/31 20:56:38| Rebuilding storage in /var/cache/squid (CLEAN)
2008/03/31 20:56:38| Using Least Load store dir selection
2008/03/31 20:56:38| Set Current Directory to /var/cache/squid
2008/03/31 20:56:38| Loaded Icons.
2008/03/31 20:56:38| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 19.
2008/03/31 20:56:38| Accepting ICP messages at 0.0.0.0, port 3130, FD 20.
2008/03/31 20:56:38| HTCP Disabled.
2008/03/31 20:56:38| WCCP Disabled.
2008/03/31 20:56:38| Ready to serve requests.
2008/03/31 20:56:38| Done reading /var/cache/squid swaplog (2219 entries)
2008/03/31 20:56:38| Finished rebuilding storage from disk.
2008/03/31 20:56:38| 2219 Entries scanned
2008/03/31 20:56:38| 0 Invalid entries.
2008/03/31 20:56:38| 0 With invalid flags.
2008/03/31 20:56:38| 2219 Objects loaded.
2008/03/31 20:56:38| 0 Objects expired.
2008/03/31 20:56:38| 0 Objects cancelled.
2008/03/31 20:56:38| 0 Duplicate URLs purged.
2008/03/31 20:56:38| 0 Swapfile clashes avoided.
2008/03/31 20:56:38| Took 0.3 seconds (6503.0 objects/sec).
2008/03/31 20:56:38| Beginning Validation Procedure
2008/03/31 20:56:38| Completed Validation Procedure
2008/03/31 20:56:38| Validated 2219 Entries
2008/03/31 20:56:38| store_swap_size = 18264k
2008/03/31 20:56:39| storeLateRelease: released 0 objects
2008/03/31 20:56:44| aclCheckFast: list: 0x82ab588
2008/03/31 20:56:44| aclMatchAclList: checking all
2008/03/31 20:56:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/31 20:56:44| aclMatchIp: '127.0.0.1' found
2008/03/31 20:56:44| aclMatchAclList: returning 1
2008/03/31 20:56:44| aclCheck: checking 'http_access deny !Safe_ports'
2008/03/31 20:56:44| aclMatchAclList: checking !Safe_ports
2008/03/31 20:56:44| aclMatchAcl: checking 'acl Safe_ports port 80 # http'
2008/03/31 20:56:44| aclMatchAclList: no match, returning 0
2008/03/31 20:56:44| aclCheck: checking 'http_access allow emma testing'
2008/03/31 20:56:44| aclMatchAclList: checking emma
2008/03/31 20:56:44| aclMatchAcl: checking 'acl emma proxy_auth '
2008/03/31 20:56:44| aclMatchAcl: returning 0 sending credentials to helper.
2008/03/31 20:56:44| aclMatchAclList: no match, returning 0
2008/03/31 20:56:44| aclCheck: checking password via authenticator
2008/03/31 20:56:45| aclCheck: checking 'http_access allow emma testing'
2008/03/31 20:56:45| aclMatchAclList: checking emma
2008/03/31 20:56:45| aclMatchAcl: checking 'acl emma proxy_auth '
2008/03/31 20:56:45| aclMatchUser: user is andrew, case_insensitive is 0
2008/03/31 20:56:45| Top is (nil), Top->data is Unavailable
2008/03/31 20:56:45| aclMatchUser: returning 0,Top is (nil), Top->data is Unavailable
2008/03/31 20:56:45| aclMatchAclList: no match, returning 0
2008/03/31 20:56:45| aclCheck: checking 'http_access allow andrew '
2008/03/31 20:56:45| aclMatchAclList: checking andrew
2008/03/31 20:56:45| aclMatchAcl: checking 'acl andrew proxy_auth '
2008/03/31 20:56:45| aclMatchUser: user is andrew, case_insensitive is 0
2008/03/31 20:56:45| Top is (nil), Top->data is Unavailable
2008/03/31 20:56:45| aclMatchUser: returning 0,Top is (nil), Top->data is Unavailable
2008/03/31 20:56:45| aclMatchAclList: no match, returning 0
2008/03/31 20:56:45| aclCheck: checking 'http_access deny all'
2008/03/31 20:56:45| aclMatchAclList: checking all
2008/03/31 20:5
Re: [squid-users] ACLs and localhost
Mon 2008-03-31 at 22:13 +0100, paul cooper wrote:
> This is my config:
> hepworth squid # grep ^acl /etc/squid/squid.conf
> acl all src 0.0.0.0/0.0.0.0
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
>
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl andrew proxy_auth
> acl emma proxy_auth

the above should be

acl andrew proxy_auth andrew
acl emma proxy_auth emma

the first is the internal name of the acl, the second the username(s) to match..

Regards
Henrik