Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Ser de Bronce
Dear Amos and Yuri, thanks a lot for your answers.

Sorry for the mess, I'm novice here.
As it turned out my proxy is not transparent...

By "some reasons" I meant clients' experience reasons, let me explain.

I use explicit proxy and my clients connect to proxy using iPhone only.
I installed self-signed certificate on every iPhone and made login/pass
authentication.
It works perfect for wi-fi connection, because in this case iPhone gives a
possibility to specify proxy domain, port, login and password.
However to make them connect to proxy using mobile internet I had to
install APN profile on each iPhone. Inside APN profile I can specify domain
and port, but not login and pass (APN doesn't have such settings). So when
client opens browser using mobile internet he is asked for login/pass every
time. This situation is not appropriate for me so I can't use login/pass.

I'm thinking that maybe it's possible to replace login/pass authentication
with certificate authentication.
I want to authenticate users using a digital certificate they already have
on their iPhone.

I found some articles about certificate authentication for reverse proxy,
but can't find anything about explicit one.
Is it possible?

Best Regards,
Sergey
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Yuri Voinov


05.05.16 19:06, Ser de Bronce wrote:
> Dear Amos and Yuri, thanks a lot for your answers.
>
> Sorry for the mess, I'm novice here.
> As it turned out my proxy is not transparent...
>
> By "some reasons" I meant clients' experience reasons, let me explain.
>
> I use explicit proxy and my clients connect to proxy using iPhone only.
> I installed self-signed certificate on every iPhone and made
login/pass authentication.
> It works perfect for wi-fi connection, because in this case iPhone
gives a possibility to specify proxy domain, port, login and password.
> However to make them connect to proxy using mobile internet I had to
install APN profile on each iPhone. Inside APN profile I can specify
domain and port, but not login and pass (APN doesn't have such
settings). So when client opens browser using mobile internet he is
asked for login/pass every time. This situation is not appropriate for
me so I can't use login/pass.
But this is the default behaviour for proxy with auth.

I still do not understand the purpose for which authentication is required?
>
> I'm thinking that maybe it's possible to replace login/pass
authentication with certificate authentication.
> I want to authenticate users using a digital certificate they already
have on their iPhone.
>
> I found some articles about certificate authentication for reverse
proxy, but can't find anything about explicit one.

A reverse proxy is a different thing from a forwarding/transparent proxy.

AFAIK there is no solution for what you asked.

But you can be first.

I see this:

1. You can write an external auth helper, with Perl/Python/etc., for
authentication.
2. You can set up DHCP with option 252 to push proxy.pac to your clients.
3. You can tell us about success ;)


> Is it possible?
In theory, everything is possible, which does not contradict the laws of
physics. :)
>
> Best Regards,
> Sergey
>



Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Amos Jeffries
On 6/05/2016 1:06 a.m., Ser de Bronce wrote:
> Dear Amos and Yuri, thanks a lot for your answers.
> 
> Sorry for the mess, I'm novice here.
> As it turned out my proxy is not transparent...
> 
> By "some reasons" I meant clients' experience reasons, let me explain.
> 
> I use explicit proxy and my clients connect to proxy using iPhone only.
> I installed self-signed certificate on every iPhone and made login/pass
> authentication.
> It works perfect for wi-fi connection, because in this case iPhone gives a
> possibility to specify proxy domain, port, login and password.
> However to make them connect to proxy using mobile internet I had to
> install APN profile on each iPhone. Inside APN profile I can specify domain
> and port, but not login and pass (APN doesn't have such settings). So when
> client opens browser using mobile internet he is asked for login/pass every
> time. This situation is not appropriate for me so I can't use login/pass.
> 
> I'm thinking that maybe it's possible to replace login/pass authentication
> with certificate authentication.
> I want to authenticate users using a digital certificate they already have
> on their iPhone.
> 
> I found some articles about certificate authentication for reverse proxy,
> but can't find anything about explicit one.
> Is it possible?

Squid can listen on an https_port for connections. The TLS settings to
challenge for client cert are the same for explicit proxy as you would
find for reverse-proxy.

What you will also find however is that browsers do not do TLS to
proxies, or if they do not without jumping through some other hoops
which are browser dependent.

IIRC;
* Chrome requires that it is started with certain command line options,
AND that a PAC file is used with https:// URI for the proxy detail.

* Firefox requires that PAC files are used with https:// URI for the
proxy detail AND limits the protocol spoken to those proxies to HTTP/2.

* Safari and IE - seem not to support TLS proxy at all yet AFAIK.

Amos



Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Yuri Voinov


05.05.16 19:19, Amos Jeffries wrote:
> On 6/05/2016 1:06 a.m., Ser de Bronce wrote:
>> Dear Amos and Yuri, thanks a lot for your answers.
>>
>> Sorry for the mess, I'm novice here.
>> As it turned out my proxy is not transparent...
>>
>> By "some reasons" I meant clients' experience reasons, let me explain.
>>
>> I use explicit proxy and my clients connect to proxy using iPhone only.
>> I installed self-signed certificate on every iPhone and made login/pass
>> authentication.
>> It works perfect for wi-fi connection, because in this case iPhone
gives a
>> possibility to specify proxy domain, port, login and password.
>> However to make them connect to proxy using mobile internet I had to
>> install APN profile on each iPhone. Inside APN profile I can specify
domain
>> and port, but not login and pass (APN doesn't have such settings). So
when
>> client opens browser using mobile internet he is asked for login/pass
every
>> time. This situation is not appropriate for me so I can't use login/pass.
>>
>> I'm thinking that maybe it's possible to replace login/pass
authentication
>> with certificate authentication.
>> I want to authenticate users using a digital certificate they already
have
>> on their iPhone.
>>
>> I found some articles about certificate authentication for reverse proxy,
>> but can't find anything about explicit one.
>> Is it possible?
>
> Squid can listen on an https_port for connections. The TLS settings to
> challenge for client cert are the same for explicit proxy as you would
> find for reverse-proxy.
>
> What you will also find however is that browsers do not do TLS to
> proxies, or if they do not without jumping through some other hoops
> which are browser dependent.
>
> IIRC;
> * Chrome requires that it is started with certain command line options,
> AND that a PAC file is used with https:// URI for the proxy detail.
>
> * Firefox requires that PAC files are used with https:// URI for the
> proxy detail AND limits the protocol spoken to those proxies to HTTP/2.
In my personal opinion, that is the crazy idea of pushing HTTPS everywhere,
where it is necessary and where it is not. If all you have is a hammer,
everything looks like a nail.
>
>
> * Safari and IE - seem not to support TLS proxy at all yet AFAIK.
>
> Amos
>



Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Ser de Bronce
Yuri,

> But this is the default behaviour for proxy with auth

I didn't know that.
Initially I tested on iPhone using wi-fi connection and as I said earlier
there are wi-fi proxy settings on iPhone so user should type them only once
and then each browser and app works without asking login/pass.

> I still do not understand the purpose for which authentication is
required?

This proxy will be available from anywhere, but I need to prevent usage of
this proxy by anyone, except my clients. This is the main purpose.
I had a plan to give login and password to each client, but as I said
earlier this is not possible because of user experience reasons.
Also I can't rely on MAC, IP or other indirect attributes.

So I try to find other ways to check if user who is connecting to proxy is
my client or not.
Right now I see only two ways here:
1) authentication by proxy server using certificates
2) authentication by some other server which accept certificates and then
redirecting connections to proxy.

As I said I'm novice and didn't use proxy earlier. Maybe you know better
solution.

Best regards,
Sergey


Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Yuri Voinov


05.05.16 22:07, Ser de Bronce wrote:
> Yuri,
>
> > But this is the default behaviour for proxy with auth
>
> I didn't know that.
> Initially I tested on iPhone using wi-fi connection and as I said
earlier there are wi-fi proxy settings on iPhone so user should type
them only once and then each browser and app works without asking
login/pass.
>
> > I still do not understand the purpose for which authentication is
required?
>
> This proxy will be available from anywhere, but I need to prevent
usage of this proxy by anyone, except my clients. This is the main purpose.
> I had a plan to give login and password to each client, but as I said
earlier this is not possible because of user experience reasons.
> Also I can't rely on MAC, IP or other indirect attributes.
Now I understand. I see no better solution than an external auth helper.
The only thing: there is no ready-to-use one in Squid now. It contains
only a template.

>
> So I try to find other ways to check if user who is connecting to
proxy is my client or not.
> Right now I see only two ways here:
> 1) authentication by proxy server using certificates
> 2) authentication by some other server which accept certificates and
then redirecting connections to proxy.
Yep, something like OpenLDAP, OpenVPN or combination.
>
> As I said I'm novice and didn't use proxy earlier. Maybe you know
better solution.
Hm. Consider this:
http://wiki.squid-cache.org/ConfigExamples#Captive_Portal_features
>
> Best regards,
> Sergey

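As an added illustration of the external auth helper Yuri suggests (this is not Squid's own helper template and not code from the thread), here is a minimal Python external ACL helper that admits a client by the subject and issuer of the TLS client certificate Squid hands it after the https_port handshake Amos describes. It assumes Squid calls it through external_acl_type with the %ssl::>cert_subject and %ssl::>cert_issuer format codes and quote=url, and that Squid renders DNs in OpenSSL's one-line /C=../O=../CN=.. form; the issuer and organisation values are constructed placeholders.

```python
"""Squid external ACL helper: accept a client by TLS client-certificate DN.

Protocol of external_acl_type with concurrency=N: Squid writes one line per
lookup, "<channel-id> <field> <field>", and expects "<channel-id> OK
[key=value ...]" or "<channel-id> ERR" back. Assumed squid.conf line:
  external_acl_type cert_auth concurrency=10 %ssl::>cert_subject \
      %ssl::>cert_issuer /usr/local/bin/cert_helper.py
"""
import sys
from urllib.parse import unquote

# Constructed allow-list values (placeholders, not from the thread).
TRUSTED_ISSUER = "/C=XX/O=Example Proxy CA/CN=Example Client CA"
REQUIRED_ORG = "Example Proxy Clients"


def parse_dn(dn):
    """Split an OpenSSL one-line DN such as '/C=XX/O=Org/CN=alice' into a dict.
    Squid passes '-' when the client presented no certificate; that yields {}."""
    attrs = {}
    for rdn in dn.split("/"):
        key, sep, value = rdn.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def decide(subject, issuer):
    """Return (accepted, username): the cert must come from the trusted issuer
    and carry the required O= plus a non-empty CN=, which becomes the user."""
    if issuer != TRUSTED_ISSUER:
        return False, None
    attrs = parse_dn(subject)
    if attrs.get("O") != REQUIRED_ORG or not attrs.get("CN"):
        return False, None
    return True, attrs["CN"]


def handle_line(line):
    """Turn one request line from Squid into the reply line
    (quote=url assumed, so each field is URL-decoded before use)."""
    fields = line.rstrip("\n").split(" ")
    if len(fields) < 3:
        return fields[0] + " BH message=malformed_request"  # BH: could not answer
    channel, subject, issuer = fields[0], unquote(fields[1]), unquote(fields[2])
    accepted, user = decide(subject, issuer)
    return f"{channel} OK user={user}" if accepted else f"{channel} ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

A connection without a client certificate arrives as "-" in both fields and is answered with ERR, so the helper fails closed.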


Re: [squid-users] Filtering HTTPS URLs

2016-05-05 Thread Victor Hugo
Hi,

I have now tested this with squid 4.0.9 and can confirm that I encounter
the same problem and get the same results.

Victor

On Fri, Feb 12, 2016 at 1:18 PM, Amos Jeffries wrote:

> On 12/02/2016 11:37 a.m., Victor Hugo wrote:
> > Hi Panda,
> >
> > Thanks for the suggestion.
> >
> > I'm assuming from Panda and Amos's responses that what I'm trying to
> > achieve should actually be possible?
>
> Yes. Once the request message has been bumped there is no difference to
> Squid between it and a regular plain-text message with https:// URL.
>
> So... its probably somethign related to the bump. But why that says
> DENIED then has a followup is weird.
>
> Amos
>


Re: [squid-users] Is there a way to allow connection according to user certificate?

2016-05-05 Thread Amos Jeffries
On 6/05/2016 4:07 a.m., Ser de Bronce wrote:
> Yuri,
> 
>> But this is the default behaviour for proxy with auth
> 
> I didn't know that.
> Initially I tested on iPhone using wi-fi connection and as I said earlier
> there are wi-fi proxy settings on iPhone so user should type them only once
> and then each browser and app works without asking login/pass.

Well, Yuri is only half-right there. It is and it isn't.

The browser initial request may or not have credentials (secure clients
do not send any up front, insecure clients do). If it doesn't the proxy
responds with a 407 requesting them.

The browser then is expected to find some. How is left up to the browser
- but the expectation is that it will try the APN assigned credentials
and/or its own credentials store *before* bothering the user with a popup.



> 
>> I still do not understand the purpose for which authentication is
> required?
> 
> This proxy will be available from anywhere, but I need to prevent usage of
> this proxy by anyone, except my clients. This is the main purpose.
> I had a plan to give login and password to each client, but as I said
> earlier this is not possible because of user experience reasons.


That is a device/browser bug. The above described sequence should be
happening, but apparently isn't. Since it is the browser part of the
auth which is falling down there is very little Squid can do.
The few things Squid can do require all this happening over a LAN
environment and do not work across WAN / Internet connections.

Sounds like you are stuck between a rock and a hard place. I'm a bit
puzzled about how you expect APN settings to be pushed to devices
connected via another service provider across the Internet.


> Also I can't rely on MAC, IP or other indirect attributes.
> 
> So I try to find other ways to check if user who is connecting to proxy is
> my client or not.
> Right now I see only two ways here:
> 1) authentication by proxy server using certificates
> 2) authentication by some other server which accept certificates and then
> redirecting connections to proxy.
> 
> As I said I'm novice and didn't use proxy earlier. Maybe you know better
> solution.

No, those are your choices.

Amos



Re: [squid-users] Filtering HTTPS URLs

2016-05-05 Thread Victor Hugo
Here's a strange one for you though, if I change:
acl whitelist-regex url_regex -i reddit.com/r/news

to:
acl whitelist-regex url_regex -i reddit\.com\/r\/news www\.reddit\.com\:443

it works every 2nd time but the match is too greedy and allows
www.reddit.com/r/anything every 2nd time.

Victor


On Thu, Feb 11, 2016 at 10:05 AM, Victor Hugo wrote:

> Hi,
>
> I was wondering if it is possible to filter HTTPS URLs using squid (for
> example to blacklist reddit.com but allow https://www.reddit.com/r/news/)?
>
> I thought this may be possible using ssl_bump and url_regex. I have been
> trying this using squid 3.5.13 but with no success.
>
> Here is the squid configuration that I have tried but doesn't seem to work
> (it works for http sites though):
>
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7   # RFC 4193 local private network range
> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
>
> acl whitelist-regex url_regex -i reddit.com/r/news
> http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> acl bump_sites ssl::server_name .reddit.com
> ssl_bump bump bump_sites
> ssl_bump splice !bump_sites
> http_access allow whitelist-regex
> http_access allow localhost
> http_access deny all
> coredump_dir /opt/squid-3.5.13/var/spool/squid3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> pinger_enable off
>
> Relevant access.log output (IP addresses redacted to x.x.x.x):
> 1455145755.589  0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
> 1455145755.669  0 x.x.x.x TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
> 1455145755.782  0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
>
> I don't want to whitelist the dstdomain .reddit.com
> (i.e whitelist-ssldomain dstdomain .reddit.com) as that would allow
> access to all of the other subreddits.
>
> Appreciate any help or suggestions you have. Thanks.
>
> Victor
>
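To see why Victor's two url_regex variants behave so differently, here is an added Python check (not from the thread and not Squid code) that applies each ACL's pattern list to the two strings Squid evaluates it on: the host:port of the CONNECT, as in the posted access.log, and the full https:// URL of the bumped request that Amos says is then treated like any plain request. Python's re stands in for Squid's POSIX regex, the /r/anything request is constructed, and the code models only which string each pattern can match, not http_access ordering or the 403.

```python
"""Which request strings do the thread's url_regex ACLs match?

A CONNECT carries only "host:port"; the bumped request inside the tunnel
carries the full https:// URL, so one url_regex ACL is tested twice against
two different strings for every HTTPS page load.
"""
import re
from urllib.parse import urlparse

# The two ACL value lists from the thread ("acl whitelist-regex url_regex -i ...").
FIRST_ACL = [r"reddit.com/r/news"]
SECOND_ACL = [r"reddit\.com\/r\/news", r"www\.reddit\.com\:443"]

# Request strings from the posted access.log, plus one constructed request
# to a subreddit the whitelist is meant to keep out.
REQUESTS = [
    ("CONNECT", "www.reddit.com:443"),
    ("GET", "https://www.reddit.com/r/news"),
    ("GET", "https://www.reddit.com/r/anything"),  # constructed
]


def url_regex_matches(patterns, url):
    """url_regex semantics: the ACL matches when any listed pattern is found
    anywhere in the request URL; -i makes the match case-insensitive."""
    return any(re.search(p, url, re.IGNORECASE) for p in patterns)


def evaluate(patterns):
    """Map each (method, url) in REQUESTS to whether the ACL matches it."""
    return {(m, u): url_regex_matches(patterns, u) for m, u in REQUESTS}


def connect_string(https_url):
    """The host:port Squid sees in the CONNECT that precedes a bumped request
    for https_url (443 unless the URL names a port)."""
    parsed = urlparse(https_url)
    return f"{parsed.hostname}:{parsed.port or 443}"


def tunnel_then_request(patterns, https_url):
    """(CONNECT admitted?, bumped request admitted?) for one https URL.
    Every path on a host shares the same CONNECT string, so a pattern written
    to admit the tunnel admits it for every path on that host."""
    return (url_regex_matches(patterns, connect_string(https_url)),
            url_regex_matches(patterns, https_url))


if __name__ == "__main__":
    for name, acl in (("first", FIRST_ACL), ("second", SECOND_ACL)):
        for _, url in REQUESTS[1:]:
            print(name, url, tunnel_then_request(acl, url))
```

With the first ACL the CONNECT never matches, so the tunnel is refused before any path can be inspected; with the second, the host:port alternative admits the tunnel for /r/anything just as readily as for /r/news, which is the loss of precision Victor observed.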