Re: [squid-users] How to perform regex only after Squid knows the full url with SslBump

2020-03-23 Thread Alex Rousskov
On 3/23/20 11:20 AM, laviier wrote:

> I did think of allowing the domain name first during CONNECT phase, and
> then the full URL after connection established. However, other paths
> under the same site won't be blocked.

What will (or will not be) blocked is for you to decide.


> i.e. I can ask Squid to let example.com pass
> through during CONNECT, and then let example.com/abc/login
> pass through after connection established. 

Yes, you can.


> However, this will let other paths of example.com
> pass Squid too (such as example.com/not_to_pass

Only if your http_access rules allow them. Your rules can include
request methods and bump stages, among other things.


> because it passes the ACL check during CONNECT phase.

You can make that first example.com check be specific to the "CONNECT
phase". That specific rule does not have to match after the connection
was bumped -- you control that. Squid ACLs are very flexible. Do not
think about one ACL (with several regexes). Think of a combination of
different ACLs. Think of multiple http_access lines. Think of any-of and
all-of ACLs. For example:

  acl ...
  ...
  acl allowedAtTcpLevel ...
  acl allowedAtSniLevel ...
  acl allowedPlainAndBumpedTraffic ...

  http_access allow step1 allowedAtTcpLevel
  http_access deny step1
  http_access allow step2 allowedAtSniLevel
  http_access deny step2
  http_access allow allowedPlainAndBumpedTraffic
  http_access deny all

There are many ways to express what you want. The above is just one
excessively generic sketch. Your best solution will be different. I am
just illustrating the concept.


HTH,

Alex.


> On Sun, Mar 22, 2020 at 11:19 AM Alex Rousskov wrote:
> 
> On 3/20/20 5:48 PM, laviier wrote:
> > Hi,
> >
> > I have a use case that I want to access a certain URL path of a
> domain but
> > not other. i.e. I want client to be able to access
> example.com/abc/login ,
> > but not other paths.
> >
> > Hence, I created ACL rule to achieve that, see below:
> >
> > ```
> > acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
> > acl http port 80
> > acl https port 443
> > acl connect method CONNECT
> >
> > http_access allow all to_domain_whitelist
> > http_access deny all
> >
> > http_reply_access allow all
> >
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > acl step3 at_step SslBump3
> >
> > ssl_bump peek step3
> > ssl_bump bump all
> > ```
> >
> > However the above code does not work properly, the URL regex matching
> > happens before Squid performs decryption so that it can only match
> against
> > the host name instead of full URL path. I wonder if there's a way
> to perform
> > the URL regex only after Squid knows the full url with SslBump?
> Below is a
> > briefing of the log. Thank you so much
> > ```
> > -
> > CONNECT example.com:443  HTTP/1.1
> > Host: example.com:443 
> > User-Agent: curl/7.54.0
> > Proxy-Connection: Keep-Alive
> > X-Forwarded-For: xx.xxx.xx.xx
> > --
> > ...
> > 2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked:
> > to_domain_whitelist = 0
> > 2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745)
> > clientAccessCheckDone: The request CONNECT example.com:443
>  is DENIED; last
> > ACL checked: all
> > ...
> 
> If you want to make allow/deny decision based on individual request
> URLs, your http_access rules must allow the CONNECT request. Once Squid
> establishes (and bumps) the CONNECT tunnel, it will start processing
> individual requests and apply http_access rules to each of them.
> 
> To allow a CONNECT request, do not use regular URL syntax because
> CONNECT requests use a different URI syntax. Sorry, I do not know
> whether a url_regex ACL can be used for CONNECT URIs, but you can use
> other ACLs if/as needed, of course.
> 
> 
> HTH,
> 
> Alex.
> 
> 
> > -
> > GET /abc/login HTTP/1.1
> > Host: example.com 
> > User-Agent: curl/7.54.0
> > Accept: */*
> > --
> > 
> > ```

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid - Kerberos - update keytab issue

2020-03-23 Thread L . P . H . van Belle
Hai, 
 
Use winbind and never have this problem again.
 
* Installing winbind only is sufficient; the below works from squid 3.2 up to 4.10.
 
An example of a minimal smb.conf for it. 
 
[global]
    # Auth-Only setup with winbind. ( no Shares )
 
    workgroup = NTDOM
    security = ADS
    realm = YOUR.REALM.TLD
    netbios name = PROXY1
 
    preferred master = no
    domain master = no
    host msdfs = no
    dns proxy = yes
    interfaces = IP_OR_INTERFACENAME 127.0.0.1
    bind interfaces only = yes
 
    ### OBLIGATED PART begin 
    ## map ids outside the domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-
 
    ## map ids from the domain; this range and the (*) range may not overlap!
    idmap config NTDOM: backend = rid
    idmap config NTDOM: range = 10-399
 
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes
 
    ### OBLIGATED PART end
 
    # Disable usershare creation (removes an unneeded error from the logs)
    usershare path =
 
    # Disable printing completely (also removes an unneeded error from the logs)
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
 
-- --- 
 
and join the Windows domain:
kinit administrator
net ads join -k
 
Allow the server in the AD to delegate Kerberos for Squid (or all services); that's up to you.
After that's done, then
 
Create Squid keytab: 
export KRB5_KTNAME=FILE:/etc/squid/HTTP-$(hostname -s).keytab
net ads keytab ADD HTTP/$(hostname -f)  
Verify it: klist -ke /etc/squid/HTTP-$(hostname -s).keytab
unset KRB5_KTNAME
 
# set rights.
chgrp proxy /etc/squid/HTTP-$(hostname -s).keytab
chmod g+r /etc/squid/HTTP-$(hostname -s).keytab
 
 
! Optional krb5.conf (most of the time the default should be sufficient).
 
[libdefaults]
    default_realm = YOUR.REALM.TLD

## below here is optional.
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true

    ;https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262
    ignore_k5login = true

and the squid auth part. 
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -k /etc/squid/krb5-squid-HTTP-proxy1.keytab \
    -s HTTP/proxy1.your.dnsdomain@your.realm.tld \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Good luck. 
 
Greetz, 
 
Louis
 
 


From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of 
Sébastien Genesta
Sent: Monday, 23 March 2020 16:01
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Squid - Kerberos - update keytab issue




Hi,

I'm encountering an issue using Kerberos authentication. Indeed, every 30 days, 
my kerberos authentication breaks.
(currently, to bypass this issue, I regenerate keytab file).

Here is the command that I run every 6h to keep my keytab up to date.

/usr/sbin/msktutil --auto-update --verbose --computer-name KRB-PROX -k 
/etc/squid/squid.keytab

Below is the log I get on every run (when everything is OK):

samedi 21 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the computer 
password structure -- generate_new_password: Generating a new, random password 
for the computer account -- generate_new_password: Characters read from 
/dev/urandom = 88 -- get_dc_host: Attempting to find Domain Controller to use 
via DNS SRV record in domain XX.LOCAL for procotol tcp -- get_dc_host: 
Found DC: x.x.local -- get_dc_host: Canonicalizing DC through 
forward/reverse lookup... -- get_dc_host: Found Domain Controller: 
.xx.local -- create_fake_krb5_conf: Created a fake krb5.conf 
file: /tmp/.msktkrb5.conf-ze3JWq -- reload: Reloading Kerberos Context -- 
finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ: 
Trying to authenticate for KRB-PROX$ from local keytab... -- 
switch_default_ccache: Using the local credential cache: 
FILE:/tmp/.mskt_krb5_ccache-t1AykD -- finalize_exec: Authenticated using method 
1 -- LDAPConnection: Connecting to LDAP server: xx.x.local 
-- ldap_get_base_dn: Determining default LDAP base: dc=x,dc=LOCAL 
-- get_default_ou: Determining default OU: 
CN=Computers,DC=xxx,DC=local -- ldap_get_pwdLastSet: pwdLastSet is 
132267790228776214 -- execute: Password last set 28 days ago. -- execute: 
Exiting because password was changed recently. -- ~KRB5Context: Destroying 
Kerberos Context

Below are the logs from when things went bad:

lundi 23 mars 2020, 00:00:01 (UTC+0100) -- init_password: Wiping the computer 
password structure -- generate_new_password: Generating a new, random password 
for the computer account -- generate_new_password: Characters read from 
/dev/urandom = 93 -- get_dc_host: Attempting to find Domain Controller to use 
via DNS SRV record in doma

Re: [squid-users] How to perform regex only after Squid knows the full url with SslBump

2020-03-23 Thread laviier
Thank you for the suggestion!

I did think of allowing the domain name first during CONNECT phase, and
then the full URL after connection established. However, other paths under
the same site won't be blocked.

i.e. I can ask Squid to let example.com pass through during CONNECT, and
then let example.com/abc/login pass through after connection established.
However, this will let other paths of example.com pass Squid too (such as
example.com/not_to_pass) because it passes the ACL check during CONNECT
phase.



On Sun, Mar 22, 2020 at 11:19 AM Alex Rousskov <
rouss...@measurement-factory.com> wrote:

> On 3/20/20 5:48 PM, laviier wrote:
> > Hi,
> >
> > I have a use case that I want to access a certain URL path of a domain
> but
> > not other. i.e. I want client to be able to access example.com/abc/login
> ,
> > but not other paths.
> >
> > Hence, I created ACL rule to achieve that, see below:
> >
> > ```
> > acl to_domain_whitelist url_regex "/squid-config/whitelist/allow.acl"
> > acl http port 80
> > acl https port 443
> > acl connect method CONNECT
> >
> > http_access allow all to_domain_whitelist
> > http_access deny all
> >
> > http_reply_access allow all
> >
> > acl step1 at_step SslBump1
> > acl step2 at_step SslBump2
> > acl step3 at_step SslBump3
> >
> > ssl_bump peek step3
> > ssl_bump bump all
> > ```
> >
> > However the above code does not work properly, the URL regex matching
> > happens before Squid performs decryption so that it can only match
> against
> > the host name instead of full URL path. I wonder if there's a way to
> perform
> > the URL regex only after Squid knows the full url with SslBump? Below is
> a
> > briefing of the log. Thank you so much
> > ```
> > -
> > CONNECT example.com:443 HTTP/1.1
> > Host: example.com:443
> > User-Agent: curl/7.54.0
> > Proxy-Connection: Keep-Alive
> > X-Forwarded-For: xx.xxx.xx.xx
> > --
> > ...
> > 2020/03/20 14:51:43.067| 28,3| Acl.cc(158) matches: checked:
> > to_domain_whitelist = 0
> > 2020/03/20 14:51:43.071| 85,2| client_side_request.cc(745)
> > clientAccessCheckDone: The request CONNECT example.com:443 is DENIED;
> last
> > ACL checked: all
> > ...
>
> If you want to make allow/deny decision based on individual request
> URLs, your http_access rules must allow the CONNECT request. Once Squid
> establishes (and bumps) the CONNECT tunnel, it will start processing
> individual requests and apply http_access rules to each of them.
>
> To allow a CONNECT request, do not use regular URL syntax because
> CONNECT requests use a different URI syntax. Sorry, I do not know
> whether a url_regex ACL can be used for CONNECT URIs, but you can use
> other ACLs if/as needed, of course.
>
>
> HTH,
>
> Alex.
>
>
> > -
> > GET /abc/login HTTP/1.1
> > Host: example.com
> > User-Agent: curl/7.54.0
> > Accept: */*
> > --
> > 
> > ```
> >
> >
> >


[squid-users] Squid - Kerberos - update keytab issue

2020-03-23 Thread Sébastien Genesta
Hi,

I'm encountering an issue using Kerberos authentication. Indeed, every 30
days, my kerberos authentication breaks.
(currently, to bypass this issue, I regenerate keytab file).

Here is the command that I run every 6h to keep my keytab up to date.

/usr/sbin/msktutil --auto-update --verbose --computer-name KRB-PROX -k
/etc/squid/squid.keytab

Below is the log I get on every run (when everything is OK):

samedi 21 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the
computer password structure -- generate_new_password: Generating a new,
random password for the computer account -- generate_new_password:
Characters read from /dev/urandom = 88 -- get_dc_host: Attempting to find
Domain Controller to use via DNS SRV record in domain XX.LOCAL for
procotol tcp -- get_dc_host: Found DC: x.x.local --
get_dc_host: Canonicalizing DC through forward/reverse lookup... --
get_dc_host: Found Domain Controller: .xx.local --
create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-ze3JWq -- reload: Reloading Kerberos Context --
finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ:
Trying to authenticate for KRB-PROX$ from local keytab... --
switch_default_ccache: Using the local credential cache:
FILE:/tmp/.mskt_krb5_ccache-t1AykD -- finalize_exec: Authenticated using
method 1 -- LDAPConnection: Connecting to LDAP server:
xx.x.local -- ldap_get_base_dn: Determining default
LDAP base: dc=x,dc=LOCAL -- get_default_ou: Determining default
OU: CN=Computers,DC=xxx,DC=local -- ldap_get_pwdLastSet:
pwdLastSet is 132267790228776214 -- execute: Password last set 28 days ago.
-- execute: Exiting because password was changed recently. -- ~KRB5Context:
Destroying Kerberos Context

Below are the logs from when things went bad:

lundi 23 mars 2020, 00:00:01 (UTC+0100) -- init_password: Wiping the
computer password structure -- generate_new_password: Generating a new,
random password for the computer account -- generate_new_password:
Characters read from /dev/urandom = 93 -- get_dc_host: Attempting to find
Domain Controller to use via DNS SRV record in domain XX.LOCAL for
procotol tcp -- get_dc_host: Found DC: .xxx.local --
get_dc_host: Canonicalizing DC through forward/reverse lookup... --
get_dc_host: Found Domain Controller: .xxx.local --
create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-UYDFiO -- reload: Reloading Kerberos Context --
finalize_exec: SAM Account Name is: KRB-PROX$ -- try_machine_keytab_princ:
Trying to authenticate for KRB-PROX$ from local keytab... --
switch_default_ccache: Using the local credential cache:
FILE:/tmp/.mskt_krb5_ccache-p6KtWW -- finalize_exec: Authenticated using
method 1 -- LDAPConnection: Connecting to LDAP server:
..local -- ldap_get_base_dn: Determining default
LDAP base: dc=xx,dc=LOCAL -- get_default_ou: Determining
default OU: CN=Computers,DC=xxx,DC=local --
ldap_get_pwdLastSet: pwdLastSet is 132267790228776214 -- execute: Password
last set 30 days ago. -- ldap_check_account: Checking that a computer
account for KRB-PROX$ exists -- ldap_check_account: Checking computer
account - found -- ldap_check_account: Found userAccountControl = 0x1000 --
ldap_check_account: Found supportedEncryptionTypes = 28 --
ldap_check_account: Found dNSHostName = .xxx.local --
ldap_check_account: Found Principal: HTTP/xx.xxx.local --
ldap_check_account: Found User Principal:
HTTP/proxy.x.local -- ldap_check_account_strings:
Inspecting (and updating) computer account attributes --
ldap_set_supportedEncryptionTypes: No need to change
msDs-supportedEncryptionTypes they are 28 --
ldap_set_userAccountControl_flag: Setting userAccountControl bit at
0x20 to 0x0 -- ldap_set_userAccountControl_flag: userAccountControl not
changed 0x1000 -- ldap_get_kvno: KVNO is 1 -- set_password: Attempting to
reset computer's password -- set_password: Try using keytab for KRB-PROX$
to change password -- ldap_get_pwdLastSet: pwdLastSet is 132267790228776214
-- set_password: krb5_change_password failed using keytab: (3)
Authentication error -- ~KRB5Context: Destroying Kerberos Context

lundi 23 mars 2020, 06:00:01 (UTC+0100) -- init_password: Wiping the
computer password structure -- generate_new_password: Generating a new,
random password for the computer account -- generate_new_password:
Characters read from /dev/urandom = 90 -- get_dc_host: Attempting to find
Domain Controller to use via DNS SRV record in domain x.LOCAL for
procotol tcp -- get_dc_host: Found DC: x.x.local --
get_dc_host: Canonicalizing DC through forward/reverse lookup... --
get_dc_host: Found Domain Controller: xx.xxx.local --
create_fake_krb5_conf: Created a fake krb5.conf file:
/tmp/.msktkrb5.conf-9XY0Qp -- reload: Reloading Kerberos Context --
finalize_exec: SAM A

[squid-users] Squid vs Signal Messenger or Hangouts

2020-03-23 Thread Bob le pirate

Hello,

On my computer, I installed the Squid proxy for my children's Android 
smartphones.
Everything works well, except that the video call does not work for 
HANGOUTS and that the push notification does not work for SIGNAL and 
HANGOUTS (they must start the application to see the messages)


Does anyone use Squid with these applications, how can I fix my problem?

Here is my squid.conf :

acl localnet src 192.168.x.x/24 # RFC 1918 local private network (LAN)
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl SSL_ports port 4433 8443 # Signal Messenger
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_reply_access allow localnet
http_reply_access allow localhost
acl ident_aware_hosts src 198.168.x.x/24
ident_lookup_access allow ident_aware_hosts
ident_lookup_access deny all
http_access deny all
http_reply_access deny all
http_port 3128
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy

Thank you for your help.

Regards.

Bob.
