[squid-users] ACL matches when it shouldn't
> None of the file entries are anchored regex. So any one of them could match.

>> Can anyone please let me know if there's a match, or how to enable debugging
>> to see which record in this ACL is actually triggering the denial?
>
> To do that we will need to see the complete and exact URL which is being
> blocked incorrectly.

One of them is https://www.google.com/.

> NP: a large number of that file's entries can be far more efficiently blocked
> using the dstdomain ACL type. For example:
>
> acl blacklist dstdomain .appspot.com

Agreed. However, this file is generated by an external process I don't control (SOC). It's like a "threat feed" I need to load in Squid. The easiest way for me would be to tell Squid that it's just a list of exact URLs, not a list of regexps. I understand that's not possible.

This list comes with entries such as:

https://domain.org/?something={whatever}&other=(this)

So, if I don't want Squid to complain, I process it a little before serving it to it and the above line becomes:

https://domain.org/\?something=\{whatever}&other=\(this)

You mention anchoring them... So now I adjusted the processing and the above becomes:

^https://domain.org/\?something=\{whatever}&other=\(this)$

I'm still getting the same denial when a client tries to access https://www.google.com/. This is what I can see in cache.log:

client_side_request.cc(751) clientAccessCheckDone: The request GET https://www.google.com/ is DENIED; last ACL checked: bad_dst_urls

I'm also seeing other denials such as:

client_side_request.cc(751) clientAccessCheckDone: The request GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt is DENIED; last ACL checked: bad_dst_urls

If I grep http://www.microsoft.com/pki/certs in the ACL file I get no results at all. That's why I'm puzzled.

So here's the new anchored regex file in case you have the chance to test it and reproduce the issue:

https://drive.google.com/file/d/1ZUP9eRAqLzMG162xHfYRV9vx_47kWuXs/view?usp=sharing

Squid doesn't complain about syntax errors so I'm assuming the ACL is as expected.

Thanks,

Vieri

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] measuring latency of squid in different scenarios
Hi Rafal, if you wish, I have a manual written in SPANISH for building a VM with Debian 10.5 running SQUID compiled from source, with Kerberos and LDAP authentication, plus AD group authorizations. I haven't had time to translate it into English yet. Let me know if it works for you and I'll share it with you.

Best regards,
Gabriel

On Mon., 28 Sep. 2020 10:19, Rafał Stanilewicz wrote:

> Hello,
>
> I'm planning the deployment of web proxy in my environment. It's not very
> big, around 80 typical windows 10 workstations, active directory, plus some
> DMZ servers. For now, there is very basic L7 inspection on the edge
> firewall.
>
> I plan to use two separate squid instances, one for explicit proxy
> traffic, forced by AD GPO settings, and second for traffic still being sent
> directly to the Internet (as several applications we use tend to ignore the
> system proxy settings). The first instance will use (hopefully) AD
> authentication, while the second will use only srcIP-based rules. I will be
> grateful for any comments, what should I focus on, or some quirks - I've
> never deployed squid from scratch.
>
> But my main point of writing is:
>
> I'd like to get some numbers about squid-introduced latency of getting
> some particular web resource. Is there any benchmarking program I could
> use? I'd like to see what is the current latency of getting the resource
> without any proxying, then of getting the same resource with explicit proxy
> settings, then of implicit (intercepting) proxy option, as well as for
> different options of caching.
>
> How should I start? Is there any software I can use to measure that,
> besides analysis of HAR files?
>
> So far, I used squid only in home environment, and without a need for
> granular measurement.
>
> Best regards,
>
> Rafal Stanilewicz
Re: [squid-users] How to deal with proxy authentication bypass
Thank you Amos as always. My current configuration has not changed much, it is as follows:

    visible_hostname s-px4.mydomain.local
    http_port 3128
    error_directory /opt/squid-503/share/errors/es-ar
    forwarded_for transparent
    shutdown_lifetime 0 seconds
    quick_abort_min 0 KB
    quick_abort_max 0 KB
    quick_abort_pct 100
    read_timeout 5 minutes
    request_timeout 3 minutes
    cache_mem 1024 MB
    maximum_object_size_in_memory 4 MB
    memory_cache_mode always
    ipcache_size 2048
    fqdncache_size 4096
    cache_mgr support@mydomain.local
    httpd_suppress_version_string on
    coredump_dir /opt/squid-503/var/cache/squid

    auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME
    auth_param negotiate children 300 startup=150 idle=10
    auth_param negotiate keep_alive on
    auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=local" -D "cn=ldap,cn=Users,dc=mydomain,dc=local" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.local
    auth_param basic children 30
    auth_param basic realm Proxy Authentication
    auth_param basic credentialsttl 4 hour

    external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D MYDOMAIN.LOCAL
    acl NO_INTERNET external NO_INTERNET_USERS

    acl SSL_ports port 443
    acl SSL_ports port 8543 # LiveU Central
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 # https
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl Safe_ports port 81 # coto "yo te conozco" donkey ports
    acl Safe_ports port 623 # coto "yo te conozco" donkey ports
    acl Safe_ports port 8543 # LiveU Central management
    acl Safe_ports port 18255 # LiveU Central files download
    acl Safe_ports port 33080 # ddjj
    acl Safe_ports port 9090 # asociart
    acl Safe_ports port 8713 # handball results
    acl Safe_ports port 8080 # cponline.org.ar

    # Lists of domains and IPs
    acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"
    acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"
    acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"
    acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"
    acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"
    acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"
    acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"

    # Access lists
    acl http proto http
    acl port_80 port 80
    acl port_443 port 443
    acl port_9000 port 9000
    acl port_5061 port 5061
    acl port_5065 port 5065
    acl CONNECT method CONNECT

    # Denied internet to member users of INTERNET_OFF group
    http_access deny NO_INTERNET all

    # Allow webex without authentication
    http_access allow http port_80 LS_webex
    http_access allow CONNECT port_443 LS_webex
    http_access allow port_9000 LS_webex
    http_access allow port_5061 LS_webex
    http_access allow port_5065 LS_webex

    http_access deny LS_blackdomains
    http_access deny LS_porn
    http_access deny DOM_Malware
    http_access deny IP_Malware

    # default SQUID rules
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
    http_access deny to_localhost
    http_access allow localhost

    # Apply 20Mbit/s QoS to members of Active Directory Authenticated Users group
    acl Domain_Users note group AQUAAAUV7TIfbORUj8PLQv4YAQIAAA==
    delay_pools 1
    delay_class 1 1
    delay_parameters 1 250/250
    delay_access 1 allow Domain_Users

    # Allow authenticated users to use internet and deny to all others
    acl authenticated proxy_auth REQUIRED
    http_access allow authenticated
    http_access deny all

Thank you very much in advance for your valuable help.

Best regards
Gabriel

On Tue., 29 Sep. 2020 at 07:46, Amos Jeffries (squ...@treenet.co.nz) wrote:

> On 29/09/20 3:55 am, Service MV wrote:
> > In my case I have the domains, for example from webex, which I get from
> > their official support page. It seems that I am doing something wrong or
> > I am not understanding well.
> > I base on this documentation
> > https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
> >
> > The error I get is 407. I understand I should not request authentication
> > to those domains with the configuration I have, but apparently it does.
> >
>
> In the (possibly outdated now) config you showed earlier the
> "NO_INTERNET" ACL might produce a 407 if credentials are completely
> missing, but not re-auth if they are invalid.
> If you wish to have a free audit please post your current squid.conf
> rules and I will comment on useful changes.
>
> > Below I have a bandwidth control configuration with acl note, I don't
> > know if that will be triggering the webex client authentication request.
[squid-users] ACL matches when it shouldn't
Hi,

I have a url_regex ACL loaded with this file:

https://drive.google.com/file/d/1C5aZqPfMD3qlVP8zvm67c9ZnXUfz-cEW/view?usp=sharing

Then I have an access denial like so:

http_access deny bad_dst_urls

Problem is that I am not expecting to block, eg. https://www.google.com, but I am.
I know it's this ACL because if I remove the http_access deny line above, the browser can access just fine.

I've been looking around this file for possible matches for google.com, but there shouldn't be.

Can anyone please let me know if there's a match, or how to enable debugging to see which record in this ACL is actually triggering the denial?

I'm trying with:

debug_options rotate=1 ALL,1 85,2 88,2

Then I grep the log for bad_dst_urls and DENIED, but I can't seem to find a clear match.

Regards,

Vieri
Re: [squid-users] ACL matches when it shouldn't
On 30/09/20 2:27 am, Vieri wrote:
> Hi,
>
> I have a url_regex ACL loaded with this file:
>
> https://drive.google.com/file/d/1C5aZqPfMD3qlVP8zvm67c9ZnXUfz-cEW/view?usp=sharing
>
> Then I have an access denial like so:
>
> http_access deny bad_dst_urls
>
> Problem is that I am not expecting to block, eg. https://www.google.com, but
> I am.
> I know it's this ACL because if I remove the http_access deny line above,
> the browser can access just fine.
>
> I've been looking around this file for possible matches for google.com, but
> there shouldn't be.

None of the file entries are anchored regex. So any one of them could match.

>
> Can anyone please let me know if there's a match, or how to enable debugging
> to see which record in this ACL is actually triggering the denial?

To do that we will need to see the complete and exact URL which is being blocked incorrectly.

NP: a large number of that file's entries can be far more efficiently blocked using the dstdomain ACL type. For example:

acl blacklist dstdomain .appspot.com

Amos
[squid-users] acl for urls without regex
Hi,

Is it possible to create an ACL from a text file containing URLs without treating them as regular expressions? Otherwise, I get errors of this kind:

ERROR: invalid regular expression: 'https://whatever.net/auth_hotmail/?user={email}&email={email}': Invalid content of \{\}

Regards,

Vieri
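Added example for the two url_regex threads above (the false denial and the "Invalid content of \{\}" error); it is not code from the list or from Squid. It loads a url_regex-style file, reports which entries match a given URL using the same unanchored search semantics Squid applies to url_regex entries, and turns a literal feed URL into an escaped, anchored entry so it can only match itself. Python's re module stands in for the POSIX ERE library Squid uses, which is close enough for entries of this shape; the ACL file contents, the `\.crt` entry and the hostnames are constructed.

```python
import re

# Constructed sample of a url_regex ACL file (not the feed from the thread).
# Each entry is a POSIX ERE; without ^ and $ it may match anywhere in the URL.
SAMPLE_ACL_FILE = r"""
# Squid treats lines starting with '#' as comments
https://evil\.example/auth/\?user=\{email\}&email=\{email\}
google\.com/ads/
\.crt
^https://bad\.example/$
"""

# Characters that are special in a POSIX extended regular expression.
ERE_SPECIALS = set(".^$*+?()[]{}|\\")


def load_patterns(text):
    """Return the non-blank, non-comment lines of an ACL file, in file order."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(line)
    return patterns


def matching_entries(url, patterns, ignore_case=False):
    """Entries whose regex is found anywhere in url.  url_regex is
    case-sensitive unless the ACL is declared with -i."""
    flags = re.IGNORECASE if ignore_case else 0
    return [p for p in patterns if re.search(p, url, flags)]


def literal_url_regex(url):
    """Turn an exact URL into an entry that matches only that URL: escape every
    ERE metacharacter (including the { } that made Squid reject the feed line)
    and anchor both ends."""
    escaped = "".join("\\" + ch if ch in ERE_SPECIALS else ch for ch in url)
    return "^" + escaped + "$"


if __name__ == "__main__":
    patterns = load_patterns(SAMPLE_ACL_FILE)
    for url in ("https://www.google.com/",
                "http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt"):
        # grep for the URL finds nothing in the file, yet the short unanchored
        # entry '\.crt' matches the certificate URL.
        print(url, "->", matching_entries(url, patterns) or "no match")
    feed_line = "https://domain.org/?something={whatever}&other=(this)"
    print(literal_url_regex(feed_line))
```

Running `matching_entries` over every URL that cache.log reports as DENIED by the ACL gives the offending entry directly, which is the question the thread asks; running `literal_url_regex` over the feed before loading it removes both the parse errors and the substring matches, at the cost of each entry matching one exact URL and nothing else.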
Re: [squid-users] How to deal with proxy authentication bypass
On 29/09/20 3:55 am, Service MV wrote:
> In my case I have the domains, for example from webex, which I get from
> their official support page. It seems that I am doing something wrong or
> I am not understanding well.
> I base on this documentation
> https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
>
> The error I get is 407. I understand I should not request authentication
> to those domains with the configuration I have, but apparently it does.
>

In the (possibly outdated now) config you showed earlier the "NO_INTERNET" ACL might produce a 407 if credentials are completely missing, but not re-auth if they are invalid.

If you wish to have a free audit please post your current squid.conf rules and I will comment on useful changes.

> Below I have a bandwidth control configuration with acl note, I don't
> know if that will be triggering the webex client authentication request.
> Maybe someone with more experience can tell me.

"note" ACL will match if the data is available but not trigger authentication sequences. That is what makes it so useful for fast-group access checking logins.

Amos
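Added example for the bypass thread (Gabriel's posted rules and Amos's remarks above); it is not Squid code and not from the list. It is a Python model of first-match http_access evaluation under one assumption: an ACL that needs a login (here NO_INTERNET, whose external_acl_type format uses %LOGIN, and the proxy_auth ACL) challenges a client that sent no credentials with 407 the moment it is evaluated, as Amos describes for NO_INTERNET, while a note ACL only tests whether the annotation is present. The rule list is trimmed from the posted squid.conf; the hostnames, ports and group member are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Model of Squid's first-match http_access evaluation (illustration only).
# Assumption: a login-requiring ACL answers 407 to an unauthenticated client
# as soon as it is evaluated; a 'note' ACL never challenges.


@dataclass
class Request:
    method: str
    scheme: str
    host: str
    port: int
    user: Optional[str] = None          # None: no Proxy-Authorization sent
    notes: dict = field(default_factory=dict)


# Constructed stand-ins for the ACL files and the AD group membership.
WEBEX_DOMAINS = {"webex.com", "www.webex.com"}
SAFE_PORTS = {80, 21, 443, 8543}
SSL_PORTS = {443, 8543}
INTERNET_OFF_MEMBERS = {"jdoe"}

ACLS = {
    "all": lambda r: True,
    "http": lambda r: r.scheme == "http",
    "CONNECT": lambda r: r.method == "CONNECT",
    "port_80": lambda r: r.port == 80,
    "port_443": lambda r: r.port == 443,
    "LS_webex": lambda r: r.host in WEBEX_DOMAINS,
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "NO_INTERNET": lambda r: r.user in INTERNET_OFF_MEMBERS,
    "authenticated": lambda r: r.user is not None,
    "Domain_Users": lambda r: "group" in r.notes,   # note ACL: data only
}
# ACLs that cannot be evaluated without a login (%LOGIN / proxy_auth).
LOGIN_REQUIRED = {"NO_INTERNET", "authenticated"}


def evaluate(rules, req):
    """Return 'allow', 'deny' or '407' for req under an ordered http_access list."""
    for action, terms in rules:
        applies = True
        for term in terms:
            negated = term.startswith("!")
            name = term.lstrip("!")
            if name in LOGIN_REQUIRED and req.user is None:
                return "407"            # challenge sent; later rules never run
            if ACLS[name](req) == negated:
                applies = False         # this term fails; try the next rule
                break
        if applies:
            return action
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# The order posted in the thread (rules irrelevant to the point are omitted).
POSTED_ORDER = [
    ("deny",  ["NO_INTERNET", "all"]),
    ("allow", ["http", "port_80", "LS_webex"]),
    ("allow", ["CONNECT", "port_443", "LS_webex"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["authenticated"]),
    ("deny",  ["all"]),
]

# Same rules, with the port checks and the webex bypass evaluated before the
# first ACL that requires a login.
BYPASS_FIRST = [POSTED_ORDER[3], POSTED_ORDER[4],
                POSTED_ORDER[1], POSTED_ORDER[2],
                POSTED_ORDER[0], POSTED_ORDER[5], POSTED_ORDER[6]]


if __name__ == "__main__":
    webex = Request("CONNECT", "https", "www.webex.com", 443)   # no credentials
    print("posted order:", evaluate(POSTED_ORDER, webex))
    print("bypass first:", evaluate(BYPASS_FIRST, webex))
```

In the posted order an unauthenticated webex client reaches `deny NO_INTERNET all` first and gets the 407 before the bypass lines are ever consulted; with the bypass lines ahead of every login-requiring ACL it is allowed without a challenge. The model also shows the cost of that placement: a member of INTERNET_OFF then reaches the webex destinations too, since the group check now comes after the allow, so the order has to be chosen deliberately.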