[squid-users] Adobe CC behind Squid

2018-06-25 Thread Verwaiser
Hello,
I'm trying to get the Adobe CC programs to work on workstations behind
our Squid (Debian 8, Squid 3.5). We are using user authentication against an
LDAP server.

Does anyone have experience with how to make this work?

Adobe gives some information:
https://helpx.adobe.com/de/creative-cloud/kb/proxy-authentication-support-creative-cloud.html

But I don't know exactly whether Squid is a proxy with a "PAC-URL"; it seems
so to me.

This link shows the addresses needed for access:
https://helpx.adobe.com/content/dam/help/attachments/Creative_Cloud_for_enterprise_Service_Endpoints.pdf

It shows a long address list:
*.adobesc.com
*.licenses.adobe.com
*.adobelogin.com
*.ftcdn.net
*.behance.net
*.adobedtm.com
*.demdex.net
*.demandbase.com
*.adobeoobe.com
*.macromedia.com
adbemdigitalmediarebootprod2.112.2o7.net
*.edgefonts.net
*.adobejanus.com
*.adobesunbreak.com
*.adobeccstatic.com
[...]

and many more, but which ACLs should I use to open access for those URLs?
I tried:

##
acl adobedl dstdomain .adobe.com
http_access allow adobedl
always_direct allow adobedl
##

or:

##
acl alleRechner src 192.168.2.0/20
acl w7aktivierung dstdomain "/etc/squid3/w7akt"
http_access allow w7aktivierung alleRechner
##

with the file w7akt containing:

swupmf.adobe.com
swupdl.adobe.com
amparex.net
adobelogin.com
adobeoobe.com
[...]

and many others



Any ideas?

Thanks for your help,

Holger!




--
Sent from: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Adobe CC behind Squid

2018-06-25 Thread Amos Jeffries
On 26/06/18 08:09, Verwaiser wrote:
> Hello,
> I'm trying to get the Adobe CC programs to work on workstations behind
> our Squid (Debian 8, Squid 3.5). We are using user authentication against an
> LDAP server.
> 
> Does anyone have experience with how to make this work?

The question is:

* do these applications use HTTP?

 The docs you reference seem to indicate the answer is yes.


* what do you see happening?


> 
> Adobe gives some information:
> https://helpx.adobe.com/de/creative-cloud/kb/proxy-authentication-support-creative-cloud.html
> 
> But I don't know exactly whether Squid is a proxy with a "PAC-URL"; it seems
> so to me.

Please read the FAQ section on auto-configuration:
 

> 
> Any ideas?

Follow the Adobe instructions?

They do not mention having to add any special bypass rules for the proxy
to work. If your clients are allowed to use the proxy these applications
should "just work".

Amos


Re: [squid-users] Adobe CC behind Squid

2018-06-26 Thread Amos Jeffries
On 26/06/18 20:53, admin wrote:
> Hello Amos,
>
> Adobe Cloud starts and asks correctly for proxy authentication.
> Then it tries to connect, gets a timeout, tries again, and...
>
> In access.log I only see a CONNECT to Adobe.com:
> TCP_TUNNEL:HIER_DIRECT
>

Hmm, that sounds like the traffic is either a) not going to the proxy
like it should, or b) going inside the tunnel.

If (a) it could be a routing issue, or a bug in the ACC software.

If (b) the credentials are not relevant except to the CONNECT message.
Do those CONNECT messages you see in the log ever contain the required
credentials?


Amos


Re: [squid-users] Adobe CC behind Squid

2018-06-26 Thread Mika Ristimäki
Hi,

IIRC Adobe CC connects to an HTTPS server on localhost. This seems to confirm it:
https://helpx.adobe.com/creative-cloud/kb/proxy-authentication-support-creative-cloud.html#Unterst%C3%BCtzungf%C3%BCrPACDateien

> In an enterprise environment, Creative Cloud Libraries must connect to
> localhost for the Libraries panel in applications to sync correctly.
> Therefore, if you're using Libraries, set localhost and 127.0.0.1 to bypass
> the proxy server for the enterprise environment.

You need to make sure that connections to localhost do not go to the proxy.

-Mika


Re: [squid-users] Adobe CC behind Squid

2018-06-27 Thread Verwaiser
Hello,
what would be the right way to implement the authentication bypass list
linked from Adobe:
https://helpx.adobe.com/content/dam/help/attachments/Creative_Cloud_for_enterprise_Service_Endpoints.pdf

I can write the list into a file, OK, but how can I set up the ACL to
correctly bypass all the addresses from this list?
Is the "always_direct" ACL right? Should I place it before the LDAP
authentication part in squid.conf? Is there more to work on?

Holger





Re: [squid-users] Adobe CC behind Squid

2018-06-27 Thread Amos Jeffries
On 28/06/18 07:06, Verwaiser wrote:
> Hello,
> what would be the right way to implement the authentication bypass list
> linked from Adobe:
> https://helpx.adobe.com/content/dam/help/attachments/Creative_Cloud_for_enterprise_Service_Endpoints.pdf
> 

Ouch. Rather a lot of domain names, and it explicitly states that it is
incomplete.

Some of them are *extremely* popular (e.g. Twitter, Google Maps, Google
Play Store). WTF, why does ACC need Google Maps access?


Maybe looking for a User-Agent header string matching the tools that
break will narrow it down to not allowing just anyone access to all
those services.


> I can write the list into a file, OK, but how can I set up the ACL to
> correctly bypass all the addresses from this list?
> Is the "always_direct" ACL right?

No. 'always_direct allow' means "don't use any cache_peer for this request".

There is no "bypass" directive. Every directive for which you have configured
a need for auth needs adjusting so that it also works without that auth
requirement when your new ACL(s) match the transaction.


> Should I place it before the LDAP
> authentication part in squid.conf?

Yes. For every directive which currently requires an auth-related test,
place a test which matches the 'bypass' ACL first, OR make it so that
you don't have to require the auth details at that point.
 NP: the latest Squid versions have a 'note' ACL type which can be useful
here to test the username (the note named 'user' contains the username)
without requiring that it exists or triggering auth.


The 'best practice' design is to configure http_access with an ordered
structure like so:

 # The default / recommended security checks at the top
 # ending at that default line "INSERT YOUR CUSTOM RULES BELOW HERE."

 # custom allow/deny rules that do not need auth

 # authenticate
 http_access deny !login

 # custom allow/deny rules that need auth credentials

 # and finally ...
 http_access deny all


The rest of your settings can assume that auth has taken place already
(*if* necessary) and not re-test it themselves.



> Is there more to work on?

Everything which uses an authentication, username, or group ACL test
needs looking at to see whether a bypass is needed.


Amos
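One way to lay out squid.conf along the ordered structure Amos describes above, and at the same time to express Holger's domain list as a dstdomain ACL, as an added example that is not from the thread or from the Squid project. It assumes the client subnet and the Squid 3.5 / Debian 8 layout from Holger's earlier attempt, an LDAP auth_param block already present above it, and a hypothetical file path /etc/squid3/adobe-endpoints holding the converted Adobe list:

```conf
# Added example (not from the thread). Assumptions: LDAP auth_param lines
# are already configured above this point, clients sit in 192.168.2.0/20,
# and /etc/squid3/adobe-endpoints (hypothetical path) lists Squid dstdomain
# entries, one per line, with the "*." of Adobe's PDF replaced by a leading
# dot, e.g.:
#   .adobesc.com
#   .licenses.adobe.com
#   .adobelogin.com
#   .macromedia.com
#   adbemdigitalmediarebootprod2.112.2o7.net
# A leading dot matches the domain and all of its subdomains; "*." is not
# dstdomain syntax and would be matched literally.

acl localnet       src 192.168.2.0/20
acl adobe_bypass   dstdomain "/etc/squid3/adobe-endpoints"
acl login          proxy_auth REQUIRED

# --- the default / recommended security checks stay here unchanged
#     (Safe_ports, SSL_ports, manager, ...) down to the line
#     "INSERT YOUR CUSTOM RULES BELOW HERE" ---

# 1. custom rules that must NOT trigger authentication.
#    Restricting to localnet keeps the list from becoming an open proxy
#    for these (partly very popular) destinations.
http_access allow localnet adobe_bypass

# 2. authenticate everyone else; a missing/invalid login gets a 407 here
http_access deny !login

# 3. custom rules that rely on credentials being present
http_access allow localnet login

# 4. and finally ...
http_access deny all

# Note: always_direct only decides whether a request may skip cache_peer
# routing; it is not an authentication bypass and is not needed unless
# cache_peer lines exist.
```

The only thing that makes this a bypass is the position of rule 1 relative to `http_access deny !login`: any transaction matching `localnet adobe_bypass` is allowed before Squid ever evaluates the auth ACL, so no 407 is sent for it. Every other directive in the file that tests `login` (delay pools, ICAP rules, logging ACLs) needs the same treatment, as Amos notes, or it will still demand credentials for those hosts.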


Re: [squid-users] Adobe CC behind Squid

2018-06-27 Thread Eliezer Croitoru

Hey Amos,

Today in many environments there is a very wide usage of ON-LINE
"libraries" since the server or a cache node is just "2 meters" from the
developer. (Picture the nearby Internet BOX being pointed at as "This is the
Internet".)
For me a 1MB file still seems like too much for an Android app in
many cases, but the world is changing and a kernel of more than 1MB is
embedded in everyday devices around the globe.
I used to have huge disks for 80MB, but today in the same disk size
you can store TBs of data (20+++).
I am sure that it's a global issue, but the demand for traffic and
on-line content is rising.


Just 10 years ago I had to have a huge wall filled with books to do
a little research, but today I have a local DB which contains literally
rooms filled with books and is searchable.

I believe that the admin should understand a bit of HTTP/HTTPS to allow all
these.
The next step is a Google ROOT CA but... SSL-Bump bumped everybody, so not
only Google and Facebook have their own ROOT CA.


This thread proves that there are admins out there who think and ask,
which makes me happy.

It means that stupidity has not spread to some places like this list.

Eliezer



--

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il