[squid-users] Re: Kerberos authentication that doesn't block

2013-08-30 Thread Trever L. Adams

> On 30/08/2013 4:32 a.m., Trever L. Adams wrote:
>> Hello everyone,
>>
>> I am having a difficult time. I am not just trying to do something
>> similar to
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass, but
>> without blocking most sites for unauthenticated users.
>
> It is a key property of secure authentication such as Kerberos that no
> client *starts* by shotgunning their credentials to unknown recipients.
>
I understand this. And I understand that Squid has to challenge.

>> The sites I need to block except for certain groups / authentication,
>> etc., are not known at http_access time, only at http_reply_access time.
>>
>> Because of this, I am not sure how to trigger the negotiate process and
>> not block authenticated users. The below does not work. I am not sure
>> why it doesn't, but it does block on access control / authentication for
>> all web sites, not just the category blocked (yes, I left the deny on
>> http_reply_access out below, but it exists).
>
> How are you defining "blocking"?
>
> And how do you expect authentication to be performed without
> credentials to verify?
>
> Amos

I get an error if no credentials or incorrect credentials are sent. It
comes up and says "Cache Access Denied" or some such.

I have unauthenticated guests on the network in question. These should
fail to authenticate or refuse to as the case may be. They should be
able to access most web pages.

The problem is there are some categories (AI page classifier in use
here) of pages that should only be available to a subset of
authenticated users. So, somehow, I need to try to get users to
authenticate. Things should work whether or not they do. If they do, and
they are in appropriate groups (looking at writing a lua external acl at
the moment, but the wbinfo one can be used if not) then they can access
certain categories.

I do have transparent proxying working, so if this cannot be done, I may
just have the users not authenticating use that, but that defeats the
caching part of the setup which is very much desired.

Thank you for the response and any help that may be offered,
Trever



[squid-users] Kerberos authentication that doesn't block

2013-08-29 Thread Trever L. Adams
Hello everyone,

I am having a difficult time. I am not just trying to do something
similar to
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass, but
without blocking most sites for unauthenticated users.

The sites I need to block except for certain groups / authentication,
etc., are not known at http_access time, only at http_reply_access time.

Because of this, I am not sure how to trigger the negotiate process and
not block authenticated users. The below does not work. I am not sure
why it doesn't, but it does block on access control / authentication for
all web sites, not just the category blocked (yes, I left the deny on
http_reply_access out below, but it exists).

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

acl authenticated_users proxy_auth

http_access allow !authenticated_users all
http_access allow authenticated_users all

http_reply_access allow TextConfidenceSolid SOME_ACL authenticated_users
http_reply_access allow TextConfidenceSolid ANOTHER_ACL authenticated_users

I would greatly appreciate any help in figuring this out.

Thank you,
Trever



Re: Re: [squid-users] Authentication of non-standard methods

2012-12-14 Thread Trever L. Adams
On 12/11/2012 05:32 PM, Amos Jeffries wrote:
> On 12.12.2012 11:33, Trever L. Adams wrote:
>> Hello Everyone,
>>
>> I am looking at Shibboleth. I have seen one example
>>
>> (http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)
>>
>> for using it with Squid. I am afraid it makes no sense to me.
>>
>> I am afraid I do not know much about Shibboleth yet. It has three
>> components for authentication, user, password, domain. It has to use
>> redirects, etc.
>>
>> I see an easy way for this to work, but need help figuring it out.
>>
>> If a user isn't authenticated, I need to send them to a url.
>
>
>  acl bounce src all
>  acl auth proxy_auth REQUIRED
>  deny_info 307:http://example.com/ bounce
>  http_access deny !auth bounce
>
> ... but see below...
>
>>
>> How do I know if a user is authenticated? Well, it seems that this is
>> going to have to be passing the requesting client's ip address to a
>> program and get the response back if they are authenticated or not.
>
> NOTE: user != IP address. Therefore user authentication does not imply
> IP address is authenticated, particularly in HTTP where one client (IP
> address) can be presenting traffic from multiple users.
>  Essentially stateful connection-based authentication and stateless
> HTTP do not mix well - as is constantly being 'discovered' by NTLM
> people.
Yes, I had this reservation, but I need to figure out something. This is
a private proxy to general Internet, so some fudging for the time being
may be ok.
>
>
>> It
>> would be nice if I could pass a user name, but I am not sure how to do
>> this as this would require interaction with the browser and this should
>> be SSO.
>
> The ACLs above pass the Proxy-Authenticate header to a helper program
> for authentication tests. That header contains username and security
> token, sometimes domain if the auth type uses domains.
>
> SSO is a property of the *backend* accepting the credentials supplied
> by the client to Squid. SSO is simply the process of the backend
> accepting the same credentials from multiple services (Squid being one).
>  It is no more different than a user signing up at two separate
> websites with identical username/password details and being able to
> login to both.
The problem with Shibboleth is it is SAML and requires a domain that is
plain text (select from a drop down dialog). Hence the need to redirect
to a webpage to select and enter things.

RFC 6128 (is that right? the http auth stuff?) doesn't seem to allow a
webpage to give credentials to be used for the next page. I do not know
even if it does, if it would work for proxy auth.

I suppose it might be possible to have them enter a bogus password and
their full home user name (u...@example.org) which seems to be returned
by Shibboleth authentication. The problem then is, I need a secure way
of sharing the data between the proxy_auth stuff and the page where they
get redirected so that the two can be linked in a common database.

Is there a way to do this?
>
>>
>> If no, then do a url_rewrite_access (I am assuming this is correct)?
>
> redirector helper is one way to do it. But these must first accept the
> request for processing (http_access allow). It is more efficient to do
> the above ACLs I listed and alter the denial message sent by Squid
> into a 307 redirect message.
>
> ** redirectors like external ACL helpers, do not perform HTTP
> authentication. Just authorization.
Can you show me an example of a redirector? (If I am just missing one in
the docs, a url is fantastic)

I think a redirector is how the url I posted did things, but I couldn't
figure it out.
>
>>
>> Finally, is it possible to have multiple authentication algorithms?
>
> When using Proxy-Authenticate: yes of course.
But not with redirector?
>
>> Some
>> of the users will be local and be able to do krb5/spnego. So, if at all
>> possible, I would like to have the option of trying krb5, then spnego,
>> then Shibboleth.
>
> I suggest you work along the lines of using an external_acl_type
> helper for Shibboleth. Since it is more about authorization of a
> request to be processed than authenticating that the source IP is a
> genuine user account.
>
>
> You can use localnet ACL or a similar check for internal/external
> clients to skip or require the authentication with Negotiate/kerberos.
>
>
> Amos
Well, this is on a home network where various filtering would be
required for different users (think of that for homes where parents
think porn is ok for them but bad for children, or more likely that
certain health or other categories are appropriate/needed by certain
people, but inappropriate for young children, etc.)

Thank you for the help,
Trever
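Amos's suggestion above is an external_acl_type helper that authorizes a request rather than authenticates it. The following is an added example of such a helper, not code from the thread or from the Squid project: it assumes a hypothetical squid.conf line of the form `external_acl_type shib_session ttl=60 negative_ttl=10 %SRC /usr/local/bin/shib_session_helper.py` (no `concurrency=` option, so each stdin line carries just the `%SRC` token), a constructed in-memory session table standing in for the shared store the login page would fill, and the standard helper reply format of `OK` (optionally with `user=`/`message=` pairs) or `ERR`.

```python
"""Minimal Squid external_acl_type helper keyed on client IP.

Added example (not from the thread or the Squid project). Assumes the
hypothetical wiring:
  external_acl_type shib_session ttl=60 negative_ttl=10 %SRC /usr/local/bin/shib_session_helper.py
  acl shib_ok external shib_session
  http_access allow shib_ok
Squid writes one line per lookup (here only %SRC, the client IP) to stdin
and expects one reply line: "OK [key=value ...]" or "ERR [key=value ...]".
"""
import sys
import time

# Constructed sample session table: client IP -> (username, expiry epoch).
# In a real deployment the Shibboleth-protected login page would write into a
# shared store (database, memcache) that this helper reads from.
SESSIONS = {
    "192.0.2.10": ("alice@example.org", 1_000_000_000.0 + 3600),
    "192.0.2.11": ("bob@example.org", 1_000_000_000.0 - 1),  # already expired
}


def decide(line, sessions, now):
    """Map one request line from Squid to a helper reply string.

    Caveat (Amos's point in the thread): a session keyed on IP address is
    shared by every user behind that address (NAT, terminal servers), so
    keep the TTL short and treat this as authorization, not authentication.
    """
    fields = line.strip().split()
    if not fields:
        return "ERR message=empty_request"
    client_ip = fields[0]
    entry = sessions.get(client_ip)
    if entry is None:
        return "ERR message=no_session"
    user, expires = entry
    if now >= expires:
        sessions.pop(client_ip, None)  # drop stale entries as we see them
        return "ERR message=session_expired"
    # user= lets Squid log the name and expose it to later ACLs/log formats.
    return f"OK user={user}"


def serve(stream_in=sys.stdin, stream_out=sys.stdout, sessions=SESSIONS):
    """Helper main loop: one reply per input line, flushed immediately."""
    for line in stream_in:
        stream_out.write(decide(line, sessions, time.time()) + "\n")
        stream_out.flush()  # Squid blocks waiting for each reply; never buffer


if __name__ == "__main__":
    serve()
```

Squid caches positive answers for `ttl` seconds and negative ones for `negative_ttl`, so a logout is only honoured once the cached verdict expires; keep both values short when the session store is the only source of truth.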



[squid-users] Authentication of non-standard methods

2012-12-11 Thread Trever L. Adams
Hello Everyone,

I am looking at Shibboleth. I have seen one example
(http://www.switch.ch/aai/support/presentations/opcom-201105/AAI-OpCom-AAI_for_mandatory_authentication_and_proxy_usage.pdf)
for using it with Squid. I am afraid it makes no sense to me.

I am afraid I do not know much about Shibboleth yet. It has three
components for authentication, user, password, domain. It has to use
redirects, etc.

I see an easy way for this to work, but need help figuring it out.

If a user isn't authenticated, I need to send them to a url.

How do I know if a user is authenticated? Well, it seems that this is
going to have to be passing the requesting client's ip address to a
program and get the response back if they are authenticated or not. It
would be nice if I could pass a user name, but I am not sure how to do
this as this would require interaction with the browser and this should
be SSO.

So, is it possible to do an auth_param to a special program that just
looks at the ip address? Have it return yes/no for if it is an
authenticated session?

If no, then do a url_rewrite_access (I am assuming this is correct)?

Finally, is it possible to have multiple authentication algorithms? Some
of the users will be local and be able to do krb5/spnego. So, if at all
possible, I would like to have the option of trying krb5, then spnego,
then Shibboleth.

Thank you for any help,
Trever



Re: Re: Re: [squid-users] adaptation_access and rep_mime_type -- It doesn't seem to work

2011-04-30 Thread Trever L. Adams
On 01/-10/-28163 12:59 PM, Amos Jeffries wrote:
> And these are tested for RESPMOD services right?
>
> I was suspecting you hit the bug about RESPMOD not being passed the
> request details correctly. The SoftwareUpdateAgent and
> SoftwareUpdateDomain would always be failed-match with that bug and
> thus inverted to be "true" in standardChain.
I am not sure. I may have had an error in my ACLs, things are working
now. Part of the problem was my c-icap configuration. There is going to
be a new mode added to the virus scanning module which will solve part
of the problem.
>
> Lot of overlap there. It will reduce down to this:
>
>  acl StreamMime rep_mime_type -i
> application/(octet-stream|x-mplayer2|x-oleobject|x-pncmd)
>  acl StreamMime rep_mime_type -i audio|video|flv|flash
>
Thank you, I will use these, although it may be unnecessary.

Trever
-- 
"Life is what happens to you when you're busy making other plans." --
John Lennon
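Amos's reduction of the eleven StreamMime lines to two relies on rep_mime_type being an unanchored, case-insensitive (with -i) regex search whose multiple acl lines are ORed. The following added example, not part of the thread, checks the two definitions against constructed Content-Type values so the equivalence can be verified before the shorter form goes into squid.conf; it uses Python's re module as a stand-in for the POSIX extended regex engine Squid uses, which agrees with it for these patterns.

```python
"""Compare the original and the consolidated rep_mime_type ACL definitions.

Added example, not from the thread or the Squid project. Squid applies each
pattern as an unanchored regex search over the reply Content-Type; -i makes
it case-insensitive; several acl lines with the same name are ORed.
"""
import re

# The eleven StreamMime patterns exactly as posted earlier in the thread.
ORIGINAL = [
    r"^video/", r"^audio/",
    r"^application/octet-stream$", r"application/octet-stream",
    r"^application/x-mplayer2$", r"application/x-mplayer2",
    r"^application/x-oleobject$", r"application/x-oleobject",
    r"application/x-pncmd",
    r"^application/x-shockwave-flash$",
    r"audio|video|flv|flash",
]

# Amos's reduction to two patterns.
REDUCED = [
    r"application/(octet-stream|x-mplayer2|x-oleobject|x-pncmd)",
    r"audio|video|flv|flash",
]


def compile_acl(patterns):
    """Compile one acl name's pattern list the way 'rep_mime_type -i' behaves."""
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def matches(compiled, content_type):
    """True if any pattern matches: Squid ORs the lines of a multi-line acl."""
    return any(r.search(content_type) for r in compiled)


def disagreements(samples, a=ORIGINAL, b=REDUCED):
    """Return the samples on which the two ACL definitions give different verdicts."""
    ca, cb = compile_acl(a), compile_acl(b)
    return [s for s in samples if matches(ca, s) != matches(cb, s)]


def is_stream_mime(content_type):
    """Verdict of the consolidated StreamMime acl for one Content-Type value."""
    return matches(compile_acl(REDUCED), content_type)


# Constructed sample Content-Type header values (not taken from real traffic).
SAMPLES = [
    "video/mp4",
    "audio/mpeg",
    "Video/x-flv",                               # case differs: -i still matches
    "application/octet-stream",
    "application/x-shockwave-flash",
    "application/x-mplayer2; charset=binary",    # parameters after ';' are fine
    "text/html; charset=utf-8",
    "image/png",
    "application/json",
    "text/x-video-transcript",                   # substring hit on 'video'
]

if __name__ == "__main__":
    for ct in SAMPLES:
        print(f"{ct:45s} StreamMime={is_stream_mime(ct)}")
    print("disagreements:", disagreements(SAMPLES))
```

The last sample is the caveat worth knowing: `audio|video|flv|flash` is a substring match, so any Content-Type containing one of those words is routed to updatesChain, whether or not it is actually streaming media. Anchoring (`^video/`) is the way to tighten that if it matters.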



Re: Re: [squid-users] adaptation_access and rep_mime_type -- It doesn't seem to work

2011-04-17 Thread Trever L. Adams
On 01/-10/-28163 12:59 PM, Amos Jeffries wrote:
> On 15/04/11 20:46, Trever L. Adams wrote:
>> I am using squid 3.1.10. I have a virus scanner and a content classifier
>> (to build content filter with Squid ACLs). The virus scanner has several
>> modes. One scans transparently and passes on data in chunks. I have this
>> working for various update sites, etc.
>>
>> However, I need to run streaming media through this. So I have acls like
>> this:
>> acl StreamMime rep_mime_type -i ^video/
>> acl StreamMime rep_mime_type -i ^audio/
>>
>> adaptation_access updatesChain allow StreamMime
> These would be the sites using flash multimedia. Which are neither
> video/* nor audio/* media.
>
> Try with:
>   acl MediaMime rep_mime_type -i audio|video|flv|flash
>
Yes, I had flash covered in another rule, I forgot to paste it. Sorry.
>
> Should be working. But its not easy to tell what is going wrong
> without the rest of the configuration context. Specifically everything
> about "updatesChain".
>
> Amos
adaptation_service_chain standardChain svcClassify svcVirusScan
adaptation_service_chain updatesChain svcClassify svcVirusScanUpdates

adaptation_access standardChain allow !SoftwareUpdateAgent
!SoftwareUpdateDomain !SoftwareUpdateMime !StreamMime
adaptation_access standardChain deny all
adaptation_access updatesChain allow SoftwareUpdateAgent
adaptation_access updatesChain allow SoftwareUpdateDomain
adaptation_access updatesChain allow SoftwareUpdateMime
adaptation_access updatesChain allow StreamMime
adaptation_access updatesChain deny all

These are c_icap modules. svcClassify is one I have written but haven't
upstreamed yet. (Still trying to get a good base trained set for people
to use.) It is currently set to only process images (flash, video, etc.
is ignored with 204).

The virus modules are the same, one is in a virulator mode (where
anything over a certain size isn't directly downloaded). The other
(updatesChain) is in a simple mode which should work well for streaming.

My entire StreamMime:

acl StreamMime rep_mime_type -i ^video/
acl StreamMime rep_mime_type -i ^audio/
acl StreamMime rep_mime_type -i ^application/octet-stream$
acl StreamMime rep_mime_type -i application/octet-stream
acl StreamMime rep_mime_type -i ^application/x-mplayer2$
acl StreamMime rep_mime_type -i application/x-mplayer2
acl StreamMime rep_mime_type -i ^application/x-oleobject$
acl StreamMime rep_mime_type -i application/x-oleobject
acl StreamMime rep_mime_type -i application/x-pncmd
acl StreamMime rep_mime_type -i ^application/x-shockwave-flash$
acl StreamMime rep_mime_type -i audio|video|flv|flash


SoftwareUpdate* is too big to post here. It works except (even mime
types) which I cannot explain.

Thank you,
Trever
-- 
"In protocol design, perfection has been reached not when there is
nothing left to add, but when there is nothing left to take away." --
RFC1925: The Twelve Networking Truths



[squid-users] adaptation_access and rep_mime_type -- It doesn't seem to work

2011-04-15 Thread Trever L. Adams
I am using squid 3.1.10. I have a virus scanner and a content classifier
(to build content filter with Squid ACLs). The virus scanner has several
modes. One scans transparently and passes on data in chunks. I have this
working for various update sites, etc.

However, I need to run streaming media through this. So I have acls like
this:
acl StreamMime rep_mime_type -i ^video/
acl StreamMime rep_mime_type -i ^audio/

adaptation_access updatesChain allow StreamMime

The problem is, Squid doesn't seem to process the Mime types correctly
because it ends up in another chain (where it is denied).

Does this even work? If not, can it be made to work? I would do it by
file types, but a lot of streaming media doesn't have file extensions.
(Youtube, news sites, etc.)

Thank you for any and all help,
Trever
-- 
"All that is necessary for the triumph of evil is that enough good men
do nothing." -- Edmund Burke



Re: Re: [squid-users] transparent squid + clamav + https

2010-03-16 Thread Trever L. Adams
On 01/-10/-28163 12:59 PM, Henrik Nordström wrote:
> Yes. See the "viralator" mode of c-icap srv_clamav.
> The service supports 3 different modes of download management
>
> - Wait with response until scanning have completed
> - Send some data of the file while scanning is performed to keep the
> client patiently waiting.
> - "viralator" mode showing progress while scanning is done, and then
> redirecting to a "download" URL when complete
>
> The problem with viralator mode is that it may break some things as it
> responds with another response while scanning.
>
> Regards
> Henrik
>
>   
Using acls in Squid, this can be avoided. I am doing that here and allow
things like Trend Micro, Microsoft, Mozilla, etc. update services (based
on whatever criteria I can which is most restrictive) to use the "some
data" mode; everything else is Viralator mode.

Trever
-- 
"Anger is momentary madness." -- Horace



Re: Re: [squid-users] Custom error message on acl deny

2010-01-10 Thread Trever L. Adams
On 01/-10/-28163 12:59 PM, Amos Jeffries wrote:
> http://www.squid-cache.org/Doc/config/deny_info/ is what you want.
> It's linked to the name of the ACL being used last on the denial line.
>
> NP: If your rule tuning does not naturally allow unique ACL names at
> the end of all lines you may need to define some dummy ACL to append to
> the lines like so:  acl denied1 src all
>
> Amos

Thank you. That works fantastically.

Trever
-- 
"If a revolution destroys a systematic government, but the systematic
patterns of thought that produced that government are left intact, then
those patterns will repeat themselves in the succeeding government." --
Robert M. Pirsig



[squid-users] Custom error message on acl deny

2010-01-09 Thread Trever L. Adams
Hello everyone,

I am trying to set up custom error messages based on http_reply_access deny.

I have many different ones, I want custom error messages for several, is
this possible?

The closest I am seeing is http://www.squid-cache.org/Doc/config/error_map/

Thank you,
Trever Adams
-- 
"Love is friendship set on fire." -- French Proverb



Re: Re: [squid-users] acl rep_header SomeRule X-HEADER-ADDED-BY-ICAP

2010-01-06 Thread Trever L. Adams
On 01/-10/-28163 12:59 PM, Chris Robertson wrote:
> Considering the fact that icap_access relies on ACLs, my guess would
> be ICAP is adding the headers after the rep_header ACL is evaluated.
>
>> Is this possible with ICAP + Squid, or is it a bug, or just not
>> possible?
>>   
>
> Run two Squid instances.  One using ICAP to add the headers, the other
> blocking based on headers present.
>
> Chris
>
I am guessing then that there is no clean way of adding such
functionality. So, can you please tell me what configuration option I
would use to tell the acl acting Squid to talk to the upstream ICAP
acting Squid?

Thank you,
Trever
-- 
"Avert misunderstanding by calm, poise, and balance." -- Unknown



[squid-users] acl rep_header SomeRule X-HEADER-ADDED-BY-ICAP

2010-01-05 Thread Trever L. Adams
I seem to be having trouble with acl rep_header trying to match against
an X-Header added by ICAP from the squid server in question.

acl TextAdultContent rep_header X-TEXT-CATEGORY adult.*
acl TextConfidenceSolid rep_header X-TEXT-CATEGORY-CONFIDENCE SOLID
acl TextConfidenceAmbiguous rep_header X-TEXT-CATEGORY-CONFIDENCE AMBIGUOUS

http_access deny TextAdultContent TextConfidenceSolid

I do not get any errors on loading, but it doesn't deny the connection.
I do see the X-Headers in question in Firefox + FireBug so I know the
correct ones are set.

Is this possible with ICAP + Squid, or is it a bug, or just not possible?

Thank you,
Trever Adams
-- 
"Better to remain silent and be thought a fool than to speak out and
remove all doubt."
-- A. Lincoln
