Re: [squid-users] ACLs and localhost

2008-03-31 Thread paul cooper
This is my config:
hepworth squid # grep ^acl /etc/squid/squid.conf
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
snip
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth
acl emma proxy_auth
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing  time MTWHF 07:30-08:00
hepworth squid # grep ^http_access /etc/squid/squid.conf
http_access deny  !Safe_ports
http_access allow emma testing
http_access allow andrew  localhost
http_access deny all
hepworth squid #

and logging in as andrew denies a page with this:
2008/03/31 20:56:37| Starting Squid Cache version 2.6.STABLE17 for
i686-pc-linux-gnu...
2008/03/31 20:56:37| Process ID 8806
2008/03/31 20:56:37| With 1024 file descriptors available
2008/03/31 20:56:37| Using epoll for the IO loop
2008/03/31 20:56:37| DNS Socket created at 0.0.0.0, port 32780, FD 6
2008/03/31 20:56:37| Adding domain home.nw from /etc/resolv.conf
2008/03/31 20:56:37| Adding nameserver 192.168.0.254 from /etc/resolv.conf
2008/03/31 20:56:37| helperOpenServers: Starting 5 'ncsa_auth' processes
2008/03/31 20:56:38| User-Agent logging is disabled.
2008/03/31 20:56:38| Referer logging is disabled.
2008/03/31 20:56:38| Unlinkd pipe opened on FD 17
2008/03/31 20:56:38| Swap maxSize 102400 KB, estimated 7876 objects
2008/03/31 20:56:38| Target number of buckets: 393
2008/03/31 20:56:38| Using 8192 Store buckets
2008/03/31 20:56:38| Max Mem  size: 8192 KB
2008/03/31 20:56:38| Max Swap size: 102400 KB
2008/03/31 20:56:38| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2008/03/31 20:56:38| Rebuilding storage in /var/cache/squid (CLEAN)
2008/03/31 20:56:38| Using Least Load store dir selection
2008/03/31 20:56:38| Set Current Directory to /var/cache/squid
2008/03/31 20:56:38| Loaded Icons.
2008/03/31 20:56:38| Accepting proxy HTTP connections at 0.0.0.0, port
3128, FD 19.
2008/03/31 20:56:38| Accepting ICP messages at 0.0.0.0, port 3130, FD 20.
2008/03/31 20:56:38| HTCP Disabled.
2008/03/31 20:56:38| WCCP Disabled.
2008/03/31 20:56:38| Ready to serve requests.
2008/03/31 20:56:38| Done reading /var/cache/squid swaplog (2219 entries)
2008/03/31 20:56:38| Finished rebuilding storage from disk.
2008/03/31 20:56:38|  2219 Entries scanned
2008/03/31 20:56:38| 0 Invalid entries.
2008/03/31 20:56:38| 0 With invalid flags.
2008/03/31 20:56:38|  2219 Objects loaded.
2008/03/31 20:56:38| 0 Objects expired.
2008/03/31 20:56:38| 0 Objects cancelled.
2008/03/31 20:56:38| 0 Duplicate URLs purged.
2008/03/31 20:56:38| 0 Swapfile clashes avoided.
2008/03/31 20:56:38|   Took 0.3 seconds (6503.0 objects/sec).
2008/03/31 20:56:38| Beginning Validation Procedure
2008/03/31 20:56:38|   Completed Validation Procedure
2008/03/31 20:56:38|   Validated 2219 Entries
2008/03/31 20:56:38|   store_swap_size = 18264k
2008/03/31 20:56:39| storeLateRelease: released 0 objects
2008/03/31 20:56:44| aclCheckFast: list: 0x82ab588
2008/03/31 20:56:44| aclMatchAclList: checking all
2008/03/31 20:56:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/31 20:56:44| aclMatchIp: '127.0.0.1' found
2008/03/31 20:56:44| aclMatchAclList: returning 1
2008/03/31 20:56:44| aclCheck: checking 'http_access deny  !Safe_ports'
2008/03/31 20:56:44| aclMatchAclList: checking !Safe_ports
2008/03/31 20:56:44| aclMatchAcl: checking 'acl Safe_ports port 80 # http'
2008/03/31 20:56:44| aclMatchAclList: no match, returning 0
2008/03/31 20:56:44| aclCheck: checking 'http_access allow emma testing'
2008/03/31 20:56:44| aclMatchAclList: checking emma
2008/03/31 20:56:44| aclMatchAcl: checking 'acl emma proxy_auth '
2008/03/31 20:56:44| aclMatchAcl: returning 0 sending credentials to helper.
2008/03/31 20:56:44| aclMatchAclList: no match, returning 0
2008/03/31 20:56:44| aclCheck: checking password via authenticator
2008/03/31 20:56:45| aclCheck: checking 'http_access allow emma testing'
2008/03/31 20:56:45| aclMatchAclList: checking emma
2008/03/31 20:56:45| aclMatchAcl: checking 'acl emma proxy_auth '
2008/03/31 20:56:45| aclMatchUser: user is andrew, case_insensitive is 0
2008/03/31 20:56:45| Top is (nil), Top-data is Unavailable
2008/03/31 20:56:45| aclMatchUser: returning 0,Top is (nil), Top-data is
Unavailable
2008/03/31 20:56:45| aclMatchAclList: no match, returning 0
2008/03/31 20:56:45| aclCheck: checking 'http_access allow andrew '
2008/03/31 20:56:45| aclMatchAclList: checking andrew
2008/03/31 20:56:45| aclMatchAcl: checking 'acl andrew proxy_auth '
2008/03/31 20:56:45| aclMatchUser: user is andrew, case_insensitive is 0
2008/03/31 20:56:45| Top is (nil), Top-data is Unavailable
2008/03/31 20:56:45| aclMatchUser: returning 0,Top is (nil), Top-data is
Unavailable
2008/03/31 20:56:45| aclMatchAclList: no match, returning 0
2008/03/31 20:56:45| aclCheck: checking 'http_access deny all'
2008/03/31 20:56:45| aclMatchAclList: checking all
2008/03/31 

Re: [squid-users] ACLs and localhost

2008-03-25 Thread paul cooper
So is what I want to do actually possible?

unixlogin emma logged into VT7
unixlogin andrew - VT8

web page request from either - squid requests login

if it's emma !testing - access denied
if it's emma testing - access allowed

switch to VT8 (andrew's desktop)
web page request - squid requests login
if it's andrew - access allowed
if it's emma !testing (eg kids messing around) - access denied



hepworth squid # grep ^auth_param /etc/squid/squid.conf
auth_param basic program /usr/libexec/squid/ncsa_auth /etc/squid/htpasswd
hepworth squid # grep ^acl  /etc/squid/squid.conf | grep -v '#'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing  time MTWHF 07:30-08:00
hepworth squid # grep ^http  /etc/squid/squid.conf | grep -v '#'
http_port 3128
http_access allow emma testing
http_access allow andrew
http_access deny all
hepworth squid #


2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: checking 'http_access allow emma testing'
2008/03/25 15:04:03| aclMatchAclList: checking emma
2008/03/25 15:04:03| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/25 15:04:03| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
2008/03/25 15:04:03| aclMatchAclList: checking testing
2008/03/25 15:04:03| aclMatchAcl: checking 'acl testing  time MTWHF
07:30-08:00'
2008/03/25 15:04:03| aclMatchTime: checking 904 in 450-480, weekbits=3e
2008/03/25 15:04:03| aclMatchAclList: no match, returning 0
2008/03/25 15:04:03| aclCheck: checking 'http_access allow andrew '
2008/03/25 15:04:03| aclMatchAclList: checking andrew
2008/03/25 15:04:03| aclMatchAcl: checking 'acl andrew proxy_auth REQUIRED'
2008/03/25 15:04:03| aclCacheMatchAcl: cache hit on acl '0x82a7d38'

but I haven't, AFAIK, logged in as andrew in this browser session (the
browser cache is flushed when it's closed).

So is this login stored in the cache somewhere?
Do I need to flush the cache when I change user?


2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: match found, returning 1
2008/03/25 15:04:03| aclCheckCallback: answer=1
2008/03/25 15:04:03| The request GET http://grolma.no-ip.org/favicon.ico
is ALLOWED, because it matched 'andrew'
2008/03/25 15:04:03| aclCheck: checking 'cache deny QUERY'
2008/03/25 15:04:03| aclMatchAclList: checking QUERY
2008/03/25 15:04:03| aclMatchAcl: checking 'acl QUERY urlpath_regex
cgi-bin \?'
2008/03/25 15:04:03| aclMatchRegex: checking '/favicon.ico'
2008/03/25 15:04:03| aclMatchRegex: looking for 'cgi-bin'
2008/03/25 15:04:03| aclMatchRegex: looking for '\?'
2008/03/25 15:04:03| aclMatchAclList: no match, returning 0
2008/03/25 15:04:03| aclCheck: NO match found, returning 1
2008/03/25 15:04:03| aclCheckCallback: answer=1
2008/03/25 15:04:03| aclCheckFast: list: 0x8481608
2008/03/25 15:04:03| aclMatchAclList: checking all
2008/03/25 15:04:03| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: checking 'http_reply_access allow all'
2008/03/25 15:04:03| aclMatchAclList: checking all
2008/03/25 15:04:03| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/25 15:04:03| aclMatchIp: '127.0.0.1' found
2008/03/25 15:04:03| aclMatchAclList: returning 1
2008/03/25 15:04:03| aclCheck: match found, returning 1
2008/03/25 15:04:03| aclCheckCallback: answer=1
2008/03/25 15:04:03| The reply for GET http://grolma.no-ip.org/favicon.ico
is ALLOWED, because it matched 'all'





Re: [squid-users] ACLs and localhost

2008-03-24 Thread paul cooper
There is something in all this I really am not understanding. Sorry to be
so stupid.

AIUI now, it looks at the ACLs and processes them until it finds one that
matches, and then it stops matching them and allows access. It will only
deny a page when it has processed all the ACLs and NOT found a match.

If I have only 1 authenticated user (emma) then the time-based ACL
('testing') denies access as it should.
When I add another user access (http_access allow andrew) the browser
authentication box comes up, I put in 'emma' and it gives me access.
I'm restarting squid and clearing the browser cache between all these
attempts.



hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl testing  time MTWHF 07:30-08:00
hepworth emma # grep ^http /etc/squid/squid.conf
http_port 3128
http_access allow emma testing
http_access deny localhost
http_access deny all
hepworth emma #

2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
2008/03/24 09:52:44| aclMatchAclList: checking all
2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:52:44| aclMatchAclList: checking emma
2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:52:44| aclMatchUser: user is emma, case_insensitive is 0
2008/03/24 09:52:44| Top is (nil), Top-data is Unavailable
2008/03/24 09:52:44| aclMatchUser: user REQUIRED and auth-info present.
2008/03/24 09:52:44| aclMatchAclList: checking testing
2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing  time MTWHF
07:30-08:00'
2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e
2008/03/24 09:52:44| aclMatchAclList: no match, returning 0
2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'
2008/03/24 09:52:44| aclMatchAclList: checking localhost
2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src
127.0.0.1/255.255.255.255'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: match found, returning 0
2008/03/24 09:52:44| aclCheckCallback: answer=0
2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/ is DENIED,
because it matched 'localhost'
2008/03/24 09:52:44| The reply for GET http://grolma.no-ip.org/ is
ALLOWED, because it matched 'localhost'
2008/03/24 09:52:44| aclCheckFast: list: 0x82ab370
2008/03/24 09:52:44| aclMatchAclList: checking all
2008/03/24 09:52:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:52:44| aclMatchAclList: checking emma
2008/03/24 09:52:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:52:44| aclCacheMatchAcl: cache hit on acl '0x82a7cc8'
2008/03/24 09:52:44| aclMatchAclList: checking testing
2008/03/24 09:52:44| aclMatchAcl: checking 'acl testing  time MTWHF
07:30-08:00'
2008/03/24 09:52:44| aclMatchTime: checking 592 in 450-480, weekbits=3e
2008/03/24 09:52:44| aclMatchAclList: no match, returning 0
2008/03/24 09:52:44| aclCheck: checking 'http_access deny localhost'
2008/03/24 09:52:44| aclMatchAclList: checking localhost
2008/03/24 09:52:44| aclMatchAcl: checking 'acl localhost src
127.0.0.1/255.255.255.255'
2008/03/24 09:52:44| aclMatchIp: '127.0.0.1' found
2008/03/24 09:52:44| aclMatchAclList: returning 1
2008/03/24 09:52:44| aclCheck: match found, returning 0
2008/03/24 09:52:44| aclCheckCallback: answer=0
2008/03/24 09:52:44| The request GET http://grolma.no-ip.org/favicon.ico
is DENIED, because it matched 'localhost'
2008/03/24 09:52:44| The reply for GET http://grolma.no-ip.org/favicon.ico
is ALLOWED, because it matched 'localhost'


hepworth emma # grep ^acl /etc/squid/squid.conf |grep -v 'Safe_ports'
as before

hepworth emma # cat /etc/squid/squid.conf |grep ^http
http_port 3128
http_access allow emma testing
http_access allow andrew
http_access deny localhost
http_access deny all
hepworth emma #



2008/03/24 09:56:04| aclCheckFast: list: 0x82ab640
2008/03/24 09:56:04| aclMatchAclList: checking all
2008/03/24 09:56:04| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/24 09:56:04| aclMatchIp: '127.0.0.1' found
2008/03/24 09:56:04| aclMatchAclList: returning 1
2008/03/24 09:56:04| aclCheck: checking 'http_access allow emma testing'
2008/03/24 09:56:04| aclMatchAclList: checking emma
2008/03/24 09:56:04| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/24 09:56:04| 

[squid-users] ACLs and localhost

2008-03-23 Thread paul cooper
4 users, 1 machine, with squid running and a GUI



I'm having problems getting the time-based ACLs sorted. To test it I've
added a sat/sun ACL which should allow access between 08:00 and 10:00.



Config 1

hepworth emma # cat /etc/squid/squid.conf |grep ^acl
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 22 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
acl weekends time SA 08:00-10:00
acl beforeschool  time MTWHF 07:30-09:00
acl afterschool  time  MTWHF 16:00-20:00
hepworth emma # cat /etc/squid/squid.conf |grep  ^http
http_port 3128
http_access allow emma weekends
http_access allow Safe_ports
http_access allow andrew
http_access deny localhost
http_access deny all


It asks me for a login (emma) and then gives access.

2008/03/23 16:05:44| aclCheckFast: list: 0x82a7748
2008/03/23 16:05:44| aclMatchAclList: checking all
2008/03/23 16:05:44| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/23 16:05:44| aclMatchIp: '127.0.0.1' found
2008/03/23 16:05:44| aclMatchAclList: returning 1
2008/03/23 16:05:44| aclCheck: checking 'http_access allow emma weekends'
2008/03/23 16:05:44| aclMatchAclList: checking emma
2008/03/23 16:05:44| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/23 16:05:44| aclMatchAcl: returning 0 sending authentication
challenge.
2008/03/23 16:05:44| aclMatchAclList: no match, returning 0
2008/03/23 16:05:44| aclCheck: requiring Proxy Auth header.
2008/03/23 16:05:44| aclCheck: match found, returning 2
2008/03/23 16:05:44| aclCheckCallback: answer=2
2008/03/23 16:05:44| The request GET http://grolma.no-ip.org/ is DENIED,
because it matched 'emma'
2008/03/23 16:05:44| The reply for GET http://grolma.no-ip.org/ is
ALLOWED, because it matched 'emma'
2008/03/23 16:05:49| aclCheckFast: list: 0x82a7748
2008/03/23 16:05:49| aclMatchAclList: checking all
2008/03/23 16:05:49| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/23 16:05:49| aclMatchIp: '127.0.0.1' found
2008/03/23 16:05:49| aclMatchAclList: returning 1
2008/03/23 16:05:50| aclCheck: checking 'http_access allow emma weekends'
2008/03/23 16:05:50| aclMatchAclList: checking emma
2008/03/23 16:05:50| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/23 16:05:50| aclMatchAcl: returning 0 sending credentials to helper.
2008/03/23 16:05:50| aclMatchAclList: no match, returning 0
2008/03/23 16:05:50| aclCheck: checking password via authenticator
2008/03/23 16:05:50| aclCheck: checking 'http_access allow emma weekends'
2008/03/23 16:05:50| aclMatchAclList: checking emma
2008/03/23 16:05:50| aclMatchAcl: checking 'acl emma proxy_auth REQUIRED'
2008/03/23 16:05:50| aclMatchUser: user is emma, case_insensitive is 0
2008/03/23 16:05:50| Top is (nil), Top-data is Unavailable
2008/03/23 16:05:50| aclMatchUser: user REQUIRED and auth-info present.
2008/03/23 16:05:50| aclMatchAclList: checking weekends
2008/03/23 16:05:50| aclMatchAcl: checking 'acl weekends time SA 08:00-10:00'
2008/03/23 16:05:50| aclMatchTime: checking 965 in 480-600, weekbits=41
2008/03/23 16:05:50| aclMatchAclList: no match, returning 0
2008/03/23 16:05:50| aclCheck: checking 'http_access allow Safe_ports'
2008/03/23 16:05:50| aclMatchAclList: checking Safe_ports
2008/03/23 16:05:50| aclMatchAcl: checking 'acl Safe_ports port 80 # http'
2008/03/23 16:05:50| aclMatchAclList: returning 1
2008/03/23 16:05:50| aclCheck: match found, returning 1
2008/03/23 16:05:50| aclCheckCallback: answer=1
2008/03/23 16:05:50| The request GET http://grolma.no-ip.org/ is ALLOWED,
because it matched 'Safe_ports'
2008/03/23 16:05:50| aclCheck: checking 'cache deny QUERY'
2008/03/23 16:05:50| aclMatchAclList: checking QUERY
2008/03/23 16:05:50| aclMatchAcl: checking 'acl QUERY urlpath_regex
cgi-bin \?'
2008/03/23 16:05:50| aclMatchRegex: checking '/'
2008/03/23 16:05:50| aclMatchRegex: looking for 'cgi-bin'
2008/03/23 16:05:50| aclMatchRegex: looking for '\?'
2008/03/23 16:05:50| aclMatchAclList: no match, returning 0
2008/03/23 16:05:50| aclCheck: NO match found, returning 1
2008/03/23 16:05:50| aclCheckCallback: answer=1
2008/03/23 16:05:50| clientProcessHit: HIT
2008/03/23 16:05:50| aclCheckFast: list: 0x82a7df8
2008/03/23 16:05:50| aclMatchAclList: checking all
2008/03/23 16:05:50| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/23 16:05:50| aclMatchIp: '127.0.0.1' found
2008/03/23 16:05:50| 
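The verdicts in the 23 and 24 March posts above follow from how Squid walks http_access, and the script below replays them (an added example; it is not Squid's code or the poster's configuration). The rules it models: a line's ACLs are ANDed and the first line whose ACLs all hold decides; 'proxy_auth REQUIRED' matches any authenticated user, so 'acl andrew proxy_auth REQUIRED' and 'acl emma proxy_auth REQUIRED' are one ACL under two names; and a proxy_auth ACL reached with no credentials makes Squid challenge rather than decide. The Request class, evaluate() and the PER_USER variant (each ACL bound to its own username) are constructed for this example.

```python
"""Replay of how Squid 2.6 walks http_access for the configs posted in this thread
(constructed example, not Squid code): a line's ACLs are ANDed, the first line whose
ACLs all hold decides, and a proxy_auth ACL reached without credentials challenges."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Day letters in Squid's order (S=Sunday is bit 0 ... A=Saturday is bit 6), so MTWHF
# gives weekbits 0x3e and SA gives 0x41, the values cache.log printed above
DAY_BITS = {d: 1 << i for i, d in enumerate("SMTWHFA")}
AUTH = object()   # sentinel: a proxy_auth ACL was reached with no credentials

@dataclass
class Request:
    src: str               # client IP as Squid sees it (127.0.0.1 for a local browser)
    port: int              # destination port
    user: Optional[str]    # username after a successful proxy login, None if none sent
    when: datetime

def parse_config(text):
    """Collect acl lines (values accumulate, as with Safe_ports) and http_access rules."""
    acls, rules = {}, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def match_acl(kind, args, req):
    if kind == "src":
        return any(ip_address(req.src) in ip_network(a, strict=False) for a in args)
    if kind == "port":
        ranges = [a.partition("-") for a in args]            # "80" or "1025-65535"
        return any(int(lo) <= req.port <= int(hi or lo) for lo, _, hi in ranges)
    if kind == "time":
        weekbits = sum(DAY_BITS[c] for c in args[0])
        lo, hi = (int(t[:2]) * 60 + int(t[3:]) for t in args[1].split("-"))
        now = req.when.hour * 60 + req.when.minute           # the '592' in the log
        today = 1 << ((req.when.weekday() + 1) % 7)           # Python Mon=0 -> Squid bit 1
        return bool(weekbits & today) and lo <= now <= hi
    if kind == "proxy_auth":
        if req.user is None:
            return AUTH
        # REQUIRED matches *any* authenticated user; a name list matches only those
        # names; an empty list (the 31 March config) matches nobody
        return True if args == ["REQUIRED"] else req.user in args
    return False   # method, rep_header, urlpath_regex ... are not modelled here

def evaluate(config, req):
    """(verdict, acl) as cache.log reports it, or ('AUTH', acl) for a 407 challenge."""
    acls, rules = config
    for action, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            kind, args = acls[term.lstrip("!")]
            hit = match_acl(kind, args, req)
            if hit is AUTH:
                return "AUTH", term
            if hit == negate:               # this term does not hold: skip the line
                break
        else:
            return action.upper(), terms[-1]
    # no line matched: Squid applies the opposite of the last line's action
    return ("DENY" if rules[-1][0] == "allow" else "ALLOW"), None

# The 24 March config: both users declared 'proxy_auth REQUIRED'
AS_POSTED = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl andrew proxy_auth REQUIRED
acl emma proxy_auth REQUIRED
acl testing time MTWHF 07:30-08:00
http_access allow emma testing
http_access allow andrew
http_access deny localhost
http_access deny all
"""
# Same policy with each ACL bound to one username instead of REQUIRED
PER_USER = (AS_POSTED.replace("andrew proxy_auth REQUIRED", "andrew proxy_auth andrew")
                     .replace("emma proxy_auth REQUIRED", "emma proxy_auth emma"))

def replay():
    """emma, logged in from the local browser at 09:52 on Monday 24 March 2008."""
    emma = Request("127.0.0.1", 80, "emma", datetime(2008, 3, 24, 9, 52))
    return (evaluate(parse_config(AS_POSTED), emma),
            evaluate(parse_config(PER_USER), emma))

if __name__ == "__main__":
    print(replay())   # (('ALLOW', 'andrew'), ('DENY', 'localhost'))
```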

Re: [squid-users] OT: Removing unused lines

2008-03-22 Thread paul cooper
grep ^[A-Za-z] /etc/squid/squid.conf

to include lines that start with spaces

grep ^[A-Za-z\ ] /etc/squid/squid.conf





[squid-users] writing my own authenticator

2008-03-21 Thread paul cooper
So ip_user won't actually do what I want (the book isn't clear actually
what it is there for) - thanks Henrik

What I want is to get the currently logged-in user and pass it to squid
which will then authenticate against that with no further dialog boxes
etc. I can then add eg time-based ACLs.

So I thought I'd try my own. Eventually I suspect I'll use getpwuid() and
look up in /etc/passwd.

#!/usr/bin/perl -w
# external_acl_type helper: Squid feeds one request per STDIN line and
# expects exactly one reply line (OK or ERR) back for each of them
use strict;
$| = 1;                                   # unbuffered STDOUT, or Squid waits forever
my @names = qw(andrew anne nick emma);
my $username = `whoami` or die "Couldn't execute command: $!";
chomp($username);
open(F, '>', '/tmp/data.txt') or die "Couldn't write /tmp/data.txt: $!";
print F "$username\n";
close(F);
my $found = 0;
my $i = 0;
while ($i <= $#names) {
    if ($names[$i] eq $username) { $found = 1; last; }
    $i++;
}
while (my $line = <STDIN>) {
    # same answer for every request: the script only knows who ran it
    print $found ? "OK user=$username\n" : "ERR\n";
}


and this returns the current user and writes it to the file.

My squid.conf:

hepworth andrew # cat /etc/squid/squid.conf |grep ^acl
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl purge method PURGE
acl CONNECT method CONNECT
acl annes external MyAclHelper
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
hepworth andrew # cat /etc/squid/squid.conf |grep ^http
http_access Safe_ports allow
http_access allow annes
http_access deny all
http_port 3128
hepworth andrew # cat /etc/squid/squid.conf |grep ^external
external_acl_type MyAclHelper /etc/squid/myaclhelper
hepworth andrew #

Do I need an auth_param directive as well? If so, what?

So when I request a web page it asks me for a username and password and
myaclhelper doesn't write the text file. Should it be doing the
2008/03/21 12:00:16| helperOpenServers: Starting 5 'getpwname_auth' processes
line?


hepworth squid # /usr/local/squid/sbin/squid -N -d6
2008/03/21 12:00:16| Starting Squid Cache version 2.6.STABLE18 for
i686-pc-linux-gnu...
2008/03/21 12:00:16| Process ID 19869
2008/03/21 12:00:16| With 1024 file descriptors available
2008/03/21 12:00:16| Using epoll for the IO loop
2008/03/21 12:00:16| Performing DNS Tests...
2008/03/21 12:00:16| Successful DNS name lookup tests...
2008/03/21 12:00:16| DNS Socket created at 0.0.0.0, port 32860, FD 6
2008/03/21 12:00:16| Adding domain home.nw from /etc/resolv.conf
2008/03/21 12:00:16| Adding nameserver 192.168.0.254 from /etc/resolv.conf
2008/03/21 12:00:16| helperOpenServers: Starting 5 'getpwname_auth' processes
2008/03/21 12:00:16| Unlinkd pipe opened on FD 17
2008/03/21 12:00:16| Swap maxSize 102400 KB, estimated 7876 objects
2008/03/21 12:00:16| Target number of buckets: 393
2008/03/21 12:00:16| Using 8192 Store buckets
2008/03/21 12:00:16| Max Mem  size: 8192 KB
2008/03/21 12:00:16| Max Swap size: 102400 KB
2008/03/21 12:00:16| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
2008/03/21 12:00:16| Using Least Load store dir selection
2008/03/21 12:00:16| Current Directory is /etc/squid
2008/03/21 12:00:16| Loaded Icons.
2008/03/21 12:00:16| Accepting proxy HTTP connections at 0.0.0.0, port
3128, FD 19.
2008/03/21 12:00:16| Accepting ICP messages at 0.0.0.0, port 3130, FD 20.
2008/03/21 12:00:16| WCCP Disabled.
2008/03/21 12:00:16| Ready to serve requests.
2008/03/21 12:00:17| Done reading /usr/local/squid/var/cache swaplog (688
entries)
2008/03/21 12:00:17| Finished rebuilding storage from disk.
2008/03/21 12:00:17|   688 Entries scanned
2008/03/21 12:00:17| 0 Invalid entries.
2008/03/21 12:00:17| 0 With invalid flags.
2008/03/21 12:00:17|   688 Objects loaded.
2008/03/21 12:00:17| 0 Objects expired.
2008/03/21 12:00:17| 0 Objects cancelled.
2008/03/21 12:00:17| 0 Duplicate URLs purged.
2008/03/21 12:00:17| 0 Swapfile clashes avoided.
2008/03/21 12:00:17|   Took 0.4 seconds (1801.4 objects/sec).
2008/03/21 12:00:17| Beginning Validation Procedure
2008/03/21 12:00:17|   Completed Validation Procedure
2008/03/21 12:00:17|   Validated 688 Entries
2008/03/21 12:00:17|   store_swap_size = 4320k
2008/03/21 12:00:17| storeLateRelease: released 0 objects







Re: [squid-users] writing my own authenticator

2008-03-21 Thread paul cooper
I think I'm also confused about the interaction between the browser, squid
and external authenticators in spite of reading Ch12 several times.
It says ..Ch6 lists tokens you can pass from squid -> helper and the
external ACL helper interface allows additional information from helper
to squid ...as keyword=value pairs.

so browser -> request to squid
the %LOGIN in the external helper examples refers to an authenticated user
obtained by another (squid - exclusively squid???) process (eg NCSA/PAM
etc)

request then goes: squid -> helper. The helper can do what it likes and
returns a string to squid. If the string is ERR then squid will deny
access. If it is OK then squid allows access to the cache. In addition
the user=xxx can also be passed back from the helper to squid.

Can squid then use this user as the basis for an ACL?

So why did my perl example that outputs a file to the disk not write the
file, which it did when executed from the CL? How do I see the data that
is going to and from the helper and verify it's executing the helper as I
expect?

Sorry to have so many questions. Is there anything that goes into any more
detail than Squid: The Definitive Guide?








Re: [squid-users] debugging ACLs

2008-03-20 Thread paul cooper
I've got it configured like this:

logformat squid %tl %ru %Ss %ru  %un  %ul  %ue  %ea
external_acl_type ip_user_helper %SRC %LOGIN
/usr/libexec/squid/ip_user_check  -f /etc/squid/ip_user.conf

[EMAIL PROTECTED] ~ $ cat /etc/squid/ip_user.conf
127.0.0.1   ALL

hepworth squid # cat /etc/squid/squid.conf |grep ^acl
acl all src 0.0.0.0/0.0.0.0
acl ip_user external ip_user_helper
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
hepworth squid # cat /etc/squid/squid.conf |grep ^http
http_access allow ip_user
http_access deny all
http_port 3128
hepworth squid #

and the output is this:
[EMAIL PROTECTED] ~ $ tail -n1  /var/log/squid/access.log
20/Mar/2008:14:07:57 + http://www.google.com/ TCP_DENIED
http://www.google.com/  -  -  -  -
[EMAIL PROTECTED] ~ $


2008/03/20 14:07:57| aclCheckFast: list: 0x82a7748
2008/03/20 14:07:57| aclMatchAclList: checking all
2008/03/20 14:07:57| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/20 14:07:57| aclMatchIp: '127.0.0.1' found
2008/03/20 14:07:57| aclMatchAclList: returning 1
2008/03/20 14:07:57| aclCheck: checking 'http_access allow ip_user'
2008/03/20 14:07:57| aclMatchAclList: checking ip_user
2008/03/20 14:07:57| aclMatchAcl: checking 'acl ip_user external   
ip_user_helper'
2008/03/20 14:07:57| aclMatchAcl: returning 0 sending authentication
challenge.
2008/03/20 14:07:57| aclMatchAclList: no match, returning 0
2008/03/20 14:07:57| aclCheck: requiring Proxy Auth header.
2008/03/20 14:07:57| aclCheck: match found, returning 2
2008/03/20 14:07:57| aclCheckCallback: answer=2
2008/03/20 14:07:57| The request GET http://www.google.com/ is DENIED,
because it matched 'ip_user'
2008/03/20 14:07:57| The reply for GET http://www.google.com/ is ALLOWED,
because it matched 'ip_user'


The pages aren't being served.
According to the logfile %un %ul %ue %ea aren't set.





Re: [squid-users] debugging ACLs

2008-03-19 Thread paul cooper
OS= gentoo linux
squid = 2.6.17





Re: [squid-users] debugging ACLs

2008-03-19 Thread paul cooper
So I've tried to simplify this to see if I can work out what's going on.

squid 2.6.17 on gentoo linux


/etc/squid/ip_user.conf
127.0.0.1   ALL

/etc/squid/squid.conf
hepworth andrew # grep ^[a-z] /etc/squid/squid.conf
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive off
external_acl_type ip_user_helper %SRC %LOGIN
/usr/libexec/squid/ip_user_check  -f /etc/squid/ip_user.conf
acl all src 0.0.0.0/0.0.0.0
acl hepworth external ip_user_helper
http_access allow hepworth
http_access deny all
icp_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
debug_options ALL,1  33,2 28,9
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname AnnesHouse
forwarded_for off
coredump_dir /var/cache/squid
hepworth andrew #

and I use a browser to get http://www.bbc.co.uk, which - cache access denied


and this in cache.log:

2008/03/19 21:37:16| aclCheckFast: list: 0x82a76f0
2008/03/19 21:37:16| aclMatchAclList: checking all
2008/03/19 21:37:16| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/19 21:37:16| aclMatchIp: '127.0.0.1' found
2008/03/19 21:37:16| aclMatchAclList: returning 1
2008/03/19 21:37:16| aclCheck: checking 'http_access allow hepworth'
2008/03/19 21:37:16| aclMatchAclList: checking hepworth
2008/03/19 21:37:16| aclMatchAcl: checking 'acl hepworth external
ip_user_helper'
2008/03/19 21:37:16| aclMatchAcl: returning 0 sending authentication
challenge.
2008/03/19 21:37:16| aclMatchAclList: no match, returning 0
2008/03/19 21:37:16| aclCheck: requiring Proxy Auth header.
2008/03/19 21:37:16| aclCheck: match found, returning 2
2008/03/19 21:37:16| aclCheckCallback: answer=2
2008/03/19 21:37:16| The request GET http://www.bbc.co.uk/ is DENIED,
because it matched 'hepworth'
2008/03/19 21:37:16| The reply for GET http://www.bbc.co.uk/ is ALLOWED,
because it matched 'hepworth'


It would appear to be authenticating the user (ie ALL from 127.0.0.1),
so where is it denying the request?







[squid-users] debugging ACLs

2008-03-18 Thread paul cooper
Is there a way to find out where the request is being denied?

I'm trying the ip_user external helper (as per the book)

external_acl_type ip_user_helper %SRC %LOGIN
/usr/libexec/squid/ip_user_check -f /etc/squid/ip_user.conf

and # cat /etc/squid/ip_user.conf
192.168.0.0/24  andrew
hepworth squid #

If it returns the user name, can I then control further access with the
user name?
I get an access denied - is there a way of showing how it's processing the
ACLs?




Re: [squid-users] debugging ACLs

2008-03-18 Thread paul cooper
A follow-on.

I've turned up debugging to
debug_options ALL,1  33,2 28,9

squid.conf has
hepworth andrew # cat -n /etc/squid/squid.conf |grep ip_user
   405  external_acl_type ip_user_helper %SRC %LOGIN
/usr/libexec/squid/ip_user_check -f /etc/squid/ip_user.conf
hepworth andrew #
hepworth andrew # cat -n /etc/squid/squid.conf |grep andr
   563  acl andrew  ext_user andrew
   642  http_access allow andrew
hepworth andrew #


I've tried in ip_user.conf (LAN IP address for this machine is
192.168.0.200)

192.168.0.0/24  andrew
127.0.0.1   andrew

The relevant bit (I think) of the output:

2008/03/18 17:26:29| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2008/03/18 17:26:29| aclMatchAclList: no match, returning 0
2008/03/18 17:26:29| aclCheck: checking 'http_access allow andrew'
2008/03/18 17:26:29| aclMatchAclList: checking andrew
2008/03/18 17:26:29| aclMatchAcl: checking 'acl andrew  ext_user
andrew'
2008/03/18 17:26:29| aclMatchAclList: no match, returning 0
2008/03/18 17:26:29| aclCheck: checking 'http_access allow our_networks'
2008/03/18 17:26:29| aclMatchAclList: checking our_networks
2008/03/18 17:26:29| aclMatchAcl: checking 'acl our_networks src
192.168.0.0/24 '
2008/03/18 17:26:29| aclMatchIp: '127.0.0.1' NOT found
2008/03/18 17:26:29| aclMatchAclList: no match, returning 0
2008/03/18 17:26:29| aclCheck: checking 'http_access deny all'
2008/03/18 17:26:29| aclMatchAclList: checking all
2008/03/18 17:26:29| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2008/03/18 17:26:29| aclMatchIp: '127.0.0.1' found
2008/03/18 17:26:29| aclMatchAclList: returning 1

So the username authentication seems not to be getting through.
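For the helper protocol asked about in the two 'writing my own authenticator' posts and the ip_user denials in the 'debugging ACLs' posts, below is a Squid external_acl_type helper written as an added example (Python; it is not the poster's Perl script and not Squid's ip_user_check). It reads the '%SRC %LOGIN' line Squid sends per lookup, answers each with exactly one 'OK user=...' or 'ERR' line, and traces every exchange on stderr; the table layout, SAMPLE_TABLE and SAMPLE_REQUESTS are constructed to match the thread's ip_user.conf.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper (constructed example: not the thread's Perl script
and not Squid's ip_user_check). Squid sends one request per line in the format given
on the external_acl_type line, here '%SRC %LOGIN' -> '<ip> <user>', and expects
exactly one reply line per request: 'OK [key=value ...]' or 'ERR'."""
import sys
from ipaddress import ip_address, ip_network

# Constructed table in the layout of the thread's ip_user.conf, and request lines
# in the shape Squid would send for the '%SRC %LOGIN' format
SAMPLE_TABLE = "192.168.0.0/24  andrew\n127.0.0.1   ALL\n"
SAMPLE_REQUESTS = ["127.0.0.1 emma\n", "192.168.0.200 andrew\n",
                   "192.168.0.200 emma\n", "10.0.0.1 andrew\n"]


def load_table(text):
    """Parse '<ip or cidr> <user|ALL>' lines; '#' starts a comment."""
    table = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            net, user = line.split()
            table.append((ip_network(net, strict=False), user))
    return table


def decide(table, request_line):
    """Turn one request line into the reply line Squid should get back."""
    parts = request_line.split()
    if len(parts) != 2:
        return "ERR"                         # malformed line: fail closed
    src, login = parts
    if login == "-":                         # Squid sends '-' for an empty field
        return "ERR"
    try:
        ip = ip_address(src)
    except ValueError:
        return "ERR"
    for net, user in table:
        if ip in net and user in ("ALL", login):
            # user= hands the name back to Squid for ext_user ACLs and %ue logging
            return f"OK user={login}"
    return "ERR"


def log(msg):
    # Squid appends helper stderr to cache.log: this is how to watch the exchange
    print(f"ip_user helper: {msg}", file=sys.stderr, flush=True)


def serve(table, lines, out=sys.stdout):
    """Answer every request line in order; also returns the replies for inspection."""
    replies = []
    for line in lines:
        line = line.rstrip("\n")
        reply = decide(table, line)
        log(f"{line!r} -> {reply}")
        out.write(reply + "\n")
        out.flush()                          # a buffered reply leaves Squid waiting
        replies.append(reply)
    return replies


def demo():
    """Run the constructed requests through the constructed table."""
    return serve(load_table(SAMPLE_TABLE), SAMPLE_REQUESTS)


if __name__ == "__main__":
    if "--demo" in sys.argv:
        demo()                               # prints OK user=emma, OK user=andrew, ERR, ERR
    else:                                    # as launched by Squid: helper <conf-file>
        with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/squid/ip_user.conf") as fh:
            serve(load_table(fh.read()), sys.stdin)
```

Note that '%LOGIN' in the format makes Squid require proxy authentication before it calls the helper at all, which is the 'sending authentication challenge' line in the logs above, so an auth_param program has to be configured for an ACL built on this helper to ever match.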