Re: [squid-users] Ignore auth specific site

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 03 Oct 2012 11:17:13 +1300

On 03.10.2012 01:42, Leonardo Bacha Abrantes wrote:
> Hi Guys,
>
> I'm facing problems with one specific site which runs Java. The site
> continuously opens a Java window requesting the proxy credentials.
> How can I ignore the authentication for a specific site?
>

Like Kinkie already said, you will find an example in the wiki.

There are a few strange things in your config which need fixing.
Comments inline below...

> Squid Cache: Version 3.1.10
>
>
> my squid.conf:
>
> http_port xxx.xxx.xxx.xxx:3128
> append_domain .contoso.local
> cache_effective_user squid
> cache_mem 4 GB
> cache_effective_group squid
> forwarded_for off
> httpd_suppress_version_string on
> visible_hostname myserver.contoso.local
> hierarchy_stoplist cgi-bin ?

You can remove hierarchy_stoplist from squid-3.1+. It has no purpose
without cache_peer entries, and in those cases the default regex patterns
are not useful nowadays anyway.

> retry_on_error on
> pipeline_prefetch on
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp --domain=contoso
> auth_param ntlm children 25
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic --domain=contoso
> auth_param basic children 15
> auth_param basic realm Para prosseguir e necessario digitar seu login
> de rede.
> auth_param basic credentialsttl 1 hours
>
> acl localnetwork src 192.168.10.0/25
> acl AuthorizedUsers proxy_auth -i "/etc/squid/default_access.acl"
> acl unlimitedBandwidth src "/etc/squid/unlimited_bandwidth"
> acl localhost src 127.0.0.1
>
> acl java browser Java/1.4 Java/1.5 Java/1.6
> http_access allow java
>
> cache_dir ufs /var/spool/squid 6144 16 256
> coredump_dir /var/spool/squid
> maximum_object_size_in_memory 1 MB
> maximum_object_size 64 MB
> minimum_object_size 0 KB
>
> acl manager proto cache_object
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 8080 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 1025-65535 # unregistered ports
> acl purge method PURGE
> acl CONNECT method CONNECT
>
>
> delay_pools 2
>
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_access 1 allow unlimitedBandwidth localhost
> delay_access 1 deny all

You can remove this pool entirely. It does nothing but waste CPU
calculating bandwidth usage by the matched transactions.

>
> delay_class 2 2
> delay_parameters 2 -1/-1 65536/65536
> delay_access 2 allow localnetwork !unlimitedBandwidth !localhost
> delay_access 2 deny all

Um, so limit people from the localnetwork who are not in unlimited
Bandwidth AND not going to localhost?
  Meaning anyone outside the unlimitedBandwidth contacting the localhost
has unlimited speed.

The earlier pool seems to be acting as a complicated replacement for
"delay_access 2 deny unlimitedBandwidth localhost". So, I suspect you
actually want:

   delay_pools 1
   delay_class 1 2
   delay_parameters 1 -1/-1 65536/65536

   delay_access 1 deny unlimitedBandwidth localhost
   delay_access 1 allow localnetwork
   delay_access 1 deny all

>
> http_reply_access allow AuthorizedUsers

Remove the above http_reply_access line.

It is FAR too late to bother with starting authentication. The remote
server has already been passed the request and is sending or has sent the
reply back before the http_reply_access ever gets checked.

You also have "http_access allow java" above, and several lines below,
which bypass authentication on requests. Doing auth on the reply for those
requests will cause the client requests to happen, then present an auth
page as the response instead of whatever the server actually produced.

> logformat combined [%tl] %un %>a %rm %Ss %Hs %ru
> access_log /var/log/squid/access.log squid
> access_log /var/log/squid/gerencia.log combined
> cache_store_log /var/log/squid/store.log
>
> redirect_program /etc/squidGuard/bin/squidGuard -c
> /usr/local/squidGuard/squidGuard.conf
> redirect_children 30
>
> http_access allow localhost unlimitedBandwidth SSL_ports
> http_access allow unlimitedBandwidth

NP: unlimitedBandwidth also has sub-meaning of "unlimited access
permissions". So allowing them access to localhost SSL ports specially
as well as "anywhere" is not useful and wastes CPU.

> http_access allow AuthorizedUsers
> http_access deny CONNECT !SSL_ports
> http_access deny all
>

A series of deny lines ending with "deny all" is almost meaningless.
The only way they could be useful is if it were testing some external
ACL lookup which had side effects on the transaction (user credentials
assignment, transaction tagging, deny_info redirect, etc).

The "deny CONNECT !SSL_ports" is also a basic security measure to
prevent clients performing blind TCP tunnels (CONNECT requests) over the
proxy to any port they choose. Your "allow java" and "allow
unlimitedBandwidth" being above this are opening massive security holes
through your proxy.

In summary, I recommend changing your http_access lines to:

  http_access deny CONNECT !SSL_ports
  http_access allow unlimitedBandwidth
  http_access allow java
  http_access allow AuthorizedUsers
  http_access deny all

>
> cache_swap_low 90
> cache_swap_high 95
>
> dns_nameservers 192.168.10.2 192.168.10.3
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i exe$ 0 50% 259200
> refresh_pattern -i zip$ 0 50% 259200
> refresh_pattern -i rar$ 0 50% 259200
> refresh_pattern -i tar\.gz$ 0 50% 259200

The above can compact down to:
   refresh_pattern -i (zip|rar|tar\.gz|exe)$ 0 50% 259200

Although I rather think you mean it to be:
   refresh_pattern -i \.(zip|rar|tar\.gz|exe)$ 0 50% 259200

> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> request_header_access All allow all

NP: permitting transaction request headers through the proxy is
default. You can remove the above request_header_access line.

HTH
Amos
Received on Tue Oct 02 2012 - 22:17:16 MDT
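As an added illustration (not code from the thread, and not Squid's own implementation), the Python model below walks through Squid's first-match http_access evaluation so the two rule orders discussed in the reply can be compared side by side: the posted order, in which "allow java" and "allow AuthorizedUsers" sit above "deny CONNECT !SSL_ports", and the recommended order, which puts the CONNECT restriction first. It also checks the refresh_pattern anchoring point ("exe$" versus "\.exe$"). The ACL names come from the posted squid.conf; the contents of the unlimited_bandwidth and default_access.acl files are not on the page, so those sets, and all sample requests, are constructed. A request without credentials is treated as simply not matching proxy_auth; real Squid would send a 407 challenge instead.

```python
"""Model of Squid's first-match http_access evaluation (illustration only)."""
import ipaddress
import re

# ACL definitions from the posted squid.conf. The two ACL files are not on
# the page, so these sets are assumed sample contents.
UNLIMITED_SRC = {"192.168.10.5"}      # assumed contents of /etc/squid/unlimited_bandwidth
AUTHORIZED_USERS = {"alice", "bob"}   # assumed contents of /etc/squid/default_access.acl
LOCALNETWORK = ipaddress.ip_network("192.168.10.0/25")
JAVA_UA = re.compile(r"Java/1\.4|Java/1\.5|Java/1\.6")   # acl java browser ...

ACLS = {
    "localnetwork": lambda r: ipaddress.ip_address(r["src"]) in LOCALNETWORK,
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "unlimitedBandwidth": lambda r: r["src"] in UNLIMITED_SRC,
    # proxy_auth -i: case-insensitive user match; no credentials -> no match here
    "AuthorizedUsers": lambda r: r["user"] is not None
    and r["user"].lower() in AUTHORIZED_USERS,
    "java": lambda r: bool(JAVA_UA.search(r["ua"])),
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "all": lambda r: True,
}


def acl_matches(name, req):
    """Evaluate one ACL reference; a leading '!' negates it, as in squid.conf."""
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](req) != negate


def http_access(rules, req):
    """Squid semantics: every ACL on a line must match (AND); the first fully
    matching line decides (first match wins). If no line matches, Squid
    applies the opposite of the last line's action."""
    for action, *acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# http_access lines in file order as posted ("allow java" appears first).
POSTED = [
    ("allow", "java"),
    ("allow", "localhost", "unlimitedBandwidth", "SSL_ports"),
    ("allow", "unlimitedBandwidth"),
    ("allow", "AuthorizedUsers"),
    ("deny", "CONNECT", "!SSL_ports"),
    ("deny", "all"),
]

# The order recommended in the reply.
RECOMMENDED = [
    ("deny", "CONNECT", "!SSL_ports"),
    ("allow", "unlimitedBandwidth"),
    ("allow", "java"),
    ("allow", "AuthorizedUsers"),
    ("deny", "all"),
]


def request(src, method, port, user=None, ua="Mozilla/5.0"):
    """Build a constructed sample transaction."""
    return {"src": src, "method": method, "port": port, "user": user, "ua": ua}


SAMPLES = {  # constructed transactions, not from the thread
    "java GET to port 80": request("192.168.10.50", "GET", 80, ua="Java/1.6.0_35"),
    "java CONNECT to SMTP port 25": request("192.168.10.50", "CONNECT", 25, ua="Java/1.6.0_35"),
    "authed user CONNECT to SSH port 22": request("192.168.10.51", "CONNECT", 22, user="alice"),
    "authed user CONNECT to port 443": request("192.168.10.51", "CONNECT", 443, user="alice"),
    "unauthenticated GET": request("192.168.10.52", "GET", 80),
}


def compare(rules_a, rules_b, samples=SAMPLES):
    """Return {description: (decision under rules_a, decision under rules_b)}."""
    return {d: (http_access(rules_a, r), http_access(rules_b, r)) for d, r in samples.items()}


# refresh_pattern anchoring: without the leading "\." the pattern matches any
# URL whose path merely ends in those letters, not just those file extensions.
LOOSE = re.compile(r"(zip|rar|tar\.gz|exe)$", re.IGNORECASE)
STRICT = re.compile(r"\.(zip|rar|tar\.gz|exe)$", re.IGNORECASE)


def refresh_matches(url):
    """Return (matches the posted loose pattern, matches the anchored pattern)."""
    return (bool(LOOSE.search(url)), bool(STRICT.search(url)))


if __name__ == "__main__":
    for desc, (posted, recommended) in compare(POSTED, RECOMMENDED).items():
        print(f"{desc:38s} posted={posted:5s} recommended={recommended}")
    for url in ("http://example.com/docs/annexe", "http://example.com/setup.EXE"):
        print(url, refresh_matches(url))
```

Running it shows the hole the reply describes: with the posted order a Java User-Agent can CONNECT to port 25, and any authenticated user can CONNECT to port 22, because those allow lines are reached before the CONNECT restriction; with the recommended order both are denied while CONNECT to 443 and plain GETs are unaffected. The refresh_pattern check shows "http://example.com/docs/annexe" being treated as an executable download by the unanchored pattern.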