Re: [squid-users] Problem with transparent authentication and restricted pages

From: Gonzalo Morera <gmorera_at_novell.com>
Date: Tue, 01 Feb 2011 16:34:44 +0000

Thanks a lot Amos

I really appreciate the time you spent to explain the issue. Now I see where my error was and I understand better how Squid processes the rules. Great learning experience.

Thanks

Gonzalo
 
>>> Amos Jeffries <squid3_at_treenet.co.nz> 1/2/2011 11:51 AM >>>
On 01/02/11 21:50, Gonzalo Morera wrote:
> Thanks Amos
>
> I'm pretty new to Squid and trying to catch up as fast as I can, but still some of your statements are difficult for me to understand.
>
> What I posted are all the http rules I've got. Everything works fine, except for this little issue with the IPUser.
> When a user with the Novell client tries to access a page and it is not restricted, they are authenticated transparently and the page is displayed. When a user with no Novell client requests a page, the browser presents the auth page and after entering username/password, the page is served or denied. Up to here it is fine.
> Now the remaining issue is when an IPUser requests a banned page: instead of getting the deny message, they get the auth page to enter username/password. This is what I want to change, just send the forbidden.
> I've tried Chad's suggestion but I still can not make it work. This is how my squid.conf looks.
>

Oh, okay I have slightly misunderstood you earlier as well. I was
thinking you wanted the ldap_group tests to work for the IPUser people.

You are almost right. The problem is a missing rule.

For the overview of what is going on:

Each line starts with a directive stating what it does
(ie "http_access ").

Squid will process each set of access directive lines from the top down.
Tests ("acl") within each line are tested left-to-right until either:
   one fails, then skip to the next line.
   all matched, then stop checking and perform the allow/deny action.

If there is any point where Squid does not have enough information to
process a test it will stop and fetch that information.

In your case the group ACLs need to find an answer provided by the
ldap_group "external_acl_type" program. So Squid will step aside and
find that answer.
  In order to get the answer it has to first pass %LOGIN (the
username:password credentials) to the helper. So it will do the HTTP
auth challenge to get them.
  ** This is what you see as the 407 message or popup.

Hope this helps. Below I will trace this process through your config and
detail where I think the problem occurs, why, and what to do about it...

>
> auth_param basic program /usr/sbin/squid_ldap_auth -Z -D cn=xxxx,o=laboratorio -w xxxx -b o=laboratorio -s sub -f "(&(objectclass=User)(cn=%s))" -h 192.168.0.205 -p 389
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
>
> #
> external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
> #
> external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -Z -D "cn=xxxx,o=laboratorio" -w "xxxx" -b "o=laboratorio" -s sub -f "(&(objectClass=Person)(cn=%u)(groupMembership=cn=%g,ou=servicios,ou=gye,o=laboratorio))" -h 192.168.0.205 -p 389
>

Aha, as I thought.

Use this:
   external_acl_type ldap_group %EXT_USER:none /usr/sbin...

<snip "fast" group ACL all fine>
>
>
> # Seemless automatic access based on IP address
> # Access through the "IP User" external helper
> acl Full_Access external IPUser internet_nr
> acl Restricted_Access external IPUser internet_r
>
> # Access to users prompted with username/password dialogue
> # Full access
> acl lab_Full external ldap_group internet_nr
>
> # Restricted access
> acl lab_Restricted external ldap_group internet_r
>
>
<snip initial defaults, all fine>
>
> # Domains free to all users without needing to authenticate.
> http_access allow Open_Domains
> # IP addresses of hosts that don't need to authenticate (usually automation hosts #performing automated downloads and without a Novell client.
> http_access allow Auth_Not_Required
> # Let users with full Internet access discovered by the IPUser method go anywhere.
> http_access allow Full_Access
>
> # Let users with restricted Internet access discovered by the IPUser method go #anywhere except for the ban list
> http_access allow Restricted_Access !Banned_URLs
>

... okay thinking the IPUser bypass stuff all done?

The problem starts here.

At this point Squid has the state that:
  * "Full_Access" IPUsers have already been allowed to go anywhere. They
will never reach here.
  * "Restricted_Access" have been allowed to their safe spots

... BUT there is no rule saying what to do with "Restricted_Access"
IPUsers going to other places (ie Banned_URLs).
   Squid will keep going and hit "lab_Full" which does auth.

To solve it I would place this line right here in your config order:

  http_access deny Restricted_Access

> # If the IPUser method fails then we need to revert to username/password #authentication
> # Let users with full access who entered username/password go anywhere
> http_access allow lab_Full
> # Ban list again
> http_access deny Banned_URLs
>
<snip the rest, looks fine>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
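The top-down, left-to-right, first-full-match evaluation that Amos describes above, and the effect of the missing `http_access deny Restricted_Access` line, can be checked without a running proxy. The following simulator is an added example written for this archive page; it is not Squid code and not part of either poster's configuration. It models the posted ACL names with constructed lookup tables standing in for the IPUser and ldap_group helpers (the IPs, logins and hostnames are made up), treats a `%LOGIN` ACL evaluated on a request without credentials as the point where Squid would issue a 407 challenge, and assumes the snipped tail of the config ends with `allow lab_Restricted` and `deny all`. It does not model the `%EXT_USER` change Amos suggests.

```python
"""Simulate Squid http_access evaluation for the ACL layout discussed above (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the IPUser and ldap_group helper answers.
IPUSER_TABLE = {"10.0.0.10": "internet_nr", "10.0.0.20": "internet_r"}  # src IP -> group
LDAP_GROUPS = {"alice": {"internet_nr"}, "bob": {"internet_r"}}          # login -> groups
BANNED = ("facebook.example", "games.example")                            # constructed ban list
OPEN_DOMAINS = ("intranet.example",)
AUTH_NOT_REQUIRED = ("10.0.0.99",)


@dataclass
class Request:
    src: str
    host: str
    login: Optional[str] = None  # None: no Proxy-Authorization header on the request


class NeedAuth(Exception):
    """An ACL needs %LOGIN but the request has no credentials: Squid would send a 407."""


def ipuser(group):
    """acl ... external IPUser <group>: answered from the source IP alone."""
    return lambda r: IPUSER_TABLE.get(r.src) == group


def ldap_group(group):
    """acl ... external ldap_group <group>: needs %LOGIN, so it forces the auth challenge."""
    def test(r):
        if r.login is None:
            raise NeedAuth()
        return group in LDAP_GROUPS.get(r.login, set())
    return test


ACLS = {
    "Open_Domains": lambda r: r.host in OPEN_DOMAINS,
    "Auth_Not_Required": lambda r: r.src in AUTH_NOT_REQUIRED,
    "Full_Access": ipuser("internet_nr"),
    "Restricted_Access": ipuser("internet_r"),
    "lab_Full": ldap_group("internet_nr"),
    "lab_Restricted": ldap_group("internet_r"),
    "Banned_URLs": lambda r: r.host in BANNED,
    "all": lambda r: True,
}


def evaluate(rules, req):
    """Lines top-down; ACLs on a line left-to-right; first line whose ACLs all match wins."""
    for action, acl_names in rules:
        matched = True
        for name in acl_names:
            negate = name.startswith("!")
            result = ACLS[name.lstrip("!")](req)
            if result == negate:  # this test failed: skip to the next line
                matched = False
                break
        if matched:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(rules, req):
    """Final outcome as the client would see it: 'allow', 'deny' or a '407 challenge'."""
    try:
        return evaluate(rules, req)
    except NeedAuth:
        return "407 challenge"


# The posted order (tail after the snip is assumed).
ORIGINAL = [
    ("allow", ["Open_Domains"]),
    ("allow", ["Auth_Not_Required"]),
    ("allow", ["Full_Access"]),
    ("allow", ["Restricted_Access", "!Banned_URLs"]),
    ("allow", ["lab_Full"]),
    ("deny", ["Banned_URLs"]),
    ("allow", ["lab_Restricted"]),
    ("deny", ["all"]),
]

# Same order with Amos's suggested line inserted right after the Restricted_Access allow.
FIXED = ORIGINAL[:4] + [("deny", ["Restricted_Access"])] + ORIGINAL[4:]

if __name__ == "__main__":
    banned_by_ipuser = Request("10.0.0.20", "facebook.example")
    print("original:", decide(ORIGINAL, banned_by_ipuser))  # falls through to lab_Full -> 407
    print("fixed:   ", decide(FIXED, banned_by_ipuser))     # stops at the new deny line
```

Running the module shows the reported symptom (a restricted IPUser hitting a banned host falls past the `Restricted_Access !Banned_URLs` line into `lab_Full`, which needs credentials, so the client gets a challenge) and that the added deny line short-circuits before any `%LOGIN` ACL is reached, while non-client users still get the challenge and are then sorted by their LDAP group.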
Received on Tue Feb 01 2011 - 16:34:54 MST
