Re: [squid-users] Fwd: Problem "whitelisting" .shiprush.com

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 24 Sep 2013 23:41:05 +1200

On 24/09/2013 3:17 a.m., Chris Nighswonger wrote:
> So what am I missing in the following situation?
>
> Our mail dept uses shiprush.com. The software supplied by shiprush is
> not proxy-auth friendly, so I added a
>
> acl ShipRush dstdomain .shiprush.com
>
> and
>
> http_access allow campusnet ShipRush
>
> before my http_access line requiring authentication.
>
> Yet I still see Squid3 requesting auth [1].
> What am I doing wrong?

From the sounds of it the auth is happening earlier than you think.
I see two FCAUser ACL tests being done above it for starters.

>
> I've supplied my squid.conf in redacted form [2]. (General comments
> welcome as well as those specific to this problem.)
>
> Kind Regards,
> Chris
>
>
> Misc Info:
>
> OS: Ubuntu 10.04.4 LTS
>
> Squid Cache: Version 3.1.6

Looks like time for an upgrade. Both that Squid and Ubuntu are quite old
now.

> [1] https://docs.google.com/file/d/0B5GhqVvpzpvjVE5MX2drM21HNW8/edit?usp=sharing
> [2] https://docs.google.com/file/d/0B5GhqVvpzpvjWjhQUnc4UDNweUk/edit?usp=sharing

> http_port x.x.x.247:3130
> http_port 127.0.0.1:3128
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

The above QUERY details are obsolete. Squid can cache and handle such
requests properly given an update to the refresh_pattern lines (see below).

> acl apache rep_header Server ^Apache
> cache_mem 12 MB
> maximum_object_size 32768 KB
> maximum_object_size_in_memory 200 KB
> cache_dir aufs /var/spool/squid3 477184 65 256
> access_log /var/log/squid3/access.log
> cache_log /var/log/squid3/cache.log
> cache_store_log none
> cachemgr_passwd ***** all
> debug_options ALL,1
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b
> "ou=People,dc=foo,dc=bar,dc=edu" -D
> "cn=admin,ou=People,dc=foo,dc=bar,dc=edu" -P ***** -d ldap.foo.bar.edu
> auth_param basic children 30
> auth_param basic realm Campus Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440

Add this pattern right here:
   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 0 20% 4320
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl masada src x.x.x.247/32
> acl campusnet src x.x.x.0/24 192.168.3.0/24
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 334
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 10000
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl PURGE method PURGE
> acl FTP proto FTP
> acl AuthorizedUsers proxy_auth REQUIRED
> acl WindowsUpdate dstdomain download.microsoft.com
> ntservicepack.microsoft.com .update.microsoft.com .windowsupdate.com
> windowsupdate.microsoft.com wustat.windows.com c.microsoft.com
> crl.microsoft.com watson.microsoft.com wpa.one.microsoft.com
> genuine.microsoft.com
> acl WindowsCRL dstdomain go.microsoft.com sls.microsoft.com
> crl.microsoft.com activation.sls.microsoft.com
> acl UbuntuUpdate dstdomain .ubuntu.com
> acl AdobeUpdate dstdomain .adobe.com
> acl IEPhishFilter dstdomain urs.microsoft.com
> acl Webmin src x.x.x.247-x.x.x.247/32
> acl Zipcode dstdomain dail-a-zip.com
> acl USPSShipping dstdomain webtoolsdevprod.usps.com
> production.shippingapis.com secure.shippingapis.com
> acl ShipRush dstdomain .shiprush.com
> acl UnauthAccess dstdomain update.services.openoffice.org .ibackup.com
> ding.southwest.com www.ncsecu.org .snapfish.com .viastreaming.net
> pearsonassess.com .harcourtassessment.com .linux.ncsu.edu
> yui.yahooapis.com .toshibapc.com .verisign.com .uniblue.com
> .classicsonline.com .sendtoprint.net .e-sword.com .e-sword.net .hp.com
> .strawberryperl.com .cpan.org
> acl VOIP_domain dstdomain sipprov.lgdacom.net
> acl PressUnauthAccess dstdomain ftp.edwardsbrothers.com
> acl FidelityBank dstdomain pob-w.fidelitybanknc.com .infotechalliance.com
> acl TurboTax dstdomain .intuit.com
> acl Adobe dstdomain get.adobe.com wwwimages.adobe.com
> dlmping.adobe.com ftpdownload.adobe.com armdl.adobe.com
> fpdownload.adobe.com fpdownload2.macromedia.com
> acl AntiVirusAccess dstdomain .symantechliveupdate.com .avast.com
> view.atdmt.com .avg.com .grisoft.com .grisoft.cz .trendmicro.com .ca.com
> acl SSL_Cert dstdomain .thawte.com
> acl Java browser Java/1.4 Java/1.5 Java/1.6
> acl Sun dstdomain .sun.com
> acl JavaUpdate urlpath_regex -i ^/update
> acl JavaRelated dstdomain sjremetrics.java.com
> acl Update dstdom_regex -i update
> acl Sonic dstdom_regex -i sonic
> acl InstallShield dstdom_regex -i installshield
> acl ipauthex src x.x.x.111/32 x.x.x.119/32 x.x.x.77/32 x.x.x.45/32
> x.x.x.17/32
> acl IntranetSites dstdomain .foo.bar.edu
> acl GoogleSites dstdomain .google.com
> acl iTunes dstdomain .mzstatic.com .itunes.apple.com albert.apple.com
> gs.apple.com .gcsp.cddbp.net .phobos.apple.com deimos3.apple.com
> acl CertificateServers dstdomain ocsp.entrust.net crl.entrust.net
> .public-trust.com crl.globalsign.net
> acl VPNnet src x.x.x.x/24
> acl FCAUser proxy_auth username
> acl FCATimeLimits time 16:00-17:00
> forwarded_for truncate
> follow_x_forwarded_for allow all

You may as well not have a firewall with that in your config file.
*Any* client can forge entries in the X-Forwarded-For header. The
"follow_x_forwarded_for allow all" makes squid trust and use *all*
possible IP address values in there.

For example, any client sending the header "X-Forwarded-For: 127.0.0.1"
has completely unlimited access through your proxy thanks to your first
http_access permission rule...

> http_access allow localhost
> http_access allow manager localhost
> http_access allow manager masada
> http_access deny manager
> http_access allow localhost PURGE
> http_access allow masada PURGE
> http_access deny PURGE
> http_access allow CONNECT Zipcode campusnet
> http_access allow CONNECT Safe_ports campusnet
> http_access deny CONNECT !SSL_ports
> http_access allow FTP
> http_access allow ipauthex
> http_access allow VPNnet
> http_access allow FCAUser FCATimeLimits
> http_access deny FCAUser

Your stated problem... these FCAUser ACLs perform authentication and
exist before the "allow campusnet UnauthAccess" intended auth bypass
rule below.

> http_access allow AntiVirusAccess
> http_access allow campusnet UnauthAccess
> http_access allow campusnet VOIP_domain
> http_access allow campusnet USPSShipping
> http_access allow campusnet ShipRush
> http_access allow campusnet WindowsUpdate
> http_access allow campusnet WindowsCRL
> http_access allow campusnet UbuntuUpdate
> http_access allow campusnet AdobeUpdate
> http_access allow campusnet IEPhishFilter
> http_access allow campusnet JavaRelated
> http_access allow campusnet Sun JavaUpdate
> http_access allow campusnet Java
> http_access allow campusnet Sonic Update
> http_access allow campusnet InstallShield Update
> http_access allow campusnet TurboTax
> http_access allow campusnet SSL_Cert
> http_access allow campusnet Adobe
> http_access allow campusnet PressUnauthAccess
> http_access allow campusnet IntranetSites
> http_access allow campusnet iTunes
> http_access allow campusnet CertificateServers
> http_access allow campusnet AuthorizedUsers
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr support_at_bar.edu
> append_domain .foo.bar.edu

NP: append_domain is not much use without dns_defnames also being set to
"on".

> store_avg_object_size 20 KB
> coredump_dir /var/spool/squid3
> client_persistent_connections on
> server_persistent_connections on
> persistent_connection_after_error on
> visible_hostname masada.foo.bar.edu
> negative_ttl 5 minutes
> negative_dns_ttl 1 minutes

Amos
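As an added example for this thread (not Squid's own code), here is a small Python model of Squid's top-to-bottom, first-match http_access evaluation that reproduces both points Amos makes: the FCAUser proxy_auth line challenges the campus client before the "allow campusnet ShipRush" line is ever reached, and "follow_x_forwarded_for allow all" lets a forged "X-Forwarded-For: 127.0.0.1" satisfy the very first "allow localhost" rule. The redacted x.x.x.0/24 campus network is written as the constructed 10.1.1.0/24, and the FCATimeLimits time ACL is approximated by an hour value.

```python
import ipaddress

def client_ip(req, follow_xff):
    # "follow_x_forwarded_for allow all": the left-most X-Forwarded-For value
    # becomes the client address, whatever the TCP peer actually was.
    if follow_xff and req.get("xff"):
        return req["xff"].split(",")[0].strip()
    return req["peer"]

def src(*nets):
    return lambda req, xff: any(ipaddress.ip_address(client_ip(req, xff))
                                in ipaddress.ip_network(n) for n in nets)

def dstdomain(*doms):
    # A leading dot matches the domain itself and every subdomain.
    return lambda req, xff: any(req["host"] == d.lstrip(".") or
                                (d.startswith(".") and req["host"].endswith(d)) for d in doms)

def proxy_auth(*users):
    # None means "no credentials": Squid stops here and sends a 407 challenge.
    return lambda req, xff: None if req.get("user") is None else (
        users == ("REQUIRED",) or req["user"] in users)

ACLS = {  # the subset of the posted squid.conf that matters for the problem;
    "localhost": src("127.0.0.1/32"),  # x.x.x.0/24 is constructed as 10.1.1.0/24
    "campusnet": src("10.1.1.0/24", "192.168.3.0/24"),
    "ShipRush": dstdomain(".shiprush.com"),
    "FCAUser": proxy_auth("username"),
    "FCATimeLimits": lambda req, xff: 16 <= req["hour"] < 17,   # 16:00-17:00
    "AuthorizedUsers": proxy_auth("REQUIRED"),
    "all": lambda req, xff: True,
}

def http_access(rules, req, follow_xff=False):
    """First-match evaluation: 'allow', 'deny' or 'auth_required'."""
    for action, acls in rules:
        for acl in acls:
            r = ACLS[acl](req, follow_xff)
            if r is None:
                return "auth_required"
            if not r:
                break            # line does not match; fall through to the next
        else:
            return action
    return "deny"

ORIGINAL = [("allow", ["localhost"]), ("allow", ["FCAUser", "FCATimeLimits"]),
            ("deny", ["FCAUser"]), ("allow", ["campusnet", "ShipRush"]),
            ("allow", ["campusnet", "AuthorizedUsers"]), ("deny", ["all"])]
# Amos' point: the auth bypass line must precede every proxy_auth line.
FIXED = [ORIGINAL[0], ORIGINAL[3]] + ORIGINAL[1:3] + ORIGINAL[4:]
```

With ORIGINAL, a campus client fetching www.shiprush.com without credentials gets a 407 at the FCAUser line; with FIXED the same request is allowed, while an outside client is still allowed under ORIGINAL or FIXED as soon as a forged X-Forwarded-For is trusted.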
Received on Tue Sep 24 2013 - 11:41:10 MDT
