
List:       squid-users
Subject:    Re: [squid-users] Squid with MySQL auth not denying pages with
From:       prashantbhosale <bhoslepu () gmail ! com>
Date:       2017-04-27 4:01:05
Message-ID: 1493265665008-4682206.post () n4 ! nabble ! com

Thanks Amos for reply!!!

> > On 27/04/17 00:04, prashantbhosale wrote:

> > I am setting up simple squid server for denying URL's. Below is my squid
> > config, URL's are getting blocked and TCP_DENIED/403 seen in access.log
> > file.
> > But not showing error message/page shown in browser.
> > 
> > Another main task that I want to do is Squid authentication with MySQL.
> > Followed the instructions provided on
> > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Mysql#Squid_Installation
> > Auth is working. But one problem is now the denied log is with
> > TCP_DENIED/407 instead of TCP_DENIED/403
> > and no user is specified in log.
> This usually means the browser did not send any credentials at all to
> Squid. The 407 is Squid telling the browser it needs to login.

I agree with this, but I am authenticated in the browser and these
TCP_DENIED/407 logs are for the ad URLs that are present on the page being viewed.

> > 1493126753.944      0 x.x.x.x TCP_DENIED/407 4510 GET
> > http://tg.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRVuMwyhZnBGWkFKlkeoNe9zdlbSwQUK5o1rgEYODDhcHoF4BF2o869kBQCED3fM9dlZGIkaXhmllPjYgM%3D
> >                 
> > - HIER_NONE/- text/html
> > Below is config with MySQL auth:
> > ubuntu@proxy:~$ cat /etc/squid/squid.conf
> > auth_param basic program /usr/lib/squid3/basic_db_auth --user root
> > --password pass@123 --plaintext  --persist
> Okay ... assuming the defaults: your database name is 'squid', table
> name is 'passwd', and has an 'enabled' column containing '1' for the
> user account being tested.

Yes, using defaults, and I have also tested login on the command line, as:
ubuntu@ip-172-31-33-25:~$ /usr/lib/squid3/basic_db_auth --user root
--password pass@123 --plaintext --persist
test pass
OK


> If not then the 407 is authentication will fail due to the SQL query not
> returning any useful credentials to compare with those given by the
> browser(if any).

...
> > #acl db-auth proxy_auth REQUIRED
> > #http_access allow db-auth
> The above (when uncommented) will only allow authenticated users. Any
> clients sending bad credentials will just skip to the next lines...
> eventually reaching that "allow all". So much for requiring login.
> Better security practice is to perform checks that do not require login,
> then:
>    http_access deny !db-login
> then to do any allow/deny things for authenticated users.

Will give this a try.

> > acl addomain dstdomain "/etc/squid/addomains.acl"
> > http_access deny addomain
> > 
> > acl easyprivacy-regex url_regex -i "/etc/squid/easyprivacy.txt"
> > acl easylist-regex url_regex -i "/etc/squid/easylist.txt"
> > http_access deny easylist-regex
> > http_access deny easyprivacy-regex
> > 
> > http_access allow all
> Any http_access lines following this "allow all" are unreachable and
> pointless.

I agree.

> > http_access allow localhost
> > 
> > http_port 3128
> > 

> Amos
> _______________________________________________
> > squid-users mailing list
> > [hidden email]
> > http://lists.squid-cache.org/listinfo/squid-users



--
View this message in context: \
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-with-MySQL-auth-not-denying-pages-with-user-details-tp4682200p4682206.html
 Sent from the Squid - Users mailing list archive at Nabble.com.
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
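
Added example, not part of the original message or of Amos's reply: the rule ordering suggested in the thread, applied to the ACLs from the posted squid.conf. The ACL name db-auth comes from the commented-out lines in the post; the credential placeholders and the closing "deny all" are assumptions.

```conf
# squid.conf fragment (constructed for illustration)

# Auth helper as in the post; DB credentials replaced by placeholders.
auth_param basic program /usr/lib/squid3/basic_db_auth --user <db-user> --password <db-password> --plaintext --persist

# ACL definitions, taken from the posted config.
acl db-auth proxy_auth REQUIRED
acl addomain dstdomain "/etc/squid/addomains.acl"
acl easyprivacy-regex url_regex -i "/etc/squid/easyprivacy.txt"
acl easylist-regex url_regex -i "/etc/squid/easylist.txt"

# Stage 1: checks that do not require login.
# http_access is first-match: a request that hits one of these lines is
# refused here (TCP_DENIED/403) and no auth ACL is evaluated for it.
http_access deny addomain
http_access deny easylist-regex
http_access deny easyprivacy-regex

# Stage 2: require login. A request without valid credentials stops at
# this line and gets the 407 challenge instead of falling through to a
# later allow rule.
http_access deny !db-auth

# Stage 3: allow/deny decisions for authenticated users go here.
http_access allow db-auth

# Final catch-all (assumption): nothing after this line is reachable,
# so it must be the last http_access rule.
http_access deny all

http_port 3128
```

After editing, `squid -k parse` checks the file for syntax errors before the running proxy is reloaded.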

