I have been asked to set up a proxy that will provide a
measure of security between the Internet and a web server
that is running inside a protected network. The idea is
as follows:
1) Requests come into the Squid proxy from an Internet user
to access a timesheet application. If the user has not
logged in, Squid asks the user to log in before continuing
(possibly via ncsa_auth).
2) Once the user has successfully authenticated, Squid
forwards traffic between the user on the Internet and the
web server running a timesheet application on an internal
network.
The purpose of the Squid proxy is to serve as a guardian
between the internal web application server and the external
Internet. If they can't successfully authenticate to the Squid
proxy, the internal web server will never see them.
I am running Squid 2.5 STABLE3 on a RedHat Linux 9 server.
I have configured the Squid proxy to forward to a specific
IP address once authentication succeeds. I am able to run
ncsa_auth at the shell and get it to authenticate a userid
and password combination successfully. However, when I try
to run this on the Squid server, it passes the command through
to the server without any attempt to authenticate. This is
a copy of the config I am using (all comments removed):
debug_options ALL,1 33,2 28,9
http_port 10.0.100.31:3128
http_port 10.0.100.31:80
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log /usr/local/squid/var/logs/store.log
mime_table /usr/local/squid/etc/mime.conf
auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl foo proxy_auth REQUIRED
acl all src 0/0
http_access allow foo
http_access deny all
tcp_outgoing_address 172.16.80.2
cache_effective_user proxy
cache_effective_group proxy
cachemgr_passwd disable all
From everything I have read, this should accomplish what I
am trying to do. Nonetheless, it does not authenticate.
With comprehensive debugging turned on, I get the following
results:
2003/06/18 17:32:25| aclMatchAcl: checking 'acl all src 0/0'
2003/06/18 17:32:25| aclMatchIp: '255.255.255.255' found
2003/06/18 17:32:25| aclMatchAclList: returning 1
2003/06/18 17:32:25| aclCheckFast: list: 0x8207518
2003/06/18 17:32:25| aclMatchAclList: checking all
2003/06/18 17:32:25| aclMatchAcl: checking 'acl all src 0/0'
2003/06/18 17:32:25| aclMatchIp: '255.255.255.255' found
2003/06/18 17:32:25| aclMatchAclList: returning 1
2003/06/18 17:32:25| The reply for GET / is ALLOWED, because it matched 'all'
If you notice the last line, it says the GET is allowed
because it matched "all". But if you look at the config,
the only match for all I see is an "http_access deny all"
statement. I have a couple of questions:
1) Could this behavior be a bug? If so, what version of
Squid should I run?
2) Does anyone have a Squid config that will accomplish
what I am trying to do?
3) Or maybe I am using the wrong tool for the job -- does
anyone have a suggestion for something that will do what
I am trying to accomplish?
I have configured Squid plenty of times as a caching proxy
server with good success, but trying to use it as a firewall
proxy has me a little puzzled right now. Thanks in advance
for any help.
Dave
Received on Mon Jun 23 2003 - 19:00:27 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:35 MST
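The setup the post describes (an authenticating reverse proxy in front of one internal application) is what Squid 2.5 calls accelerator mode, and two details of that release are worth having in front of you when reading the log above. First, Squid runs two separate access checks per transaction: `http_access` on the request, and `http_reply_access` on the reply coming back from the origin; the line "The reply for GET / is ALLOWED, because it matched 'all'" is emitted by the second check, whose default in 2.5 is `http_reply_access allow all`, so it matching "all" says nothing about whether the request-side `proxy_auth` rule was consulted. Second, when a request arrives in accelerator mode Squid challenges an unauthenticated client with a 401 (WWW-Authenticate) rather than the 407 a forward proxy sends, which is what a browser pointed straight at the published hostname expects. The configuration below is an added example written for this page, not Dave's config and not something from the Squid project; the outside address 10.0.100.31, the inside address 172.16.80.10 for the timesheet server, the realm text and the user name are assumptions.

```conf
# Added example: Squid 2.5 as an authenticating reverse proxy ("accelerator")
# for a single internal web application.  Addresses, realm and user name are
# assumptions for illustration, not values from the original post.

# Listen only on the outside interface, on the port the application is
# published on.  A second listener (3128) that is not meant for Internet
# clients is an extra door; leave it out.
http_port 10.0.100.31:80
icp_port 0

# Accelerator mode, 2.5 syntax (2.6 and later moved these onto http_port).
# Every request is sent to the one internal origin regardless of the Host
# header the client supplies, and forward-proxying stays disabled.
httpd_accel_host 172.16.80.10
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_uses_host_header off
httpd_accel_with_proxy off

# Source address Squid uses towards the internal network; the web server's
# own filtering can then admit only this address.
tcp_outgoing_address 172.16.80.2

# Basic authentication against an htpasswd-style file.  Create it with
#   htpasswd -c /usr/local/squid/etc/passwd dave
# and make it readable by cache_effective_user only (it holds password hashes).
auth_param basic program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/passwd
auth_param basic children 5
auth_param basic realm Timesheet gateway
auth_param basic credentialsttl 2 hours

acl all src 0/0
acl manager proto cache_object
acl timesheet dst 172.16.80.10
acl authenticated proxy_auth REQUIRED

# Request-side check.  First matching line wins: the cache manager is never
# reachable from outside, then only authenticated requests for the published
# application are allowed, then everything else is denied.
http_access deny manager
http_access allow authenticated timesheet
http_access deny all

# Reply-side check.  This is the one that logs "The reply for GET / is
# ALLOWED"; stating the default makes it visible that it is a separate rule.
http_reply_access allow all

# A timesheet application serves per-user data; do not cache it at the gate.
no_cache deny all

cache_effective_user proxy
cache_effective_group proxy
cachemgr_passwd disable all
```

Two checks a practitioner would make before calling the gate done. On the request side, `squidclient -h 10.0.100.31 -p 80 /` without credentials should come back with a 401 and no application content, and the same request with `-u user -w password` should return the timesheet front page; `cache.log` at `debug_options 28,9` then shows the `proxy_auth` ACL being evaluated in the `http_access` pass, distinct from the reply pass quoted above. On the network side, the internal web server (or the firewall in front of it) should accept connections only from 172.16.80.2, otherwise the gate can be bypassed by anyone who can reach the server's address directly. Basic authentication sends the credentials base64-encoded, not encrypted, so across the Internet this only holds up if the listener is an `https_port` (Squid 2.5 built with `--enable-ssl`) or TLS is terminated in front of Squid; with a plain `http_port` the password is readable to anyone on the path.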