Squid whitelist only for one auth user - proxy

To be honest, I'm not sure if this is easy to do (or possible for that matter) as I've combed over the squid docs and didn't find what I needed.
I am using a squid4 proxy with basic ncsa authentication. Here's what I would like to accomplish: I have two users on my proxy with ncsa authentication. I would like for one user to be able to access anything on the proxy (standard http_access allow), and the other user to be limited to a whitelist of one URL that they can access.
Here is the authentication portion of my squid.conf:
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl squid_users proxy_auth REQUIRED
http_access deny !squid_users
http_access allow squid_users
http_access deny all
Is there a way to http_access allow/deny for only one user with authentication, or am I missing something?
I don't really know what to do for this one factor, so any help would be appreciated, thanks!

You can't expect to have squid treat the users differently if you don't separate them in your config.
Take a look at the "a more complex example" at: https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
Specifically, after defining the auth_param section, you should use something like:
acl UsersGroupA proxy_auth "/etc/squid/groupa.txt"
acl SitesGroupA dstdomain "/etc/squid/sites.a.txt"
acl UsersGroupB proxy_auth "/etc/squid/groupb.txt"
acl authenticated_users proxy_auth REQUIRED
# rules allowing authenticated users
http_access allow SitesGroupA UsersGroupA # this will force both whitelisted urls AND users of group "A" (the limited group)
http_access allow UsersGroupB # this will only force users of group B (the unlimited group)
# catch-all rule
http_access deny all
And additionally, if you need to specify ports, you should do that on the same line:
acl CONNECT method CONNECT  # defined in the default squid.conf; repeated so the fragment is self-contained
acl http proto HTTP         # likewise needed for the "http" ACL referenced below
acl port_80 port 80
acl port_443 port 443
http_access allow http port_80 SitesGroupA UsersGroupA
http_access allow CONNECT port_443 SitesGroupA UsersGroupA

Related

How can I create multiple IPs in squid.conf?

How can I make multiple outgoing IP addresses on a single squid proxy server?
I have configured multiple IPs as below in the squid.conf file, but when I try to send a request through the proxy, it is sent from the primary IP of the server. I want to send requests from the virtual IP.
http_port 182.xx.xx.5:3131
http_port 182.xx.xx.6:3132
acl proxy1 src 182.xx.xx.5
acl proxy2 src 182.xx.xx.6
http_access allow proxy1
http_access allow proxy2
tcp_outgoing_address 182.xx.xx.5 proxy1
tcp_outgoing_address 182.xx.xx.5 proxy2
Please suggest where I am wrong.
I have taken 2 Elastic IPs in AWS EC2 and configured them to point to the instance where I installed the squid proxy. Now I need to install multiple proxy servers on the same instance with different outgoing IPs.

Not able to access EC2 instance in same VPC via private IP

I have 2 EC2 instances (one Windows and one Linux) in the same subnet. I am trying to access one instance from the other via private IP but I am not able to do so.
In security groups, both instances belong to the same security group, and the security group allows all traffic from the same security group.
I am not even able to ping one instance from the other using the private IP address.
Any pointers on what could be wrong here?
By default the Windows firewall will deny all inbound requests (including ping), but the firewall also contains a list of Exceptions (otherwise it would block everything!). Those Exceptions are a set of rules that describe what connections should be allowed in, out of the box.
To allow any additional connections, you just add a new rule to the firewall. There is a Wizard in the Windows Firewall GUI for viewing and creating rules, but I find it easier to use a PowerShell one-liner like this to allow ping:
New-NetFirewallRule -DisplayName "Inbound LAN Ping" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 192.168.1.0/24 -Action Allow
The above will allow any IP between 192.168.1.1 ... 192.168.1.255 to send ping requests to your Windows host (all other RemoteAddress values will still be ignored). I'm assuming here your Linux machine's IP is for example 192.168.1.1 and your Windows machine's IP is 192.168.1.123.
As a rule of thumb, you should only open up the minimal number of ports, to as few IP/IP ranges as possible.
This will likely be the result of Windows firewall being enabled, with default settings it will block ping access (among other things).
Disabling it should enable inbound/outbound access to work for ping. This is a temporary measure and should not be considered a permanent workaround.
You should enable whitelisting in the Windows firewall to allow the ports you would like inbound or outbound to have network access to/from other resources within the network.
More information is available in this link.

Tinyproxy Reverse Proxy "Access denied"

I'm using tinyproxy to reverse proxy. I have three subdomains pointed to the same server, and we need them to point to specific ports internally. That is, port 80 from any particular subdomain, mapped to a particular port. See the config example below.
The config looks like this:
Port 80
#Allow 127.0.0.1
#ReverseOnly yes
upstream 127.0.0.1:8115 "website.example.com"
upstream 127.0.0.1:3000 "api.example.com"
upstream 127.0.0.1:9000 "socket.example.com"
When I pull up any subdomain, all I get is:
Access denied
The administrator of this proxy has not configured it to service requests from your host.
Generated by tinyproxy version 1.8.3.
I cannot find adequate documentation anywhere. I'm thinking of contacting the maintainers. Please help.
I hope you already got the answer, but if you have not, here is the setting to allow clients to connect to your proxy:
#
# Allow: Customization of authorization controls. If there are any
# access control keywords then the default action is to DENY. Otherwise,
# the default action is ALLOW.
#
# The order of the controls are important. All incoming connections are
# tested against the controls based on order.
#
Allow 127.0.0.1
#Allow 192.168.0.0/16
#Allow 172.16.0.0/12
#Allow 10.0.0.0/8
Allow 0.0.0.0/0
In my example here, I allow 0.0.0.0/0 because I'm configuring a reverse proxy from the Internet to my other VPS.
Also, your configuration above is for a forward proxy, not a reverse proxy.
To enable reverse proxy function, you need at least the following:
ConnectPort 80
ConnectPort 443
ReversePath "/" "http://<your server IP>:8080/"
ReverseOnly Yes
ReverseMagic Yes

Haproxy SNI vs HTTP Host ACL check performance

I have an HAProxy 1.5 setup which offloads SSL in front of a couple of webservers (this way, they deal only with HTTP).
My SSL certificate is a wildcard and we are balancing to different backends based on the FQDN.
My frontend config looks like this:
...
frontend my-frontend
bind ip:443 ssl crt /var/etc/haproxy/wildcard_cert.pem
mode http
log global
option httplog
option forwardfor
use_backend my-backend if { ssl_fc_sni my.domain.org }
use_backend my-backend2 if { ssl_fc_sni my2.domain.org }
acl is-domain hdr(host) -i my.domain.org
acl is-domain2 hdr(host) -i my2.domain.org
use_backend my-backend if is-domain
use_backend my-backend2 if is-domain2
...
The special option ssl_fc_sni can be used in case of SSL offloading to access the SNI value (whereas the other option req_ssl_sni applies in case of SSL pass-through)
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#ssl_fc_sni
I wanted to know if ssl_fc_sni performs faster than HTTP Header extraction ACLs? Is there a chance for HAProxy to extract the SNI value and use it before reading the HTTP content, extracting the Host: header and computing my second ACL?
Or is the performance just the same?
Thanks,
I've asked the same question on the haproxy mailing list and I got an answer:
ssl_fc_sni performs faster than hdr(host), but it will be imperceptible.
It's a bad idea to use the SNI value as a backend selector. The basic hdr(host) is definitely more standard, clean and safe.
Mailing list archive :
http://marc.info/?l=haproxy&m=144490809910124&w=2

Squid deny acl does not work as documented

I have the following Squid config on my server
http_access deny CONNECT !SSL_ports
If I connect to facebook using my server as a proxy
curl -L 'https://facebook.com' -x 'myserver'
The request is denied, the error message is TCP_DENIED/403,
but if I change the setting to
http_access allow CONNECT SSL_ports
It works.
As the Squid documentation says,
http_access deny CONNECT !SSL_ports
allows CONNECT only through the SSL_ports. Why does this setting deny my request?
The ACL CONNECT will identify all the requests with the HTTP method CONNECT.
Now, let's see Squid's default configuration for using the CONNECT method:
acl SSL_ports port 443
http_access deny CONNECT !SSL_ports
By default, Squid will allow the CONNECT HTTP method only for SSL port 443, which is the
standard port for HTTPS communication. Again, we should go with the default configuration
and add more ports to the SSL_ports ACL as the need arises.
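The following is an added example, not code from either post: a small Python model of how Squid evaluates http_access lines, run against the two-group ruleset from the first answer (UsersGroupA limited to SitesGroupA, UsersGroupB unlimited, deny all) and against the single "deny CONNECT !SSL_ports" line from the question above. The user names, hosts and inlined group/site lists are constructed stand-ins.

```python
# Added example, not from either post: model of Squid http_access evaluation.
# Semantics modelled: lines are tested in order; a line matches only if every
# ACL on it matches ('!' negates one ACL); the first matching line decides;
# if nothing matches, Squid applies the opposite of the last line's action.
# User names, hosts and the inlined file contents are constructed stand-ins.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    user: Optional[str]   # proxy_auth user, None if no credentials were sent
    host: str             # destination domain
    port: int             # destination port
    method: str = "GET"

def dstdomain(patterns, host):
    # Squid dstdomain: "x.example" is exact, ".x.example" also matches subdomains
    return any(host == p or (p.startswith(".") and (host == p[1:] or host.endswith(p)))
               for p in patterns)

# ACL definitions; the group/site files are inlined instead of read from /etc/squid
ACLS = {
    "UsersGroupA": lambda r: r.user in {"limited"},                    # groupa.txt
    "SitesGroupA": lambda r: dstdomain([".allowed.example"], r.host),  # sites.a.txt
    "UsersGroupB": lambda r: r.user in {"unlimited"},                  # groupb.txt
    "authenticated_users": lambda r: r.user is not None,               # proxy_auth REQUIRED
    "CONNECT": lambda r: r.method == "CONNECT",                        # acl CONNECT method CONNECT
    "SSL_ports": lambda r: r.port == 443,                              # acl SSL_ports port 443
    "all": lambda r: True,
}

def acl_matches(name, req):
    return not ACLS[name[1:]](req) if name.startswith("!") else ACLS[name](req)

def http_access(rules, req):
    """rules: list of (action, [acl, ...]) in squid.conf order; returns 'allow' or 'deny'."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"   # no line matched

TWO_GROUP_RULES = [                      # http_access lines from the first answer
    ("allow", ["SitesGroupA", "UsersGroupA"]),
    ("allow", ["UsersGroupB"]),
    ("deny", ["all"]),
]
CONNECT_ONLY_RULES = [("deny", ["CONNECT", "!SSL_ports"])]   # the single line from the question
```

With only that one deny line in place, a CONNECT to port 443 matches nothing and falls through to the documented default (the opposite of the last line), so a deny seen in practice comes from other http_access lines in the full configuration.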