
RE: [dansguardian] How to exempt specific sites from Basic-Authentication

  • John D. Spinuzzi
    Message 1 of 7 , Apr 16 7:42 PM
      Are you using Squid for your proxy?

      -----Original Message-----
      From: dansguardian@yahoogroups.com [mailto:dansguardian@yahoogroups.com] On
      Behalf Of zab_crypto
      Sent: Monday, April 16, 2012 8:18 AM
      To: dansguardian@yahoogroups.com
      Subject: [dansguardian] How to exempt specific sites from
      Basic-Authentication

      Hi all,
      i just setup dans+squid with basic-authentication successfully. I am
      wondering if there's a way to exempt specific sites from authentication.
      Access to our public websites, or google.com should not require
      authentication in our scenario.

      Any ideas?

      Cheers,
      zab



      ------------------------------------

      For unsubscribing, mailing list rules and posting guidelines please see:
      http://dansguardian.org/?page=mailinglist
    • zab_crypto
      Message 2 of 7 , Apr 17 2:07 AM
        Hi John!
        Yes, i use squid (listening on TCP 3128), DG (listening on TCP 8080), clam and bind9 (see ver. below if required). The basic authentication scheme is configured in squid and DG and it's working fine.

        However, i exempted some sites from authentication in squid's ACL, to enable the users to browse these sites without the need to authenticate (example):

        acl google_website dstdomain .google.com
        acl my_websites dstdomain "/etc/squid3/my_websites.conf"
        acl my_network src 192.168.1.0/24
        acl authenticated proxy_auth REQUIRED src my_network

        http_access allow my_network google_website
        http_access allow my_network my_websites
        http_access allow authenticated
        http_access deny all

        I expected that if squid doesn't ask for auth neither DG would, but that's not the case.

        If i configure my browser to use proxy: proxysrv:3128, then i can browse the google_website and my_websites without authentication. As soon as i open for example www.amazon.com i am asked for authentication. If i authenticate www.amazon.com is loaded.

        If i point my browser's proxy-configuration to proxy:8080, then i am asked for authentication for every website (always). If i authenticate the requested website loads.

        Basically, i am looking for a way to tell DG not to use the authplugin proxy-basic.conf for specific websites. Since i'm new to DG i don't know how to accomplish this. And i couldn't find any documentation or examples on this specific subject.

        cheers,
        zab

        root@proxysrv:/etc/squid3# dpkg -l | egrep '(bind9|clamav|dans|squid)' | tr -s " "
        ii bind9 1:9.8.1.dfsg.P1-2 Internet Domain Name Server
        ii bind9-doc 1:9.8.1.dfsg.P1-2 Documentation for BIND
        ii bind9-host 1:9.8.1.dfsg.P1-2 Version of 'host' bundled with BIND 9.X
        ii bind9utils 1:9.8.1.dfsg.P1-2 Utilities for BIND
        ii clamav 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - command-line interface
        ii clamav-base 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - base package
        ii clamav-daemon 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - scanner daemon
        ii clamav-docs 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - documentation
        ii clamav-freshclam 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - virus database update utility
        ii dansguardian 2.10.1.1-4 Web content filtering
        ii libbind9-80 1:9.8.1.dfsg.P1-2 BIND9 Shared Library used by BIND
        ii libclamav6 0.97.3+dfsg-2.1ubuntu1 anti-virus utility for Unix - library
        ii libdansguardian-perl 0.6-2 Simple module for administer dansguardian's control files
        ii squid-langpack 20111114-1 Localized error pages for Squid
        ii squid3 3.1.19-1ubuntu1 Full featured Web Proxy cache (HTTP proxy)
        ii squid3-common 3.1.19-1ubuntu1 Full featured Web Proxy cache (HTTP proxy) - common files
        ii squidview 0.79-1build1 monitors and analyses squid access.log files


        --- In dansguardian@yahoogroups.com, "John D. Spinuzzi" <jd@...> wrote:
        >
        > Are you using Squid for your proxy?
        >
        > -----Original Message-----
        > From: dansguardian@yahoogroups.com [mailto:dansguardian@yahoogroups.com] On
        > Behalf Of zab_crypto
        > Sent: Monday, April 16, 2012 8:18 AM
        > To: dansguardian@yahoogroups.com
        > Subject: [dansguardian] How to exempt specific sites from
        > Basic-Authentication
        >
        > Hi all,
        > i just setup dans+squid with basic-authentication successfully. I am
        > wondering if there's a way to exempt specific sites from authentication.
        > Access to our public websites, or google.com should not require
        > authentication in our scenario.
        >
        > Any ideas?
        >
        > Cheers,
        > zab
        >
        >
        >
        > ------------------------------------
        >
        > For unsubscribing, mailing list rules and posting guidelines please see:
        > http://dansguardian.org/?page=mailinglist
        >
      • Scott Mayo
        Message 3 of 7 , Apr 17 6:13 AM
          On Tue, Apr 17, 2012 at 4:07 AM, zab_crypto <zab.crypto@...> wrote:

          >
          >
          >
          > Hi John!
          > Yes, i use squid (listening on TCP 3128), DG (listening on TCP 8080), clam
          > and bind9 (see ver. below if required). The basic authentication scheme is
          > configured in squid and DG and it's working fine.
          >
          > However, i exempted some sites from authentication in squid's ACL, to
          > enable the users to browse these sites without the need to authenticate
          > (example):
          >
          > acl google_website dstdomain .google.com
          > acl my_websites dstdomain "/etc/squid3/my_websites.conf"
          > acl my_network src 192.168.1.0/24
          > acl authenticated proxy_auth REQUIRED src my_network
          >
          > http_access allow my_network google_website
          > http_access allow my_network my_websites
          >

          What happens if you just leave:

          http_access allow google_website

          Does it still ask for authentication? I am no squid expert and it has been
          a while since I edited my conf, but I believe the:

          http_access allow my_network google_website

          is an ~AND~ so both must match, which I would think would work since one is
          your source, but I am not sure. Just curious if it works by leaving off
          the ~my_network~ part.

          --
          Scott


        • Scott Mayo
          Message 4 of 7 , Apr 17 6:30 AM
            On Tue, Apr 17, 2012 at 8:13 AM, Scott Mayo <scotgmayo@...> wrote:
            >
            >
            > On Tue, Apr 17, 2012 at 4:07 AM, zab_crypto <zab.crypto@...>
            > wrote:
            >>
            >>
            >>
            >> Hi John!
            >> Yes, i use squid (listening on TCP 3128), DG (listening on TCP 8080), clam
            >> and bind9 (see ver. below if required). The basic authentication scheme is
            >> configured in squid and DG and it's working fine.
            >>
            >> However, i exempted some sites from authentication in squid's ACL, to
            >> enable the users to browse these sites without the need to authenticate
            >> (example):
            >>
            >> acl google_website dstdomain .google.com
            >> acl my_websites dstdomain "/etc/squid3/my_websites.conf"
            >> acl my_network src 192.168.1.0/24
            >> acl authenticated proxy_auth REQUIRED src my_network
            >>
            >> http_access allow my_network google_website
            >> http_access allow my_network my_websites
            >
            >
            > What happens if you just leave:
            >
            > http_access allow google_website
            >
            > Does it still ask for authentication?  I am no squid expert and it has been
            > a while since I edited my conf, but I believe the:
            >
            > http_access allow my_network google_website
            >
            > is an ~AND~ so both must match, which I would think would work since one is
            > your source, but I am not sure.  Just curious if it works by leaving off
            > the ~my_network~ part.

            BTW, I just looked at my conf because I do the exact same thing that
            you are talking about here. I am not sure since it has been so long
            since I have set up DG/Squid, but here is how I have it compared to
            yours.

            acl authenticated proxy_auth REQUIRED src my_network
            http_access allow my_network my_websites

            I only have something like:

            acl authenticated proxy_auth REQUIRED
            http_access allow my_websites

            I am wondering since you have 'acl my_network src 192.168.1.0/24' and
            then 'acl authenticated proxy_auth REQUIRED src my_network' , when you
            have a line that starts with 'http_access allow my_network...' if it
            is saying that the source must be 192.168.1.0 and also it must be
            authenticated?

            Also, if you are not proxying google then I would think all your
            searches would show anything. I know you still cannot go to the site,
            but if you go to images or videos, you would get the small screenie,
            which may be fine in your case. I still authenticate for google, but
            put it on the greylist.


            --
            Scott
          • sichent
            Message 5 of 7 , Apr 17 3:29 PM
              On 4/17/2012 11:07 AM, zab_crypto wrote:
              > <skip..>
              >
              > http_access allow my_network google_website
              > http_access allow my_network my_websites
              > http_access allow authenticated
              > http_access deny all
              >
              > I expected that if squid doesn't ask for auth neither DG would, but that's not the case.
              >
              > If i configure my browser to use proxy: proxysrv:3128, then i can browse the google_website and my_websites without authentication. As soon as i open for example www.amazon.com i am asked for authentication. If i authenticate www.amazon.com is loaded.
              >
              > If i point my browser's proxy-configuration to proxy:8080, then i am asked for authentication for every website (always). If i authenticate the requested website loads.
              >
              > Basically, i am looking for a way to tell DG not to use the authplugin proxy-basic.conf for specific websites. Since i'm new to DG i don't know how to accomplish this. And i couldn't find any documentation or examples on this specific subject.
              >


              Hello zab_crypto,

              What do you use in DG that is not present in Squid to completely exclude
              DG from the equation?

              sich
            • zab_crypto
              Message 6 of 7 , Apr 18 4:10 AM
                Thanks, for helping!!!

                I found the reason for the problem, today.

                The problem was XFF related. Somehow, i managed to have XFF working in squid without using the "follow_x_forwarded_for"-option in squid. DG was properly configured for XFF, all the time.

                Today, i noticed that nonauthenticated clients still appear with src IP 127.0.0.1 in squid's access.log, while authenticated clients appear with their real IP address.

                Therefore my squid ACLs couldn't match. However, i fixed that by adding these two lines and changing some ACLs:

                acl dansguardian src 127.0.0.1/32
                follow_x_forwarded_for allow dansguardian

                -----------

                The working squid ACL configuration looks like this, now:

                acl_uses_indirect_client on # XFF related
                delay_pool_uses_indirect_client on # XFF related
                log_uses_indirect_client on # XFF related

                acl dansguardian src 127.0.0.1/32 # XFF related
                follow_x_forwarded_for allow dansguardian # XFF related

                acl cache_manager proto cache_object # cachemgr related
                acl localhost src 127.0.0.1/32
                acl nonauth_hosts src "/etc/squid3/nonauth_hosts" # define clients w/o authentication
                acl our_networks src "/etc/squid3/our_networks" # define client-networks
                acl nonauth_sites dstdomain "/etc/squid3/nonauth_sites" # define sites w/o authentication
                acl authenticated proxy_auth REQUIRED src "/etc/squid3/our_networks"

                acl SSL_ports port 443
                acl Safe_ports port 80 # http
                acl Safe_ports port 21 # ftp
                acl Safe_ports port 443 # https
                acl Safe_ports port 8443 # https
                acl Safe_ports port 70 # gopher
                acl Safe_ports port 210 # wais
                acl Safe_ports port 1025-65535 # unregistered ports
                acl Safe_ports port 280 # http-mgmt
                acl Safe_ports port 488 # gss-http
                acl Safe_ports port 591 # filemaker
                acl Safe_ports port 777 # multiling http
                acl CONNECT method CONNECT

                http_access allow nonauth_hosts # clients w/o authentication (not using DG)
                http_access allow our_networks nonauth_sites # sites w/o authentication (not using DG)
                http_access allow authenticated # authenticated clients (with DG)
                http_access deny cache_manager !localhost # deny nonlocal cachemgr-access
                http_access deny !Safe_ports # deny non Safe_ports
                http_access deny CONNECT !SSL_ports
                http_access deny all # deny everything else

                -----------

                cheers,
                zab

                --- In dansguardian@yahoogroups.com, sichent <sichent@...> wrote:
                >
                > On 4/17/2012 11:07 AM, zab_crypto wrote:
                > > <skip..>
                > >
                > > http_access allow my_network google_website
                > > http_access allow my_network my_websites
                > > http_access allow authenticated
                > > http_access deny all
                > >
                > > I expected that if squid doesn't ask for auth neither DG would, but that's not the case.
                > >
                > > If i configure my browser to use proxy: proxysrv:3128, then i can browse the google_website and my_websites without authentication. As soon as i open for example www.amazon.com i am asked for authentication. If i authenticate www.amazon.com is loaded.
                > >
                > > If i point my browser's proxy-configuration to proxy:8080, then i am asked for authentication for every website (always). If i authenticate the requested website loads.
                > >
                > > Basically, i am looking for a way to tell DG not to use the authplugin proxy-basic.conf for specific websites. Since i'm new to DG i don't know how to accomplish this. And i couldn't find any documentation or examples on this specific subject.
                > >
                >
                >
                > Hello zab_crypto,
                >
                > What do you use in DG that is not present in Squid to completely exclude
                > DG from the equation?
                >
                > sich
                >
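
Added example (not part of the original thread, and not Squid's own code): a simplified Python model of the fix described in message 6, showing how trusting X-Forwarded-For only from the DansGuardian address changes which source IP the src ACLs see, and that the header is ignored when it arrives from any other peer. The 192.168.1.0/24 network, the .google.com site and the client addresses are constructed stand-ins for the /etc/squid3/* files, whose contents the thread does not show; the nonauth_hosts rule is left out.

```python
import ipaddress

# Constructed values modelled on the thread (the /etc/squid3/* file contents
# are not shown there, so the network and site below are assumptions).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]  # acl dansguardian
OUR_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]   # acl our_networks
NONAUTH_SITES = [".google.com"]                           # acl nonauth_sites


def in_nets(ip, nets):
    """True if ip parses as an address inside one of nets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. "unknown" in an X-Forwarded-For list
        return False
    return any(addr in net for net in nets)


def indirect_client(peer_ip, xff, trusted):
    """Backtrack X-Forwarded-For right to left while the current hop is trusted."""
    current = peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops and in_nets(current, trusted):
        current = hops.pop()
    return current


def dst_matches(host, domains):
    """dstdomain-style match: a leading dot also covers subdomains."""
    host = host.lower()
    for d in domains:
        if d.startswith(".") and (host == d[1:] or host.endswith(d)):
            return True
        if host == d:
            return True
    return False


def decide(peer_ip, xff, host, user, follow_xff):
    """First-match walk over: allow our_networks nonauth_sites; allow authenticated."""
    src = indirect_client(peer_ip, xff, TRUSTED_PROXIES if follow_xff else [])
    if in_nets(src, OUR_NETWORKS) and dst_matches(host, NONAUTH_SITES):
        return src, "ALLOW (no auth)"
    if user is None:
        return src, "407 (auth required)"
    return src, "ALLOW (authenticated)"


if __name__ == "__main__":
    # DansGuardian (127.0.0.1) forwards a request from 192.168.1.50.
    print(decide("127.0.0.1", "192.168.1.50", "www.google.com", None, False))
    print(decide("127.0.0.1", "192.168.1.50", "www.google.com", None, True))
    # A host outside the trusted list sends its own X-Forwarded-For header.
    print(decide("203.0.113.9", "192.168.1.50", "www.google.com", None, True))
```

Keeping the follow_x_forwarded_for allow list limited to the filter's own address is what keeps the nonauth_sites exemption tied to the real client network: a header supplied by any other peer is never consulted.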