I've got squid set up using Kerberos authentication. I'm also using squidguard as a URL redirector to block out the usual nastiness of the web. There are some sites though that we allow certain users to, and others not. This all works well, assuming I'm not using any streaming.

From what I can determine from the squid logs and the wireshark traces I've done, when the initial request to stream is sent, everything is good: the authenticated username is sent with the request to squidguard. The problem is that on subsequent traffic the username is not sent to squidguard, causing it to be blocked based on the default policy.

I've tried using the squid built-in allow/deny stuff, but it's relatively clunky, and so far squidguard has been pretty easy and fast.

Here comes the question(s):

  • How do I get Squid to pass the username on all requests? (something tells me this isn't the best way)
  • How do I get squidguard to see that traffic is authenticated to a specific user even when a username isn't passed?
  • Is there any other way of accomplishing this?

A few details that may be of importance:

  • I'm using a list of users stored in a text file for squidguard to compare against.
  • I'm using full Kerberos auth with Squid.
  • CentOS 6.0
  • Squid 3.1.4
  • Squidguard 1.3

Edit

For clarification I've added the following calamaris snippet to demonstrate what's happening:

    wsXX.domain.local                       534   5.99      34M   3.04    1   69.93
      *.outsidedomain.com                   204  14.22       5M  20.66    0   92.14
     <error>                                137   0.00       0M   0.00    0  589.16

    user2@DOMAIN.LOCAL@wsXX.domain.local    115   0.00       1M   0.00   70    0.16
     *.outsidedomain.com                     84   0.00       1M   0.00   73    0.17
     <error>                                 24   0.00       0M   0.00   21    0.00

* EDIT *

As I've ventured further down the rabbit hole, it appears that in particular it's not authenticating replies to HTTP requests. In fact, if I put in the statement

    http_reply_access deny !auth

it will not allow any https traffic, but will allow most http traffic. I'm completely stumped; it actually appears like it's letting unauthenticated traffic through (will be testing that today) [Tested, and it will allow unauthenticated http traffic, but not https], although I have the following lines in my squid.conf:

    http_access deny !auth
    http_access allow auth
    http_access deny all

* EDIT * I've fixed unauthenticated http and https; everything appears to be working well, except for streaming sites still :(

For what it's worth, I had to change the following line in the config

    http_access deny !Safe_ports

to

    http_access deny !Safe_ports !auth

Steve Butler
  • Looks like there are others trying to do this as well. I found the following link that indicates the same problem. http://squid-web-proxy-cache.1019090.n4.nabble.com/Proxy-Authorization-headers-td3990177.html – Steve Butler Nov 28 '11 at 19:54

1 Answer

So, I figured this out. It turns out there were some other ACLs in my squid.conf that were allowing non-authenticated traffic through the proxy. Because those rules were being hit before the rules to deny non-authenticated traffic, the traffic was being sent through unauthenticated.

I hope this serves as a good resource for anyone out there trying to do anything similar.

Steve Butler
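The first-match ordering problem the answer describes, as an added example (not code from the question, the answer, or Squid itself): a small Python model of Squid's http_access evaluation that flags allow lines an unauthenticated client can reach before the `deny !auth` line. The `localnet` ACL, the reduced `Safe_ports` set and the request fields are assumptions chosen to illustrate the case.

```python
from typing import List, Optional, Tuple
from dataclasses import dataclass

@dataclass
class Request:
    src: str              # client address
    port: int             # destination port
    user: Optional[str]   # None means the client has not authenticated

def acl_matches(name: str, req: Request) -> bool:
    # Hypothetical ACL definitions standing in for a real squid.conf (assumed).
    if name == "all":
        return True
    if name == "auth":         # acl auth proxy_auth REQUIRED
        return req.user is not None
    if name == "Safe_ports":   # assumed subset of the stock Safe_ports list
        return req.port in {80, 443}
    if name == "localnet":     # acl localnet src 10.0.0.0/8 (assumed)
        return req.src.startswith("10.")
    raise ValueError(f"unknown acl {name}")

Rule = Tuple[str, List[str]]   # ("allow" | "deny", ["!Safe_ports", ...])

def evaluate(rules: List[Rule], req: Request) -> Tuple[str, Optional[int]]:
    """First-match http_access evaluation: all terms on a line are ANDed,
    a leading '!' negates a term, and if nothing matches the default is the
    opposite of the last line's action (as Squid does). Returns (action, index)."""
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, i
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

MISORDERED: List[Rule] = [
    ("deny", ["!Safe_ports"]),
    ("allow", ["localnet"]),   # stray allow: matched before the auth check
    ("deny", ["!auth"]),
    ("allow", ["auth"]),
    ("deny", ["all"]),
]
CORRECTED: List[Rule] = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["!auth"]),       # authentication decided before any allow line
    ("allow", ["localnet", "auth"]),
    ("deny", ["all"]),
]

def unauthenticated_leaks(rules: List[Rule], probes: List[Request]) -> List[Request]:
    """Probes an unauthenticated client gets 'allow' for; should be empty."""
    return [p for p in probes if p.user is None and evaluate(rules, p)[0] == "allow"]
```

Feeding a few constructed probes through `unauthenticated_leaks` against each ordering shows the stray allow line admitting the anonymous request in MISORDERED and nothing in CORRECTED.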