NTLM authentication on Squid proxy - authentication

I am new to Squid proxy and need help in setting up NTLM authentication.
I checked so many resources on the web but did not find exact steps to get my work done.
Since I have no background in proxy/networking configuration, I am not able to figure out what I am missing. I need this for testing purposes.
Scenario:
I have two machines.
Machine 1:
Windows Server 2012 R2, on which Squid proxy server 2.6 is deployed. This machine has an Active Directory domain configured (domain1.com).
domain1.com has the users user-1 and user-2.
Machine 2: is a member of domain1.com. Machine 1 acts as a proxy for Machine 2 (manual proxy set in Machine 2's Internet Explorer).
Windows Integrated Authentication is turned on in the Internet Explorer menu.
When I try to access google.com from Machine 2, IE prompts for authentication. I provide user-1 credentials here. However, the request does not succeed; the authentication prompt appears again and again.
squid.conf:
auth_param ntlm program C:/squid/libexec/mswin_ntlm_auth.exe --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive on
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl KnownUsers proxy_auth REQUIRED
http_access allow KnownUsers
http_access allow manager localhost
http_access allow manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
access.log:
1528144397.050 24 XX.XX.XXX.XXX TCP_DENIED/407 2151 CONNECT www.google.co.in:443 - NONE/- text/html
1528144397.056 5 XX.XX.XXX.XXX TCP_DENIED/407 1817 CONNECT www.google.co.in:443 - NONE/- text/html
Can someone please let me know what I am missing?

How to set up a mobile webserver with reverse SSH and a reverse proxy?

I'm trying to host an Apache web server on a phone with Termux, and the final goal is to make this server mobile by using 4G. To achieve this I thought it was possible to use a reverse SSH connection (to set up a connection from the phone, wherever it is on the internet) to a proxy in my home. The DNS of my website will point to this (reverse) proxy, which will redirect to my phone's web server over the reverse SSH connection.
For now, the phone server is on the same Wi-Fi network as the proxy, not on 4G.
So this phone connects to a computer which acts as a proxy, by connecting with reverse SSH on port 8082. From this computer, when I open http://localhost:8082 in a browser on the computer, it works: I have access to the website.
However I can't access the website from another device on the local network or from the internet (I tried http://IPproxyComputer:8082, and from a device on the internet I tried http://MyPublicIP with a port redirection from 80 to IPproxyComputer:8082 on my router). I don't have any firewall on.
Here is a diagram to clarify:
I didn't find anyone trying to host a web server with this config, but someone explains how to give access to a device with reverse SSH and a Squid proxy here.
So I thought this is what I must do, but with a different configuration for Squid, because in my case the request comes from someone on the internet or on the local network to the web server, so Squid must listen on a port, let's say 8081, and redirect to 8082 where the SSH connection is, but I failed to set this up.
I need help to understand two things:
- Why is the page accessible from the proxy with http://localhost:8082, but not from a device on the local network with http://IpproxyComputer:8082? Is it because of an authorization (and is it possible to change it)? Or is it just impossible to do this kind of connection?
- Is it a solution to use Squid? How do I set this up?
Here is the reverse SSH command I used from the phone web server:
ssh -R 8080:localhost:8081 UsrProxyComputer@IPproxyComputer
Here is the config I tried for Squid (it is the first time I use it and I am really a beginner in networking):
# Define the listening port and default site
# Declare that virtual hosts will be used for allowing the reverse proxy
http_port 8081 accel vhost
# First we will configure the servers in our system
cache_peer 127.0.0.1 parent 8082 0 proxy-only name=InterRedir
# Create an additional ACL for local network access
acl localip src 192.168.0.0/24
http_access allow localip
cache_peer_access InterRedir allow localip
# Next we will map domains to the specific systems
# 1) This is done by creating an ACL for the domain
# 2) Then granting http access to it to allow the connection
# to get through.
# 3) Then mapping an acl to the specific server
# MyWebSite.com
acl MyWebSite_acl dstdomain MyWebSite.Com
http_access allow MyWebSite_acl
cache_peer_access InterRedir allow MyWebSite_acl
# Additional ACL definitions
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl purge method PURGE
acl CONNECT method CONNECT
# Restrictions
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny all
# Disable caching
cache deny all

Squid Proxy: access.log lengthy response time for HTTPS/TLS

Why do some HTTPS/TLS (might be TLS 1.3 only?) connections take so long to show up in Squid Proxy's access.log?
I am running Squid Proxy 4.15 on Rocky Linux (I have tried other Linux variants with earlier Squid versions). I first thought certain sites were not going through the configured proxy (Firefox HTTP/HTTPS proxy settings), but then observed that the response time was in minutes and learned that Squid only writes to the access log once the request completes. Here's a sample:
07/Sep/2022:15:12:56 dns_time=- url="www.virustotal.com:443" duration_ms=173168 bytes=644252 mime=- src=##.##.##.##:50251 dest=74.125.34.46:443 http_method=CONNECT status=200 http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0" squid_req_hier=TCP_TUNNEL:HIER_DIRECT
The browser experience when visiting this site is normal, and when observing network connectivity via the Firefox debugger there are no in-process network calls that correlate to the 2.8m response time logged by Squid in access.log. When troubleshooting or trying to get an understanding of proxy traffic via access.log entries, this delay makes it quite difficult to derive patterns or test proper connectivity without waiting long periods of time. I've combed through http://www.squid-cache.org/Doc/config/logformat/ and other config items under http://www.squid-cache.org/Doc/config/ and cannot identify anything to log this entry more quickly or figure out what is taking so long.
Here is my Squid configuration:
acl SSL_ports port 443
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow all
http_access deny all
http_port 3128
tls_outgoing_options min-version=1.2
logformat splunk_fun %tg dns_time=%dt url="%ru" duration_ms=%tr bytes=%st mime=%mt src=%>a:%>p dest=%<a:%<p http_method=%rm status=%>Hs http_user_agent="%{User-Agent}>h" squid_req_hier=%Ss:%Sh
access_log daemon:/var/log/squid/access.log splunk_fun
Any insight into lengthy HTTPS / TLS response times (not impacting end-user browser performance) would be greatly appreciated.
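An added example, not from the question or from Squid itself: a parser for the splunk_fun logformat above that recovers when a logged CONNECT actually started. The sample line is a constructed copy of the one in the question with a private source address, and the timestamp is treated as UTC because %tg is Squid's GMT timestamp.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the question's sample line (source address replaced by a private one).
SAMPLE = ('07/Sep/2022:15:12:56 dns_time=- url="www.virustotal.com:443" duration_ms=173168 '
          'bytes=644252 mime=- src=10.0.0.7:50251 dest=74.125.34.46:443 http_method=CONNECT '
          'status=200 http_user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) '
          'Gecko/20100101 Firefox/104.0" squid_req_hier=TCP_TUNNEL:HIER_DIRECT')

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_splunk_fun(line):
    """Parse one line of the splunk_fun logformat: the %tg timestamp, then key=value pairs."""
    ts_text, _, rest = line.partition(" ")
    rec = {"logged_at": datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S").replace(tzinfo=timezone.utc)}
    for key, value in KV.findall(rest):
        rec[key] = value[1:-1] if value.startswith('"') else value
    rec["duration_ms"] = int(rec["duration_ms"])
    return rec

def explain_timing(rec):
    """Squid writes the line when the transaction ends, so the timestamp is the end and
    duration_ms (%tr) reaches back to the start. For a CONNECT that became a TCP_TUNNEL
    the transaction is the whole tunnel, so duration_ms is how long the browser kept
    that TLS connection open, not how long the page took to load."""
    started = rec["logged_at"] - timedelta(milliseconds=rec["duration_ms"])
    is_tunnel = rec["http_method"] == "CONNECT" and rec["squid_req_hier"].startswith("TCP_TUNNEL")
    return {"started_at": started, "tunnel_lifetime": is_tunnel}

if __name__ == "__main__":
    rec = parse_splunk_fun(SAMPLE)
    timing = explain_timing(rec)
    kind = "tunnel lifetime" if timing["tunnel_lifetime"] else "response time"
    print(f'{rec["url"]}: started {timing["started_at"].time()}, logged {rec["logged_at"].time()} ({kind})')
```

For the sample line this places the CONNECT at 15:10:02.832, almost three minutes before the entry was written, which is the browser holding the tunnel open rather than a slow response.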

squid proxy: How to assign different userids to different ACLs?

I am trying to restrict access to certain sites to different user id(s) per site.
An illustration of this would be: site1 may only be accessed from a given source IP and with a specific set of credentials, while site2 will be permitted to be accessed from a different source IP and with a different set of credentials than site1.
Here is what I tried first, but Squid complains of a bungled configuration.
# misc
http_port 3128
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
auth_param basic realm proxy
# Site 1 can only be accessed by user_site1
acl site1 proxy_auth user_site1
acl site1 src 192.168.100.21
acl site1 dst site1
http_access allow site1
# Site 2 can only be accessed by user_site2
acl site2 proxy_auth user_site2
acl site1 src 192.168.100.22
acl site2 dst site2
http_access allow google_auth site2
# All other sites will be denied
http_access deny all
Is it possible to configure Squid to somehow group proxy_auth under a particular ACL name? How do I restrict certain user IDs to certain destination sites?
Thank you for all the help.
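An added example, not from the question and not Squid's own code: a small model of how Squid loads acl lines and evaluates http_access (an ACL name reused with a second type is rejected, every ACL on one http_access line must match, the first matching line wins), run over a constructed per-site configuration of the kind the question is after. The user names, source addresses and .example domains are assumptions, and proxy_auth is modelled as an already-verified login name.

```python
import ipaddress

def parse_config(text):
    """Return ({acl_name: (type, values)}, [(action, [acl refs])], errors). The errors are
    what Squid refuses at startup: an ACL name reused with a different type, or an
    http_access line naming an ACL that was never defined ("all" is built in)."""
    acls, rules, errors = {"all": ("src", ["all"])}, [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words[:1] == ["acl"]:
            name, kind, values = words[1], words[2], words[3:]
            if name in acls and acls[name][0] != kind:
                errors.append(f"ACL '{name}' already exists with type {acls[name][0]}")
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[:1] == ["http_access"]:
            errors += [f"ACL '{r}' not defined" for r in words[2:] if r.lstrip("!") not in acls]
            rules.append((words[1], words[2:]))
    return acls, rules, errors

def acl_matches(acl, req):
    """Only the ACL types the question uses. proxy_auth assumes the basic_ncsa_auth helper
    already verified the password and req["user"] is the authenticated login name."""
    kind, values = acl
    if kind == "src":
        return any(v == "all" or ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":   # ".example.com" matches the domain itself and its subdomains
        return any(req["host"] == v.lstrip(".") or (v[0] == "." and req["host"].endswith(v)) for v in values)
    if kind == "proxy_auth":
        return req.get("user") is not None and ("REQUIRED" in values or req["user"] in values)
    raise ValueError(f"unsupported ACL type {kind}")

def decide(acls, rules, req):
    """First line whose ACLs all match wins (AND within a line); no match: opposite of the last action."""
    for action, refs in rules:
        if all(acl_matches(acls[r.lstrip("!")], req) != r.startswith("!") for r in refs):
            return action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"

# Constructed config doing what the question asks: a distinct user and source address
# per site, ANDed on a single http_access line, with everything else denied.
PER_SITE_CONF = """
acl user_site1 proxy_auth user_site1
acl from_site1 src 192.168.100.21
acl site1 dstdomain .site1.example
http_access allow user_site1 from_site1 site1
acl user_site2 proxy_auth user_site2
acl from_site2 src 192.168.100.22
acl site2 dstdomain .site2.example
http_access allow user_site2 from_site2 site2
http_access deny all
"""
```

Feeding the question's own two `acl site1 ...` lines to parse_config reports the type clash, and the undefined google_auth reference is reported the same way.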

npm installation cannot use squid proxy

I am trying to do an npm installation through a Squid transparent proxy on a client. My Squid server is 172.21.243.84:3128. Both the client and server use CentOS 7.
On the client, I set the proxy using:
export https_proxy='https://172.21.243.84:3128'
export http_proxy='http://172.21.243.84:3128'
Then I run "npm install npm" and get an error like:
npm ERR! code EPROTO
npm ERR! errno EPROTO
npm ERR! request to https://registry.npm.taobao.org/npm failed, reason: write EPROTO 139980905441152:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332:
npm ERR!
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2020-04-20T10_46_23_058Z-debug.log
Then I checked the Squid log and got a lot of "400" entries like below:
1587379583.046 0 172.21.29.52 TAG_NONE/400 4112 c %AD;%B2O%19%8C%F7%87%DDW%A7F%06%AAB0H%1E%98 - HIER_NONE/- text/html
1587379728.415 0 172.21.29.52 TAG_NONE/400 4495 NONE error:invalid-request - HIER_NONE/- text/html
........
But if I use "npm install npm --proxy http://172.21.243.84:3128", it works perfectly.
My Squid configuration is:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost
acl allowed_http_sites dstdomain "/etc/squid/squid.allowed.sites.txt"
http_access allow allowed_http_sites
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128 ssl-bump cert=/etc/squid/cert.pem
acl allowed_https_sites ssl::server_name "/etc/squid/squid.allowed.sites.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Does anyone have an idea how to fix my Squid to make it work for the npm installation without using "--proxy"?
Thank you.
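An added example, not from either question and not Squid's own code: a parser for Squid's native access.log format that flags the two patterns in this question's log and in the NTLM question at the top of the page: a client that keeps receiving 407 challenges, and 400s from bytes Squid could not parse as HTTP, including a request whose first bytes are a TLS handshake record (what a client sends when it is told the proxy speaks https). The sample lines are constructed from the two questions with made-up client addresses.

```python
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample in Squid's native access.log format: the 407 lines from the NTLM
# question and the 400 lines from the npm question (client addresses made up), plus one
# 400 line whose "method" token is a URL-encoded TLS handshake record header, which is
# what Squid logs when a client speaks TLS to a plain http_port.
SAMPLE_LOG = """\
1528144397.050 24 10.0.0.5 TCP_DENIED/407 2151 CONNECT www.google.co.in:443 - NONE/- text/html
1528144397.056 5 10.0.0.5 TCP_DENIED/407 1817 CONNECT www.google.co.in:443 - NONE/- text/html
1528144397.070 5 10.0.0.5 TCP_DENIED/407 1817 CONNECT www.google.co.in:443 - NONE/- text/html
1528144400.100 310 10.0.0.6 TCP_MISS/200 5120 GET http://example.org/ user-2 DIRECT/93.184.216.34 text/html
1587379583.046 0 172.21.29.52 TAG_NONE/400 4112 %16%03%01%00%F5%01%00%00%F1%03%03 - - HIER_NONE/- text/html
1587379728.415 0 172.21.29.52 TAG_NONE/400 4495 NONE error:invalid-request - HIER_NONE/- text/html
"""
FIELDS = ("ts", "elapsed_ms", "client", "result", "bytes", "method", "url", "user", "hier", "mime")
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "CONNECT", "PURGE", "NONE"}

def parse_native(line):
    """Split one native-format line into a dict; result becomes tag + numeric status."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        raise ValueError(f"not a native squid log line: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = float(rec["ts"])
    rec["tag"], _, status = rec["result"].partition("/")
    rec["status"] = int(status)
    return rec

def classify(lines, loop_min=3, window_s=5.0):
    """Return (client, finding) pairs: repeated 407 challenges and unparseable requests."""
    findings, challenges = [], defaultdict(list)
    for line in lines:
        r = parse_native(line)
        if r["status"] == 407:
            challenges[r["client"]].append(r["ts"])
        elif r["status"] == 400 and (r["method"] not in HTTP_METHODS or r["url"].startswith("error:")):
            # A TLS handshake record starts with 0x16 0x03: the client expected a TLS-speaking proxy.
            tls = unquote_to_bytes(r["method"])[:2] == b"\x16\x03"
            findings.append((r["client"], "tls-to-plain-port" if tls else "unparseable-request"))
    for client, stamps in sorted(challenges.items()):
        stamps.sort()
        # NTLM needs two 407s per connection; loop_min or more inside window_s means it keeps restarting
        if any(stamps[i + loop_min - 1] - stamps[i] <= window_s for i in range(len(stamps) - loop_min + 1)):
            findings.append((client, "auth-challenge-loop"))
    return findings

if __name__ == "__main__":
    for client, finding in classify(SAMPLE_LOG.splitlines()):
        print(f"{client:15} {finding}")
```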

Why does Firefox ask for a Squid password every time I open a new tab?

I'm trying to prevent Firefox from constantly asking for a new authentication when a new tab is opened.
Moreover, in the Firefox configuration it is necessary to specify the page without proxy, but it still asks for authentication.
The Squid server is on CentOS 7 and the client PC uses Firefox version 52.7.2.
Can anyone help me?
Is something wrong with my squid.conf configuration file here:
-----------------------squid.conf----------------------------------------
debug_options ALL,1
http_port 3128
logfile_rotate 30
maximum_object_size 32 MB
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_store_log none
access_log /var/log/squid/access.log squid
visible_hostname my_server.domain.com
acl domain1 dstdomain .domain1.com
http_access allow domain1
acl domain2 dstdomain .domain2.com
http_access allow domain2
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b "ou=People,dc=mycompany,dc=com" -f "uid=%s" -u uid -D "uid=xxx,ou=xxx,dc=mycompany,dc=com" -w "password" -h ldap://myldap.com
auth_param basic children 350
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 2 hours
acl if_ok src "/etc/squid/conf/default/ipadress"
acl BlockedHost_mdl src "/etc/squid/mdl.txt"
http_access deny BlockedHost_mdl
acl BlockedHost_bruteforceblocker src "/etc/squid/bruteforceblocker.txt"
http_access deny BlockedHost_bruteforceblocker
acl BlockedHost_shdrop src "/etc/squid/shdrop.txt"
http_access deny BlockedHost_shdrop
acl internet proxy_auth REQUIRED
acl internet_domains dstdomain -i "/etc/squid/conf/internet/domains"
http_access allow internet
http_access allow if_ok
http_access allow localhost
http_access deny all