[squid-users] Squid 3.1.15 not enforcing browser proxy mode

From: Ron Starr <ronl1213_at_comcast.net>
Date: Fri, 4 Nov 2011 15:04:00 -0700

To all,

Maybe someone wiser than me can point out the error in our configuration.
Have googled for hours and searched the archives.

We have two configs we are testing. In both configs a requirement is that
the user be forced to use the Squid proxy by enabling proxy mode in the
browser (i.e. FF, Chrome, Opera, latest versions). In the first config we are
using NTLM with fallback. This config works properly. If proxy mode in the
browser is set to point to Squid all works as expected—traffic passes
normally. When proxy mode is disabled, all works as expected: the user
receives a Squid denied page.

The problem is the second config. In this config we have a fairly minimal
config allowing localhost access. The issue is it does not matter how the
browser is set, traffic passes normally. Our expectation is that if the browser
proxy mode is off the user should receive a Squid denied page. Any help is
appreciated.

Good Configuration

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50 startup=10 idle=10
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic realm squidproxy
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
max_filedesc 20000
cache_mem 300 MB
visible_hostname localhost
http_port 3128
maximum_object_size 500 MB
shutdown_lifetime 10 seconds
range_offset_limit 50 MB
maximum_object_size 500 MB
minimum_object_size 0 KB
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443 10000 20 21
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 20 # multiling http
acl Safe_ports port 10000 # multiling http
acl CONNECT method CONNECT
#Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
# And finally deny all other access to this proxy
http_access deny all
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid 1000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

Bad Configuration—browser proxy mode is not enforced.

max_filedesc 20000
cache_mem 300 MB
visible_hostname localhost
maximum_object_size 4 GB
http_port 3128
shutdown_lifetime 10 seconds
range_offset_limit 50 MB
maximum_object_size 4 GB
minimum_object_size 0 KB
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/spool/squid 15000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20%

Thank you,

Ron Starr
Received on Fri Nov 04 2011 - 22:04:33 MDT
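The two rule sets above differ, for an unauthenticated client, in a single line, and Squid's http_access semantics are easy to misread: lines are tested top to bottom, every ACL on a line must match (a leading "!" negates one ACL), the first matching line decides, and a request that matches no line gets the opposite of the last line's action. The following is an added example, not Squid's own code and not from the poster: a small Python model of those semantics run against excerpts of the two configurations. The request objects, the 203.0.113.10 and 192.168.1.20 addresses and the boolean `authenticated` flag are constructed assumptions (real Squid answers a missing credential with a 407 challenge rather than a flag). It shows that the second configuration allows any request whose source address is 127.0.0.1 or ::1 without any authentication, and it only models requests that actually reach the proxy: a browser with proxy mode off connects to the origin directly, so no http_access line is evaluated at all unless something redirects that traffic to Squid.

```python
"""Simplified model of Squid's http_access evaluation (added example, not Squid code).

Constructed assumptions: only the ACL types used in the two configs above are
modelled (src, dst, port, method, proto, proxy_auth REQUIRED) plus the built-in
'all'; authentication is a boolean on the request instead of a 407 exchange.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str                     # client IP as Squid sees it
    dst: str                     # destination IP after resolution
    port: int                    # destination port
    method: str = "GET"
    scheme: str = "http"         # URL scheme, consulted by 'proto' ACLs
    authenticated: bool = False  # valid Proxy-Authorization supplied?


def parse_config(text):
    """Collect 'acl' definitions and 'http_access' rules in file order."""
    acls = {"all": ("all", [])}  # 'all' is predefined in Squid 3.x
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _ip_match(values, ip):
    addr = ipaddress.ip_address(ip)
    # 'in' is False across address families, so mixed v4/v6 lists are safe
    return any(addr in ipaddress.ip_network(v, strict=False) for v in values)


def _port_match(values, port):
    for v in values:
        lo, _, hi = v.partition("-")  # single port or "low-high" range
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acls, name, req):
    acl_type, values = acls[name]
    if acl_type == "all":
        return True
    if acl_type == "src":
        return _ip_match(values, req.src)
    if acl_type == "dst":
        return _ip_match(values, req.dst)
    if acl_type == "port":
        return _port_match(values, req.port)
    if acl_type == "method":
        return req.method.upper() in {v.upper() for v in values}
    if acl_type == "proto":
        return req.scheme.lower() in {v.lower() for v in values}
    if acl_type == "proxy_auth":
        return req.authenticated
    raise ValueError(f"ACL type not modelled: {acl_type}")


def evaluate(config_text, req):
    """Return (action, matching http_access line or None).

    ACLs on one line are ANDed, '!' negates one ACL, the first line whose
    ACLs all match decides. With no match Squid applies the opposite of the
    last line; with no http_access lines at all the request is denied.
    """
    acls, rules = parse_config(config_text)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!")
               for t in terms):
            return action, " ".join(["http_access", action, *terms])
    fallback = "allow" if rules and rules[-1][0] == "deny" else "deny"
    return fallback, None


# Excerpts (constructed) of the lines from the two posted configs that decide access.
COMMON_ACLS = """
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
"""

GOOD_CONFIG = COMMON_ACLS + """
acl AuthorizedUsers proxy_auth REQUIRED
acl SSL_ports port 443 10000 20 21
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access deny all
"""

BAD_CONFIG = COMMON_ACLS + """
acl SSL_ports port 443
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny all
"""

if __name__ == "__main__":
    lan_client = Request(src="192.168.1.20", dst="203.0.113.10", port=80)
    local_client = Request(src="127.0.0.1", dst="203.0.113.10", port=80)
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        for req in (lan_client, local_client):
            print(label, req.src, evaluate(cfg, req))
```

Running it shows the second configuration answering "allow" for an unauthenticated request from 127.0.0.1 via its `http_access allow localhost` line while denying the same request from a LAN address, and the first configuration denying both until `authenticated` is set. In practice the same question is settled by Squid's access.log: a request that never appears there was never evaluated by the proxy at all.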