RE: [squid-users] SSL sites bypass authentication

From: Vishal Agarwal <vishal_at_norpknit.com>
Date: Tue, 20 Mar 2012 10:26:40 +0600

Hi,

You need to deny db_auth just after the allow statement (see below). I hope that will work.

Thanks/regards,
Vishal Agarwal

-----Original Message-----
From: Milen Pankov [mailto:mail_at_milen.pankov.eu]
Sent: Monday, March 19, 2012 5:34 AM
To: squid-users_at_squid-cache.org
Subject: [squid-users] SSL sites bypass authentication

Hi,

I have been using squid with basic authentication for quite some time
without problems while recently I discovered that anyone can open https
addresses through the proxy without authenticating. If someone refuses
the authentication dialog (clicks on Cancel) and receives a squid access
denied error page after that he can type an https address in the address
bar and it will open fine. I can't seem to find something wrong with the
configuration and I can't seem to find any info on this behavior
anywhere. Would appreciate if someone helps. I am using squid 3.1.6.
Here is the relevant part of the configuration:

auth_param basic program /usr/lib/squid3/squid_db_auth --dsn "DBI:mysql:host=myhostname:database=mydatabase" --user "myuser" --password "mypassword" --table "myusers" --usercol "myusername" --passwdcol "mypassword" --cond "cond1=0 and cond2=1" --md5 --persist
auth_param basic children 5
auth_param basic realm HTTP Proxy
auth_param basic credentialsttl 1 minute
auth_param basic casesensitive on
acl db_auth proxy_auth REQUIRED
authenticate_ip_ttl 10 minutes
acl only_one_conn max_user_ip -s 1
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny only_one_conn
http_access allow db_auth
http_access deny db_auth # Insert this line

http_access deny all

Thanks,
Milen
Received on Tue Mar 20 2012 - 04:26:44 MDT
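
One way to check your own proxy for the symptom described in this thread, as an added example that is not part of either message: it sends a CONNECT with no Proxy-Authorization header and reports whether the proxy opened the tunnel, challenged for credentials (407) or refused (403). The function names and the sample replies are constructed for illustration.

```python
import socket

def build_connect(target_host, target_port=443):
    """Raw CONNECT request, as sent for an https:// URL, with no Proxy-Authorization."""
    authority = f"{target_host}:{target_port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")

def classify(raw):
    """Map the proxy's reply to a credential-less CONNECT onto a verdict."""
    fields = raw.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/") or not fields[1].isdigit():
        return "unparseable"
    code = int(fields[1])
    if 200 <= code < 300:
        return "bypass"          # tunnel opened without credentials
    if code == 407:
        return "auth-required"   # proxy challenged for credentials
    if code == 403:
        return "denied"          # refused without a challenge
    return f"other-{code}"

def exchange(sock, target_host):
    """Send the CONNECT on an already connected socket and classify the reply headers."""
    sock.sendall(build_connect(target_host))
    raw = b""
    while b"\r\n\r\n" not in raw and len(raw) < 65536:
        chunk = sock.recv(4096)
        if not chunk:
            break
        raw += chunk
    return classify(raw)

def probe(proxy_host, proxy_port, target_host, timeout=5.0):
    """Connect to the proxy under test and run the check."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        return exchange(sock, target_host)

if __name__ == "__main__":
    # Constructed sample replies, not captured from the poster's proxy.
    samples = [b"HTTP/1.0 200 Connection established\r\n\r\n",
               b"HTTP/1.0 407 Proxy Authentication Required\r\n"
               b"Proxy-Authenticate: Basic realm=\"HTTP Proxy\"\r\n\r\n",
               b"HTTP/1.0 403 Forbidden\r\n\r\n"]
    for reply in samples:
        print(classify(reply))
```

Run `probe()` from a client address that is not covered by an unauthenticated allow rule such as `http_access allow localhost`; a result of `bypass` reproduces the reported behaviour.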
