Yeah, we have a few. I'll try to detail them below; I apologize for any formatting weirdness.
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -k /etc/squid/HTTP.keytab -s HTTP/arcgate2.ad.arc-tech....@ad.arc-tech.com
auth_param negotiate children 10
auth_param negotiate keep_alive on
auth_param basic credentialsttl 2 hours
auth_param basic realm ArcTech Proxy Server

acl localhost src 10.46.11.69
acl localhost src 127.0.0.0/8
acl localnet dst 10.0.0.0/8
acl localnet dst 172.0.0.0/8
acl localnet dst bldg3.arc-tech.com.
acl localnet dst bldg5.arc-tech.com.
acl SSL_ports port 443
acl SSL_ports port 5001
acl SSL_ports port 4434
acl SSL_ports port 9251
acl Safe_ports port 21
acl Safe_ports port 22
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 8080
acl Safe_ports port 8443
acl Safe_ports port 1025-65535
acl kerb-auth proxy_auth REQUIRED
acl CONNECT method CONNECT
acl local_dst_dom dstdomain arcgate2

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow local_dst_dom
http_access allow localnet

acl bad_domains_preauth dstdomain "/etc/squid/bad_domains_preauth"
http_access deny bad_domains_preauth

#acl block_user proxy_auth_regex -i "/etc/squid/block_user"
#http_access deny block_user

acl bad_exception_urls url_regex -i "/etc/squid/bad_exception_urls"
http_access allow !bad_exception_urls

acl exec_files url_regex -i "/etc/squid/exec_files"
#acl exec_users proxy_auth_regex -i "/etc/squid/exec_users"
http_access deny !bad_exception_urls exec_files
deny_info ERR_BLOCK_TYPE exec_files

#acl mmedia_users proxy_auth_regex -i "/etc/squid/mmedia_users"
acl mmedia_sites dstdomain "/etc/squid/mmedia_sites"
http_access allow CONNECT safe_ports SSL_ports mmedia_sites

acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny !bad_exception_urls bad_domains
deny_info ERR_BLOCK_DST bad_domains

acl bad_domains_regex dstdom_regex -i "/etc/squid/bad_domains_regex"
http_access deny !bad_exception_urls bad_domains_regex
deny_info ERR_BLOCK_DST bad_domains_regex

acl bad_urls url_regex -i "/etc/squid/bad_urls"
http_access deny !bad_exception_urls bad_urls
deny_info ERR_BLOCK_DST bad_urls

acl bad_files urlpath_regex -i "/etc/squid/bad_files"
http_access deny !bad_exception_urls bad_files
deny_info ERR_BLOCK_TYPE bad_files

http_access allow Safe_ports
http_access allow SSL_ports
http_access deny !kerb-auth
http_access allow kerb-auth
http_access deny all

-----Original Message-----
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Matus UHLAR - fantomas
Sent: Tuesday, November 12, 2024 10:30 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Access Log Question

Caution: This email originated from outside of Hexcel. Do not click links or open attachments unless you recognize the sender and know the content is safe.

On 12.11.24 15:22, Piana, Josh wrote:
>I seem to be able to generate tickets by checking klist, and using kinit to
>authenticate my username with AD. But it looks like the proxy is ignoring it.
>This could explain why all my proxy_auth ACLs stopped working too.
>
>Here are my authentication settings:
>auth_param negotiate children 10
>auth_param negotiate keep_alive on
>auth_param basic credentialsttl 2 hours
>auth_param basic realm <redacted> Proxy Server
>
>acl kerb-auth proxy_auth REQUIRED
>
>The bottom of my ACL rules looks like this:
>http_access deny !kerb-auth
>http_access allow kerb-auth
>http_access deny all

The bottom? Are there any ACL rules that allow clients' access before this?
Because ACL rules are processed in the order they are specified.

>-----Original Message-----
>From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Matus UHLAR - fantomas
>Sent: Tuesday, November 12, 2024 10:19 AM
>To: squid-users@lists.squid-cache.org
>Subject: Re: [squid-users] Access Log Question
>
>On 12.11.24 15:16, Piana, Josh wrote:
>>Seems like it.
>>
>>Example:
>>
>>12/Nov/2024:09:51:37 -0500.396 10.46.49.135 TCP_TUNNEL/200 23735 CONNECT [destination URL mangled by the mail gateway's link rewriting] - HIER_DIRECT/206.188.0.52 - -/-
>
>yes, this looks like the username is not known to squid, thus probably
>bypassed authentication.
>what type of proxy authentication do you use?
>
>>-----Original Message-----
>>From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Matus UHLAR - fantomas
>>Sent: Tuesday, November 12, 2024 10:10 AM
>>To: squid-users@lists.squid-cache.org
>>Subject: Re: [squid-users] Access Log Question
>>
>>On 12.11.24 14:56, Piana, Josh wrote:
>>> At some point, the access log has stopped recording which users are
>>> trying to access which sites.
>>>
>>> I'm currently thinking it could be an issue with log format, Squid
>>> not being able to receive the header information, or authentication
>>> is being bypassed completely due to our config, for some reason.
>>
>>what is it logging? does it log "-" instead of usernames?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
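Matus's point about rule order, applied to a config like the one posted above: an added example (not from the thread or the Squid project) that lists every "http_access allow" Squid reaches before any proxy_auth ACL is consulted, which is exactly the situation that yields "-" in the user column. It runs on a constructed excerpt modelled on the posted config, and the case-insensitive ACL name comparison is an assumption.

```python
# Added example (not from the thread or the Squid project): flag http_access
# "allow" rules that Squid evaluates before any proxy_auth ACL is reached.

# Constructed excerpt modelled on the config posted in the thread (not a copy).
SAMPLE_CONF = """\
acl localnet dst 10.0.0.0/8
acl Safe_ports port 80
acl Safe_ports port 443
acl kerb-auth proxy_auth REQUIRED
http_access deny !Safe_ports
http_access allow localnet
http_access allow Safe_ports
http_access deny !kerb-auth
http_access allow kerb-auth
http_access deny all
"""
# Same rules with the authentication check moved ahead of the broad allows.
FIXED_CONF = SAMPLE_CONF.replace(
    "http_access allow localnet\n",
    "http_access deny !kerb-auth\nhttp_access allow localnet\n", 1)

def parse_conf(text):
    """Return ({acl name: acl type}, [(action, [acl names]), ...] in file order)."""
    acl_types, rules = {}, []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()       # strip comments and blanks
        if len(parts) >= 3 and parts[0] == "acl":
            # assumption: ACL names compare case-insensitively, so the
            # Safe_ports / safe_ports spellings in the posted config match
            acl_types[parts[1].lower()] = parts[2]
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acl_types, rules

def unauthenticated_allows(text):
    """Squid checks http_access top-down and stops at the first match, so an
    'allow' placed before the first proxy_auth rule grants access with no
    credentials (access.log then shows '-' as the user). Return those rules."""
    acl_types, rules = parse_conf(text)
    auth_acls = {n for n, t in acl_types.items() if t.startswith("proxy_auth")}
    findings = []
    for idx, (action, acls) in enumerate(rules, start=1):
        if {a.lstrip("!").lower() for a in acls} & auth_acls:
            break                                   # auth is enforced from here
        if action == "allow":
            findings.append((idx, " ".join(acls)))
    return findings

if __name__ == "__main__":
    for name, conf in (("posted", SAMPLE_CONF), ("reordered", FIXED_CONF)):
        print(name, unauthenticated_allows(conf) or "no pre-auth allows")
```

Run against a real squid.conf (after `squid -k parse` succeeds) the same function reports which rules let traffic through before the helper ever sees a request.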