neok
2018-10-01 19:53:42 UTC
Hello everyone!
I'm a bit lost with the behavior of Google Chrome 69.0 for Win 64 and my
squid rules 3.5.20.
Until a few days ago when browsing denied sites Chrome threw the error
"ERR_TUNNEL_CONNECTION_FAILED" which was fine for me.
Firefox 62 threw the error "The proxy server is refusing connections" which
was also fine for me.
Now Chrome shows me the login window every time I visit a denied site.
I suspect Chrome has been updated and changed its behavior. I'm currently
studying that possibility.
I'm also rethinking whether the way I'm denying sites is the right one.
I leave my settings so that someone with more experience can give me some
feedback.
I am very grateful for any indication.
Best regards,
Gabriel.
squid.conf
### Negotiate/NTLM and Negotiate/Kerberos authentication
auth_param negotiate program /usr/sbin/negotiate_wrapper --ntlm
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos
/usr/lib64/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME
auth_param negotiate children 200
auth_param negotiate keep_alive on
### standard allowed ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
### destination domains to be blocked in a HTTP access control policy
acl LS_adult dstdomain -i "/etc/squid/DBL/adult.txt"
acl LS_anonvpn dstdomain -i "/etc/squid/DBL/anonvpn.txt"
acl LS_hacking dstdomain -i "/etc/squid/DBL/hacking.txt"
acl LS_malicius dstdomain -i "/etc/squid/DBL/malicius.txt"
acl LS_remotecontrol dstdomain -i "/etc/squid/DBL/remotecontrol.txt"
acl LS_warez dstdomain -i "/etc/squid/DBL/warez.txt"
acl LS_youtube dstdomain -i "/etc/squid/DBL/youtube.txt"
### acl for proxy authentication (kerberos or ntlm)
acl auth proxy_auth REQUIRED
### LDAP group membership sources ###
external_acl_type AD_WEB_ACCESS %LOGIN /usr/lib64/squid/ext_ldap_group_acl
-P -R -b "OU=NETGOL,DC=netgol,DC=local" -D ldap -W
"/etc/squid/ldap_pass.txt" -f
"(&(sAMAccountname=%u)(memberof=cn=%g,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local))"
-h s-dc1.netgol.local
acl WEB_ACCESS_1 external AD_WEB_ACCESS WEB_ACCESS_1
acl WEB_ACCESS_2 external AD_WEB_ACCESS WEB_ACCESS_2
acl WEB_ACCESS_3 external AD_WEB_ACCESS WEB_ACCESS_3
acl WEB_ACCESS_YT_ONLY external AD_WEB_ACCESS WEB_ACCESS_YT_ONLY
### HTTP access control policies
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow localhost
http_access deny LS_malicius # malicius sites denied for all
http_access allow WEB_ACCESS_1 # WEB_ACCESS_1 member users can browse
without restrictions
http_access deny WEB_ACCESS_2 LS_remotecontrol # WEB_ACCESS_2 member users
can't browse Remote Control sites
http_access deny WEB_ACCESS_2 LS_warez # WEB_ACCESS_2 member users can't
browse Warez sites
http_access allow WEB_ACCESS_2 # WEB_ACCESS_2 member users can browse the
rest of the sites not bloqued
http_access deny WEB_ACCESS_3 LS_adult # WEB_ACCESS_3 member users can't
browse Adult sites
http_access deny WEB_ACCESS_3 LS_anonvpn # WEB_ACCESS_3 member users can't
browse Anonymous VPN sites
http_access deny WEB_ACCESS_3 LS_hacking # WEB_ACCESS_3 member users can't
browse Hacking sites
http_access deny WEB_ACCESS_3 LS_remotecontrol # WEB_ACCESS_3 member users
can't browse Remote Control sites
http_access deny WEB_ACCESS_3 LS_warez # WEB_ACCESS_3 member users can't
browse Warez sites
http_access allow WEB_ACCESS_3 # WEB_ACCESS_3 member users can browse the
rest of the sites not bloqued
http_access allow WEB_ACCESS_YT_ONLY LS_youtube # WEB_ACCESS_YT_ONLY member
users can browse YouTube
http_access deny WEB_ACCESS_YT_ONLY # WEB_ACCESS_YT_ONLY member
users can't browse the rest of sites
http_access deny all
### PERSONALIZATION ###
http_port 8080
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
read_timeout 5 minutes
request_timeout 3 minutes
shutdown_lifetime 15 seconds
ipcache_size 2048
fqdncache_size 4096
forwarded_for off
httpd_suppress_version_string on
Mi lab scenario:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post
https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
to achieve kerberos authentication transparent to the user. SElinux
disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
I'm a bit lost with the behavior of Google Chrome 69.0 for Win 64 and my
squid rules 3.5.20.
Until a few days ago when browsing denied sites Chrome threw the error
"ERR_TUNNEL_CONNECTION_FAILED" which was fine for me.
Firefox 62 threw the error "The proxy server is refusing connections" which
was also fine for me.
Now Chrome shows me the login window every time I visit a denied site.
I suspect Chrome has been updated and changed its behavior. I'm currently
studying that possibility.
I'm also rethinking whether the way I'm denying sites is the right one.
I leave my settings so that someone with more experience can give me some
feedback.
I am very grateful for any indication.
Best regards,
Gabriel.
squid.conf
### Negotiate/NTLM and Negotiate/Kerberos authentication
auth_param negotiate program /usr/sbin/negotiate_wrapper --ntlm
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos
/usr/lib64/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME
auth_param negotiate children 200
auth_param negotiate keep_alive on
### standard allowed ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
### destination domains to be blocked in a HTTP access control policy
acl LS_adult dstdomain -i "/etc/squid/DBL/adult.txt"
acl LS_anonvpn dstdomain -i "/etc/squid/DBL/anonvpn.txt"
acl LS_hacking dstdomain -i "/etc/squid/DBL/hacking.txt"
acl LS_malicius dstdomain -i "/etc/squid/DBL/malicius.txt"
acl LS_remotecontrol dstdomain -i "/etc/squid/DBL/remotecontrol.txt"
acl LS_warez dstdomain -i "/etc/squid/DBL/warez.txt"
acl LS_youtube dstdomain -i "/etc/squid/DBL/youtube.txt"
### acl for proxy authentication (kerberos or ntlm)
acl auth proxy_auth REQUIRED
### LDAP group membership sources ###
external_acl_type AD_WEB_ACCESS %LOGIN /usr/lib64/squid/ext_ldap_group_acl
-P -R -b "OU=NETGOL,DC=netgol,DC=local" -D ldap -W
"/etc/squid/ldap_pass.txt" -f
"(&(sAMAccountname=%u)(memberof=cn=%g,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local))"
-h s-dc1.netgol.local
acl WEB_ACCESS_1 external AD_WEB_ACCESS WEB_ACCESS_1
acl WEB_ACCESS_2 external AD_WEB_ACCESS WEB_ACCESS_2
acl WEB_ACCESS_3 external AD_WEB_ACCESS WEB_ACCESS_3
acl WEB_ACCESS_YT_ONLY external AD_WEB_ACCESS WEB_ACCESS_YT_ONLY
### HTTP access control policies
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow localhost
http_access deny LS_malicius # malicius sites denied for all
http_access allow WEB_ACCESS_1 # WEB_ACCESS_1 member users can browse
without restrictions
http_access deny WEB_ACCESS_2 LS_remotecontrol # WEB_ACCESS_2 member users
can't browse Remote Control sites
http_access deny WEB_ACCESS_2 LS_warez # WEB_ACCESS_2 member users can't
browse Warez sites
http_access allow WEB_ACCESS_2 # WEB_ACCESS_2 member users can browse the
rest of the sites not bloqued
http_access deny WEB_ACCESS_3 LS_adult # WEB_ACCESS_3 member users can't
browse Adult sites
http_access deny WEB_ACCESS_3 LS_anonvpn # WEB_ACCESS_3 member users can't
browse Anonymous VPN sites
http_access deny WEB_ACCESS_3 LS_hacking # WEB_ACCESS_3 member users can't
browse Hacking sites
http_access deny WEB_ACCESS_3 LS_remotecontrol # WEB_ACCESS_3 member users
can't browse Remote Control sites
http_access deny WEB_ACCESS_3 LS_warez # WEB_ACCESS_3 member users can't
browse Warez sites
http_access allow WEB_ACCESS_3 # WEB_ACCESS_3 member users can browse the
rest of the sites not bloqued
http_access allow WEB_ACCESS_YT_ONLY LS_youtube # WEB_ACCESS_YT_ONLY member
users can browse YouTube
http_access deny WEB_ACCESS_YT_ONLY # WEB_ACCESS_YT_ONLY member
users can't browse the rest of sites
http_access deny all
### PERSONALIZATION ###
http_port 8080
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
read_timeout 5 minutes
request_timeout 3 minutes
shutdown_lifetime 15 seconds
ipcache_size 2048
fqdncache_size 4096
forwarded_for off
httpd_suppress_version_string on
Mi lab scenario:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post
https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
to achieve kerberos authentication transparent to the user. SElinux
disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html