LINUX.ORG.RU
ФорумAdmin

Squid. Везде ошибка 403

 


0

1

Всем привет.

Конфиг:

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -d -k /etc/squid/squid.keytab -s HTTP/squid.corp.domain.ru@CORP.DOMAIN.RU
auth_param negotiate children 100 startup=0 idle=10
auth_param negotiate keep_alive on
acl authenticated_user proxy_auth REQUIRED
http_access deny !authenticated_user

external_acl_type inet_buh ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -g Internet-buh@CORP.DOMAIN.RU

acl localnet src 172.16.100.0/24

acl buh external inet_buh
acl auth proxy_auth REQUIRED

acl SSL_ports port 443 9443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl white_list dstdomain "/etc/squid/whitelist.txt"
acl black_list dstdomain "/etc/squid/blocked_http.txt"
dns_nameservers 172.16.100.11


# access rule

http_access allow buh white_list
http_access deny buh all
http_access allow localhost

http_access deny all

http_port 3128

always_direct allow all
sslproxy_cert_error allow all


acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
acl step1 at_step SslBump1
ssl_bump peek step1

ssl_bump terminate blocked
ssl_bump splice all

coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_dir aufs /var/spool/squid 20000 49 256
maximum_object_size 61440 KB
minimum_object_size 3 KB

cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4

Если добавляю юзера в AD в группу inet_buh, то в браузере

ОШИБКА
Запрошенный URL не может быть получен

В логах:

1654417319.278      0 172.16.100.101 TCP_DENIED/407 4578 GET http://ya.ru/ - HIER_NONE/- text/html
1654417319.344     42 172.16.100.101 TCP_DENIED/403 7156 GET http://ya.ru/ user01@CORP.DOMAIN.RU HIER_NONE/- text/html
1654417319.474      0 172.16.100.101 TCP_DENIED/403 4629 GET http://squid.corp.viang.ru:3128/squid-internal-static/icons/SN.png user01@CORP.DOMAIN.RU HIER_NONE/- text/html

Указываю в whitelist.txt домен ya.ru, о не помогает.

Если в squid.conf вместо http_access deny all указать http_access allow all, то везде пускает.

В чем может быть ошибка конфига?

nftables в Hyperbola
libbz2 in Fedora vs Debian

Логи после systemctl restart squid

Jun 05 18:29:07 squid.corp.domain.ru systemd[1]: Started Squid Web Proxy Server.
Jun 05 18:29:07 squid.corp.domain.ru squid[9886]: Squid Parent: (squid-1) process 9888 started
Jun 05 18:29:07 squid.corp.domain.ru (squid-1)[9888]: Warning: empty ACL: acl black_list dstdomain "/etc/squid/blocked_http.txt"
Jun 05 18:29:07 squid.corp.domain.ru (squid-1)[9888]: Warning: empty ACL: acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Set Current Directory to /var/spool/squid
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Starting Squid Cache version 5.5 for x86_64-redhat-linux-gnu...
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Service Name: squid
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Process ID 9888
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Process Roles: worker
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: With 16384 file descriptors available
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Initializing IP Cache...
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: DNS Socket created at [::], FD 9
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: DNS Socket created at 0.0.0.0, FD 10
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Adding nameserver 172.16.100.11 from squid.conf
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: helperOpenServers: Starting 0/100 'negotiate_kerberos_auth' processes
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: helperStatefulOpenServers: No 'negotiate_kerberos_auth' processes needed.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: helperOpenServers: Starting 0/5 'ext_kerberos_ldap_group_acl' processes
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: helperOpenServers: No 'ext_kerberos_ldap_group_acl' processes needed.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: helperOpenServers: Starting 0/5 'ext_kerberos_ldap_group_acl' processes
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: helperOpenServers: No 'ext_kerberos_ldap_group_acl' processes needed.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: helperOpenServers: Starting 0/5 'ext_kerberos_ldap_group_acl' processes
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: helperOpenServers: No 'ext_kerberos_ldap_group_acl' processes needed.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Logfile: opening log daemon:/var/log/squid/access.log
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Logfile Daemon: opening log /var/log/squid/access.log
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Store logging disabled
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Swap maxSize 20480000 + 262144 KB, estimated 1595549 objects
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Target number of buckets: 79777
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Using 131072 Store buckets
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Max Mem  size: 262144 KB
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Max Swap size: 20480000 KB
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Rebuilding storage in /var/spool/squid (clean log)
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Using Least Load store dir selection
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Set Current Directory to /var/spool/squid
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Finished loading MIME types and icons.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: HTCP Disabled.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Squid plugin modules loaded: 0
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Adaptation support is off.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Accepting HTTP Socket connections at conn3 local=[::]:3128 remote=[::] FD 15 flags=9
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Done reading /var/spool/squid swaplog (0 entries)
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Store rebuilding is 0.00% complete
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Finished rebuilding storage from disk.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:         0 Entries scanned
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:         0 Invalid entries.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:         0 With invalid flags.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:         0 Objects loaded.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:         0 Objects expired.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:         0 Objects cancelled.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:         0 Duplicate URLs purged.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:         0 Swapfile clashes avoided.
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:   Took 0.02 seconds (  0.00 objects/sec).
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]: Beginning Validation Procedure
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:   Completed Validation Procedure
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:   Validated 0 Entries
Jun 05 18:29:07 squid.corp.domain.ru squid[9888]:   store_swap_size = 0.00 KB
Jun 05 18:29:08 squid.corp.domain.ru squid[9888]: storeLateRelease: released 0 objects
yatakoi
() автор топика

Если в squid.conf вместо http_access deny all указать http_access allow all, то везде пускает.

А если бы сработала проверка по группе, то до этого правила вообще бы дело не дошло. Сработало бы одно из первых двух

http_access allow buh white_list
http_access deny buh all
router ★★★★★
()
Ответ на: комментарий от vel

Вот такая байда появилась. Не понятно, почему он ищет proxy.keytab, если у конфиге указан squid.keytab?

negotiate_kerberos_auth.cc(489): pid=10075 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
negotiate_kerberos_auth.cc(548): pid=10075 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/squid.keytab
negotiate_kerberos_auth.cc(572): pid=10075 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_10075
negotiate_kerberos_auth.cc(489): pid=10076 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
negotiate_kerberos_auth.cc(548): pid=10076 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Setting keytab to /etc/squid/squid.keytab
negotiate_kerberos_auth.cc(572): pid=10076 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_10076
negotiate_kerberos_pac.cc(406): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Got PAC data of length 568
negotiate_kerberos_pac.cc(180): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Found 12 rids
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 1411
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 1114
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 512
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 4613
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 1113
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 1160
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 1283
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 1108
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 1205
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 1282
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 513
negotiate_kerberos_pac.cc(188): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: Info: Got rid: 519
negotiate_kerberos_pac.cc(270): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Got DomainLogonId S-1-5-21-3524909106-1290478399-726024510
negotiate_kerberos_pac.cc(291): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Found 1 ExtraSIDs
negotiate_kerberos_pac.cc(357): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Got ExtraSid S-1-5-21-3524909106-1290478399-726024510-572
negotiate_kerberos_pac.cc(486): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: INFO: Read 568 of 568 bytes 
negotiate_kerberos_auth.cc(806): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: DEBUG: Groups group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrgwUAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrWgQAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrAAIAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrBRIAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrWQQAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYriAQAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrAwUAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrVAQAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrtQQAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrAgUAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrAQIAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrBwIAAA== group=AQUAAAAAAAUVAAAAMtgZ0j8j60w+QUYrPAIAAA==
negotiate_kerberos_auth.cc(815): pid=10067 :2022/06/05 20:54:21| negotiate_kerberos_auth: DEBUG: OK token=oYGyMIGvoAMKAQChCwYJKoZIgvcSAQICooGaBIGXYIGUBgkqhkiG9xIBAgICAG+BhDCBgaADAgEFoQMCAQ+idTBzoAMCAReibARq7Ev+J8r2O5JV6vCgljvAwIGk6TDz5EZpxf/2dGxsEmabpAXGMeEDA36SU5QofFv58EyzMlSVjz3ex34QG011OcTPB5HOwJH377muGewnlrRhojjzXw2ScdnVVXKB9tDwdGPRUMQKdTJ5Cg== user=user01@CORP.DOMAIN.RU
2022/06/05 20:54:21 kid1| Starting new external_acl_type helpers...
    current master transaction: master55
support_krb5.cc(63): pid=10077 :2022/06/05 20:54:22| kerberos_ldap_group: ERROR: Error while starting keytab scan : Key table file '/etc/squid/proxy.keytab' not found
support_ldap.cc(1020): pid=10077 :2022/06/05 20:54:22| kerberos_ldap_group: ERROR: Error during setup of Kerberos credential cache
yatakoi
() автор топика
Ответ на: комментарий от yatakoi

Эм… нашел где - в /etc/krb5.conf proxy.keytab был указан.

yatakoi
() автор топика
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.
nftables в Hyperbola
Admin
libbz2 in Fedora vs Debian