
I have this squid configuration file which is supposed to protect squid from unauthenticated access by using basic auth.

Squid runs as a docker service and I would like to grant unauthenticated access for all other docker services. I observed that the services operate in the network range 10.0.0.1 - 10.0.255.254 (according to squid's access_log).

When I access squid from the internet, basic authentication works properly.

When I access squid from a service's shell, it is still asking for authentication. The expected outcome would be free passage. What am I missing?

#port
http_port 1379

#dns
dns_nameservers 127.0.0.11 146.185.167.43 80.241.218.68 46.182.19.48 85.95.218.42 185.95.218.43 91.239.100.100 89.233.43.71

#logging
access_log /etc/squid/access_log
cache_log /etc/squid/error_log

#authentication
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/squid_auth
auth_param basic children 5
auth_param basic realm Proxy Authentication Required
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

#disable caching
cache deny all

#turn off persistent connections, so round robin works properly
client_persistent_connections off
server_persistent_connections off

#acl's

#local net
acl localnet src 10.0.0.0/16     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

#cache manager
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/

#basic auth
acl auth_users proxy_auth squid

#smtp relaying
acl smtp port 25
acl smtps port 465
acl CONNECT method CONNECT

#safe ports
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl CONNECT method CONNECT


#cache manager access from localhost only
http_access allow localhost manager
http_access deny manager

#allow only safe ports
http_access deny !Safe_ports

#prohibit using the proxy as an SMTP relay
http_access deny CONNECT !SSL_ports
http_access deny CONNECT smtp
http_access deny CONNECT smtps
http_access allow localnet
http_access allow localhost
http_access allow auth_users
http_access deny all

#remove headers
via off
forwarded_for off
forwarded_for truncate
follow_x_forwarded_for deny all
request_header_access Cache-Control deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all


#wire everything to parent
cache_peer hannibal parent 1279 0 no-query default
prefer_direct off
never_direct allow all
Jabb
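To see why a request from 10.0.x.x should pass without credentials while a request from the internet is challenged, here is an added Python model of squid's first-match `http_access` evaluation over the ACLs from the question. It is example code written for this page, not part of the question, the answer, or squid itself; the `localhost` ACL is squid's built-in definition, and the request attributes (peer address, destination port, method, whether valid credentials were sent) are the assumptions the model works with. It also makes the point raised in the comments checkable: the decision hinges on the source address squid actually sees, so if the peer address logged in access_log is not inside 10.0.0.0/16 the `allow localnet` line never matches and evaluation falls through to `auth_users`.

```python
"""Replay squid's first-match http_access evaluation against the ACLs in the question."""
import ipaddress
from dataclasses import dataclass

# Constructed excerpt: the src/port/method/proxy_auth ACLs and the http_access
# lines from the asker's squid.conf, in the same order. localhost is squid's
# built-in ACL and is spelled out here so the model is self-contained.
SQUID_RULES = """
acl localnet src 10.0.0.0/16
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl localhost src 127.0.0.1/32 ::1/128
acl auth_users proxy_auth squid
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow auth_users
http_access deny all
"""


@dataclass
class Request:
    src: str                     # client address as squid sees it (the TCP peer)
    port: int                    # destination port of the requested URL
    method: str = "GET"
    authenticated: bool = False  # True if a valid Proxy-Authorization header was sent


def parse_rules(text):
    """Return ({acl_name: (type, values)}, [(action, [(negated, acl_name), ...])])."""
    acls = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acl_type, acl_values = acls.setdefault(name, (kind, []))
            if acl_type != kind:
                raise ValueError(f"acl {name} redefined with type {kind}")
            acl_values.extend(values)         # repeated acl lines merge, as in squid
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    """Does ACL `name` match `req`? None means a proxy_auth test hit an unauthenticated request."""
    if name == "all":
        return True
    kind, values = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        # IPv4 addresses never fall inside IPv6 networks (and vice versa), so mixing is safe
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return req.port in {int(v) for v in values}
    if kind == "method":
        return req.method.upper() in {v.upper() for v in values}
    if kind == "proxy_auth":
        return True if req.authenticated else None
    raise NotImplementedError(f"acl type {kind} is not modelled here")


def evaluate(text, req):
    """First http_access line whose terms all match decides: ('allow'|'deny'|'challenge', line index)."""
    acls, rules = parse_rules(text)
    for index, (action, terms) in enumerate(rules):
        line_matches = True
        for negated, name in terms:
            result = acl_matches(acls, name, req)
            if result is None:
                # squid answers a proxy_auth test without credentials with a 407 challenge
                return "challenge", index
            if result == negated:   # a term fails when it matches but is negated, or misses and is not
                line_matches = False
                break
        if line_matches:
            return action, index
    return "deny", len(rules)       # not reachable with a trailing "deny all"


if __name__ == "__main__":
    samples = [
        Request("10.0.3.7", 80),                          # a swarm service on the overlay
        Request("203.0.113.9", 80),                       # internet client, no credentials
        Request("203.0.113.9", 80, authenticated=True),   # internet client with credentials
        Request("10.0.3.7", 80, "CONNECT"),               # CONNECT to a non-SSL port
    ]
    for req in samples:
        print(req, "->", evaluate(SQUID_RULES, req))
```

Compare the `src` value you feed the model with the client address squid writes to `/etc/squid/access_log` for a request made from a service's shell: if that address is outside every `localnet` range, the configuration shown is behaving exactly as written and the fix lies in how the container is attached to the network, not in the ACLs.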
  • How did you start squid and other service containers? I'm curious about squid container network configuration. Could you provide `docker network inspect `, pls? Keep in mind that containers may have own network namespace, so then your squid local network acl may be wrong. More details about your docker networking are needed to prove that. – Jan Garaj Mar 08 '20 at 23:14
  • You are exactly on the right track. It was a misconception how the restarting of services in docker swarm works. I kept restarting the container, which effectively created new containers instead of restarting the service and applying the correct configuration. I am willing to award the bounty to you. Feel free to make an answer out of your comment and I will accept it. – Jabb Mar 10 '20 at 08:11

1 Answer


You need to (re)start docker swarm service properly

Jan Garaj