Home / server / Questions / 1166961
Accepted
exore
Asked: 2024-10-23 18:24:54 +0800 CST

how to authenticate one port only when squid listens on 2 ports

  • 772

I want squid to listen to ports 3128 and 3129. I want auth on 3129 and no auth on 3128. For now I have this config

# auth_param not shown but working

http_port 3128
http_port 3129
acl input_3128 myportname 3128
acl input_3129 myportname 3129
acl authenticated proxy_auth REQUIRED

http_access allow authenticated input_3129
http_access deny input_3129
http_access allow input_3128
http_access deny all

Unfortunately this does not work at all. Squid always require authentication.

example request:

curl -v --proxy http://myproxy.example.com:3128 http://debian.org/

Squid response:

* processing: http://debian.org/
10.1.2.3:3128...
* Connected to myproxy.example.com (10.1.2.3) port 3128
> GET http://debian.org/ HTTP/1.1
> Host: debian.org
> User-Agent: curl/8.2.1
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 407 Proxy Authentication Required
< Server: squid/5.9
< Mime-Version: 1.0
< Date: Wed, 23 Oct 2024 10:15:01 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3511
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Vary: Accept-Language
< Content-Language: en
< Proxy-Authenticate: Basic realm="Squid proxy-caching web server"
< X-Cache: MISS from myproxy
< X-Cache-Lookup: NONE from myproxy:3129
< Via: 1.1 myproxy (squid/5.9)
< Connection: keep-alive
<

Question

How to make squid require authentication only on port 3129 ?

proxy

2 Answers

  1. Best Answer

    When you're using the ACL type myportname, you are relying on the implicit default name, i.e. that your http_port 3128 is really http_port 3128 name=3128 and likewise for port 3129.

    Perhaps try using the myport ACL type instead, i.e. acl input_3128 myport 3128 and acl input_3129 myport 3129?

    Also, you might try sorting the http_access directives like this:

    http_access allow input_3128
http_access allow authenticated input_3129
http_access deny all

    That should allow the first http_access line to match any connections incoming to port 3128 without even hinting that authentication might be needed. If that does not match, the second rule will then match connections to port 3129, now with the authentication requirement in effect. The final deny all will catch anything that does not match either of the first two lines; you don't need a separate http_access deny input_3129 line at all.

    • 1

  2. @telcoM gave an explanation in the second comment. I post another solution based on this comment.

    On a line, all conditions are anded. So the trouble with

    http_access allow authenticated input_3129

    is that it checks first the authenticated condition. This condition triggers an early 407 answer for any non authenticated connection, whatever the port number.

    Now, if I use instead input_3129 authenticated, because of the implicit and, the authenticated condition is tried only when the input_3129 is met. So no early 407. Squid can go on and try the second http_access rule.

    http_access allow input_3129 authenticated
http_access allow input_3128
http_access deny all
    • 1