I need help with setting up Squid proxy on my Ubuntu machine. I want to configure it to use basic authentication and block any calls made on this machine that don't provide correct proxy credentials.
I have already installed Squid and added the necessary configuration for authentication using a set of credentials.
(config added at the end of this post)
When I make a curl call using proxy data, it seems to be using the Squid proxy and working as expected:

```
curl -v -x http://proxyuser:proxypassword@localhost:3128 httpbin.org/ip
*   Trying 127.0.0.1:3128...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 3128 (#0)
* Proxy auth using Basic with user 'proxyuser'
> GET http://httpbin.org/ip HTTP/1.1
> Host: httpbin.org
> Proxy-Authorization: Basic cHJveHl1c2VyOnByb3h5cGFzc3dvcmQ=
> User-Agent: curl/7.68.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: gunicorn/19.9.0
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< X-Cache: MISS from ubuntu
< X-Cache-Lookup: MISS from ubuntu:3128
< Via: 1.1 ubuntu (squid/4.10)
< Connection: keep-alive
{"origin": "127.0.0.1, 148.113.6.17"}
* Connection #0 to host localhost left intact
```
When I run the curl command below without proxy data, it still works. How do we restrict the call below when no proxy info is present in the curl command?

```
curl -v httpbin.org/ip
{"origin": " 148.113.6.17" }
```
Squid config:

```
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid/pswds
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
acl whitelist src "/etc/squid/whitelist"
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320
```
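Two things are worth separating in the question above. First, a `curl httpbin.org/ip` without `-x` never contacts port 3128 at all, so no `http_access` line can affect it: Squid only decides about traffic that is sent to it, and forcing all traffic through the proxy is a host-level egress control (for example a firewall rule that permits outbound HTTP/HTTPS only from the user Squid runs as, typically `proxy` on Ubuntu). Second, the order of the posted `http_access` lines matters even for traffic that does reach Squid. The following is an added example, not code from the post or from the Squid project: a small model of Squid's first-match walk over the `http_access` list, run over a subset of the posted ACLs, comparing the posted order with a reordered one. Its simplifications are assumptions, not Squid behaviour: `proxy_auth` is treated as "valid credentials present", Squid's 407 challenge is not modelled, IP ranges such as `0.0.0.1-0.255.255.255` are omitted, and the built-in `localhost` and `all` ACLs are written out explicitly.

```python
"""
Added example (not from the original post): a model of how Squid walks its
http_access list. First matching line wins; if nothing matches, the opposite
of the last line's action applies. Assumptions: proxy_auth == "credentials
present and valid", no 407 challenge, no IP ranges, built-in ACLs spelled out.
"""
import ipaddress

# ACL definitions taken from the posted squid.conf (subset). localhost and all
# are Squid built-ins; they are written out here so nothing is implicit.
ACL_DEFS = """
acl localhost src 127.0.0.1/32
acl all src 0.0.0.0/0
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
acl authenticated proxy_auth REQUIRED
"""

# http_access order as posted: the credential check precedes the port checks,
# and plain localhost is allowed without any credentials.
POSTED_RULES = """
http_access allow authenticated
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

# Reordered variant (assumption for comparison): port sanity checks first,
# then credentials, then deny everything else.
REORDERED_RULES = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow authenticated
http_access deny all
"""


def parse_config(text):
    """Return ({acl_name: [(type, value), ...]}, [(action, [(negated, acl), ...])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, []).extend((kind, v) for v in values)
        elif parts[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def acl_matches(acls, name, req):
    """An ACL matches when any one of its values matches the request."""
    for kind, value in acls[name]:
        if kind == "src":
            if ipaddress.ip_address(req["src"]) in ipaddress.ip_network(value, strict=False):
                return True
        elif kind == "port":
            lo, _, hi = value.partition("-")  # single port or lo-hi range
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        elif kind == "method":
            if req["method"] == value:
                return True
        elif kind == "proxy_auth":
            if req["credentials_ok"]:  # simplification, see module docstring
                return True
    return False


def evaluate(acls, rules, req):
    """The first http_access line whose terms all match decides the request."""
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid's default


def decide(rules_text, src, port=80, method="GET", credentials_ok=False):
    """Decision for one request under ACL_DEFS plus the given http_access lines."""
    acls, rules = parse_config(ACL_DEFS + rules_text)
    req = {"src": src, "port": port, "method": method, "credentials_ok": credentials_ok}
    return evaluate(acls, rules, req)


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("reordered", REORDERED_RULES)):
        print(label, "| localhost, no credentials:", decide(rules, "127.0.0.1"))
        print(label, "| LAN host, credentials, port 22:",
              decide(rules, "10.0.0.5", port=22, credentials_ok=True))
```

Under the posted order the model allows a request from 127.0.0.1 with no credentials (it falls through to `http_access allow localhost` before reaching `deny all`) and allows an authenticated request to port 22 (because `allow authenticated` is evaluated before `deny !Safe_ports`). With the port checks moved first and the bare `allow localhost` removed, both are denied while an authenticated `GET` to port 80 or `CONNECT` to 443 is still allowed. Which of those outcomes you want is a policy choice, but the evaluation order is what decides it.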