Re: [squid-users] squid 3.1 ldap authentication

2016-01-30 Thread Eliezer Croitoru

Just to update the thread.

A basic CLI test showed it's not an issue related to anything in the 
LDAP helpers or settings.
The issue was an IPv6 network level issue: there was a default gateway 
but for some unknown reason there was no IPv6 connectivity.
The test host could be any host with both IPv6 and IPv4 DNS records that 
has at least one IPv6 record. Due to the request_start_timeout default of 
5 minutes the site took about 5 minutes to show up after the IPv6 try 
timed out.
The basic way to test it is running a simple script on the host machine 
that will test IPv6 connectivity. The right way to do that should be 
using a basic IPv6 ping like this script:

- http://paste.ngtech.co.il/pxizenek2
- http://ngtech.co.il/squid/ipv6_test.sh

But since it is known that opening the whole IPv6 ICMP protocol in 
firewalls opens network vulnerabilities, it is commonly disabled (while it 
could be opened properly), and therefore it is an issue to test IPv6 
connectivity based only on ICMP.


Example ip6tables ICMPv6 rules that will allow a router to pass a basic 
ping6 test:

ip6tables -A FORWARD -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT

ip6tables -A FORWARD -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
ip6tables -A FORWARD -p icmpv6 -j DROP

Later I will upgrade the script to test tcp/http level connectivity so 
it will be more useful as a debugging tool.


* http://www.squid-cache.org/Doc/config/request_start_timeout/
* https://www.cert.org/downloads/IPv6/ip6tables_rules.txt
* https://www.sixxs.net/wiki/IPv6_Firewalling

On 29/01/2016 03:50, Nando Mendonca wrote:

Thanks! I ran tcpdump, didn't really notice anything. Any other suggestions?

Thanks,
Nando


On Jan 25, 2016, at 10:07 AM, Anders Gustafsson wrote:

Do a packet trace on the LDAP connection. I bet the delay happens there. Also: 
I suspect that it might do the same LDAP lookup for EVERY HTTP session of which 
there might be thousands for a complex page.



nando mendonca  2016-01-25 17:52 >>>

I'm running squid 3.5.12, I'm using ldap for authentication. When trying to
browse the internet from clients it takes up to 10 minutes for the website
to load. Can you please assist me in troubleshooting what the issue is?
Below is my squid.conf file.


___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users



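Eliezer's point above is that an ICMP-only check is unreliable because ICMPv6 is so often filtered. The following is an added example, not his ipv6_test.sh and not from the thread: a shell script that resolves a host's AAAA records with getent and attempts a TCP connect to each IPv6 address with a short timeout, so a silently dropped IPv6 path shows up as a "timeout" verdict in seconds instead of the multi-minute stall described in the thread. It assumes getent (glibc), timeout (coreutils) and bash's /dev/tcp are available; the getent output in sample_getent_output is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: TCP-level IPv6 reachability check that does not depend on
# ICMPv6 being allowed through firewalls. Not part of the thread.

# Keep only real IPv6 addresses from `getent ahostsv6` output (first column).
# Drops the IPv4-mapped ::ffff: entries glibc returns for names that only
# have A records, and the duplicates produced by STREAM/DGRAM/RAW lines.
# Pure text filter, so it can be exercised without a network.
extract_v6_addrs() {
    awk '$1 ~ /:/ && $1 !~ /^::ffff:/ && !seen[$1]++ { print $1 }'
}

# Constructed sample of what `getent ahostsv6 example.test` might print
# (2001:db8::/32 is the documentation prefix; 192.0.2.1 is a TEST-NET address).
sample_getent_output() {
cat <<'EOF'
2001:db8::1          STREAM example.test
2001:db8::1          DGRAM
2001:db8::1          RAW
::ffff:192.0.2.1     STREAM
2001:db8::2          STREAM
EOF
}

# Resolve a name to its IPv6 addresses (needs a working resolver).
resolve_v6() {
    getent ahostsv6 "$1" 2>/dev/null | extract_v6_addrs
}

# Attempt a TCP connection to [addr]:port with a short timeout.
# Exit status: 0 connected, 124 timed out (timeout(1) convention),
# anything else refused or unreachable.
tcp_connect_v6() {
    local addr=$1 port=${2:-80} secs=${3:-3}
    timeout "$secs" bash -c "exec 3<>/dev/tcp/${addr}/${port}" 2>/dev/null
}

# Map a tcp_connect_v6 exit status to a one-word verdict.
# "timeout" is the silently-dropped case that stalls a proxy the longest.
verdict() {
    case "$1" in
        0)   echo ok ;;
        124) echo timeout ;;
        *)   echo refused ;;
    esac
}

# Try every IPv6 address of a host on one port; prints one line per address
# with verdict and elapsed seconds. Returns 0 if at least one address is ok,
# 2 if the name has no AAAA record at all.
check_host_v6() {
    local host=$1 port=${2:-80} addr rc t0 t1 anyok=1
    local addrs
    addrs=$(resolve_v6 "$host")
    if [ -z "$addrs" ]; then
        echo "$host: no AAAA record"
        return 2
    fi
    for addr in $addrs; do
        t0=$(date +%s)
        tcp_connect_v6 "$addr" "$port"
        rc=$?
        t1=$(date +%s)
        echo "$host [$addr]:$port $(verdict "$rc") ($((t1 - t0))s)"
        [ "$rc" -eq 0 ] && anyok=0
    done
    return $anyok
}

# Usage (hostname is a placeholder): check_host_v6 www.example.com 443
```

Running check_host_v6 against a dual-stack name from the proxy host gives a per-address verdict in a few seconds; a run of "timeout" verdicts on every IPv6 address while the same port answers over IPv4 is the symptom this thread ended up diagnosing.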


Re: [squid-users] squid 3.1 ldap authentication

2016-01-28 Thread Eliezer Croitoru

Hey Nando,

Can you test something?
On 25/01/2016 17:52, nando mendonca wrote:

> external_acl_type ldap_group %LOGIN /usr/local/squid1/libexec/ext_ldap_group_acl -R -b "ou=groups,dc=gcsldap,dc=corp,dc=domain,dc=com" -D "cn=cost,ou=admin,dc=gcsldap,dc=corp,dc=domain,dc=com" -f "(&(memberuid=%u) (cn=%a))" -w password -h ldap.corp.domain.com

In the above replace the "%LOGIN" with "%un" and see what happens.
The differences are mentioned at:
http://www.squid-cache.org/Doc/config/external_acl_type/

Also comparing your command to what I have tested with I see
something different.
My test command can be seen in this ML thread:
- http://lists.squid-cache.org/pipermail/squid-users/2015-July/004874.html
I do not have the executable in my hands so I don't know the meaning
of the "-R" flag and compared to the command I have used it's
different.

Try the above and we will see the results,
Eliezer

  



Re: [squid-users] squid 3.1 ldap authentication

2016-01-25 Thread nando mendonca
Hi All,

I'm running squid 3.5.12, I'm using ldap for authentication. When trying to
browse the internet from clients it takes up to 10 minutes for the website
to load. Can you please assist me in troubleshooting what the issue is?
Below is my squid.conf file.




cache_mem 1048 MB
cache_log /usr/local/squid1/var/logs/cache.log
cache_swap_high 95
cache_swap_low 90
dns_nameservers x.x.x.x

#acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
#acl localnet src x.x.x.x.0/24
#acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

## Ports to allow:
acl Safe_ports port 443         # https
acl Safe_ports port 80          # http
acl Safe_ports port 8080
#acl Safe_ports port 21         # ftp
#acl Safe_ports port 70         # gopher
#acl Safe_ports port 210        # wais
#acl Safe_ports port 1025-65535 # unregistered ports
#acl Safe_ports port 280        # http-mgmt
#acl Safe_ports port 488        # gss-http
#acl Safe_ports port 591        # filemaker
#acl Safe_ports port 777        # multiling http

## CONNECT method:
#acl CONNECT method CONNECT

## LDAP Authentication ##
auth_param basic program /usr/local/squid1/libexec/basic_ldap_auth -b "dc=ldap,dc=corp,dc=domain,dc=com" -f "uid=%s" ldapserv.corp.domain.com
auth_param basic children 5
#auth_param basic realm Web-Proxy
auth_param basic credentialsttl 30 minutes
acl ldap-auth proxy_auth REQUIRED

## Visible Hostname ##
visible_hostname proxy-01

external_acl_type ldap_group %LOGIN /usr/local/squid1/libexec/ext_ldap_group_acl -R -b "ou=groups,dc=gcsldap,dc=corp,dc=domain,dc=com" -D "cn=cost,ou=admin,dc=gcsldap,dc=corp,dc=domain,dc=com" -f "(&(memberuid=%u) (cn=%a))" -w password -h ldap.corp.domain.com

#external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "ou=groups,dc=mydomain,dc=net" -D "cn=root,dc=mydomain,dc=net" -f "(&(sn=%u) (cn=%a))" -w password -h localhost

#http_access allow ldap-auth

## ACL's for group checking ##
acl yumrepo external ldap_group yumrepo
acl winupdate external ldap_group winupdate
acl network-update external ldap_group network-update

## ACL's for url domains ##
acl rule1 url_regex -i "/usr/local/squid1/etc/allowed/yumrepo/domains"
acl rule2 url_regex -i "/usr/local/squid1/etc/allowed/winupdate/domains"
acl rule3 url_regex -i "/usr/local/squid1/etc/allowed/network-update/domains"

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
#http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
#http_access allow localhost

http_access allow rule1 ldap-auth yumrepo
http_access allow rule2 ldap-auth winupdate
http_access allow rule3 ldap-auth network-update

# And finally deny all other access to this proxy
#http_access deny all

# Squid normally listens to port 3128
http_port 8080

# Uncomment and adjust the following to add a disk cache directory.
maximum_object_size 1000 MB
cache_dir ufs /var/spool/squid 1000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
#refresh_pattern ^ftp:          1440    20%     10080
#refresh_pattern ^gopher:       1440    0%      1440
#refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
#refresh_pattern -i \.(iso|avi|wav|mp3|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 432000 override-expire override-lastmod ignore-no-cache ignore-no-store ignore-private
#refresh_pattern -i .(deb|rpm|exe|zip|tar|tgz|bz2|ram|rar|bin)$ 129600 100% 129600 override-expire ignore-no-cache ignore-no-store

refresh_pattern .               0       20%     4320

debug_options ALL,1 33,2 28,9

On Wed, Oct 7, 2015 at 12:18 PM, nando mendonca wrote:

> Hi,
>
> I have squid 3.1 

Re: [squid-users] squid 3.1 ldap authentication

2015-10-10 Thread Amos Jeffries
On 10/10/2015 8:16 a.m., nando mendonca wrote:
> Hi Amos,
> 
> Below is my squid.conf configuration. I can login and browse any site
> entering my ldap username. This is working fine.
> 
> Below I would like to use squid_ldap_group -R to allow certain ldap groups
> to browse only certain sites. Below "admins" and "sales" are two ldap
> groups, can I allow the "admins" group to browse a couple of sites and deny
> all others, and also have the "sales" group browse different sites and deny
> all other ldap groups access?
> 
> When I run 'squid -k parse', I'm not seeing any configuration errors.

Then your Squid is a bit outdated. Please consider an upgrade.
The current Squid will at least complain about the manager and localhost
ACL definitions being built-in.


> #
> # Recommended minimum configuration:
> #
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> 
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 192.168.30.0/24# RFC1918 possible internal network
> acl localnet src 192.168.20.0/24
> #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> #acl localnet src 192.168.0.0/16# RFC1918 possible internal network
> acl localnet src fc00::/7   # RFC 4193 local private network range
> acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
> acl SSL_ports port 443
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080
> acl CONNECT method CONNECT
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -b
> "dc=test,dc=corp,dc=domain,dc=com" -f "uid=%s" test.corp.domain.com
> auth_param basic children 5
> #auth_param basic realm Web-Proxy
> auth_param basic credentialsttl 30 minutes
> acl ldap-auth proxy_auth REQUIRED
> http_access allow ldap-auth

The problem you have is that you are allowing access to anyone who is
authenticated. End of story. No other permissions required. The
remainder of your access control config does nothing.

You need to do this instead:

 http_access deny !ldap-auth


> 
> #http_access deny all
> visible_hostname proxy-server-01
> 
> 
> ## Block access to Google ##
> #external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R
> -b "dc=test,dc=corp,dc=domain,dc=com" -D
> "ou=Groups,dc=test,dc=corp,dc=domain,dc=com" -f "(&(objectclass=person)
> (sAMAccountName=%v) (memberof=cn=%a,
> ou=Groups,dc=test,dc=corp,dc=domain,dc=com))" -h test.corp.domain.com
> 
> #acl admin external ldap_group admin
> #acl sales external ldap_group sales
> 
> #acl rule1 url_regex -i "/etc/squid/blacklists/admin/domains"
> #acl rule2 url_regex -i "/etc/squid/blacklists/sales/domains"
> 
> #http_access allow admin rule1
> #http_access allow sales rule2
> #http_access deny all
> 

Once you are using "deny !ldap-auth" for the auth check these group rules
will have a chance of doing something.


However, all of the above http_access lines should be placed below the
line which says "INSERT YOUR OWN RULE(S) HERE"

> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> 

Current best practice is to place these manager rules below the "CONNECT
!SSL_Ports" line.


> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #

Notice what the line above says. And how your authentication rules are
all up top well above the default rules that protect your system against
DoS and protocol abuse attacks.


> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 

Once you have authentication going you may want to remove these.


> 
> # And finally deny all other access to this proxy
> #http_access deny all
> 

Re-enable that "deny all" rule as the last http_access line.

Amos

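The ordering rules Amos lays out above (no blanket "allow ldap-auth", authentication rules below the default Safe_ports/CONNECT/to_localhost protections, "deny all" as the last line) can be checked mechanically. The following is an added example that is not part of the thread and not Squid's own tooling: a shell/awk audit that reads a squid.conf on stdin and reports those three problems, plus a warning when "allow localnet"/"allow localhost" would let some sources skip authentication. The sample_before and sample_after configs are constructed here, modelled on the quoted config and on Amos's corrections; the ACL names ldap-auth, admin, sales, rule1 and rule2 come from the thread.

```shell
#!/usr/bin/env bash
# Added example: audit http_access ordering in a squid.conf. Not from the thread.
# Reads the config on stdin; the proxy_auth ACL name is $1 (default ldap-auth).
# Prints FAIL/WARN findings; exits 0 when there is no FAIL, 1 otherwise.
# Only http_access lines are examined; trailing comments on those lines are
# not stripped, so keep the config in the usual one-rule-per-line form.
audit_http_access() {
    local auth_acl=${1:-ldap-auth}
    awk -v auth="$auth_acl" '
    /^[[:space:]]*http_access[[:space:]]/ {
        n++
        verb = $2
        rest = $3
        for (i = 4; i <= NF; i++) rest = rest " " $i
        rules[n] = verb " " rest
        padded = " " rest " "
        # the protection rules shipped in the default squid.conf
        if (verb == "deny" && (rest == "!Safe_ports" || rest == "CONNECT !SSL_ports" || rest == "to_localhost")) {
            if (!first_prot) first_prot = n
        }
        # first rule that references the auth ACL (negated or not)
        if ((index(padded, " " auth " ") || index(padded, " !" auth " ")) && !first_auth) first_auth = n
        # blanket allow: the auth ACL is the only condition on an allow line
        if (verb == "allow" && rest == auth) blanket = n
        if (verb == "allow" && (rest == "localnet" || rest == "localhost")) net_allow = n
    }
    END {
        bad = 0
        if (blanket) {
            print "FAIL: http_access #" blanket " \"" rules[blanket] "\" admits every authenticated user; the rules after it do nothing"
            bad = 1
        }
        if (first_auth && first_prot && first_auth < first_prot) {
            print "FAIL: auth rule #" first_auth " sits above the Safe_ports/CONNECT/to_localhost protections (first at #" first_prot ")"
            bad = 1
        }
        if (n == 0 || rules[n] != "deny all") {
            print "FAIL: last http_access line is \"" (n ? rules[n] : "(none)") "\", not \"deny all\""
            bad = 1
        }
        if (net_allow && first_auth)
            print "WARN: http_access #" net_allow " \"" rules[net_allow] "\" lets those sources bypass authentication"
        exit bad
    }'
}

# Constructed sample modelled on the quoted config (the "before").
sample_before() {
cat <<'EOF'
acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localnet
http_access allow localhost
#http_access deny all
EOF
}

# The same rules reordered as the reply recommends (the "after").
sample_after() {
cat <<'EOF'
acl ldap-auth proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access deny !ldap-auth
http_access allow admin rule1
http_access allow sales rule2
http_access deny all
EOF
}

# Demo: the "before" config produces three FAIL lines and a WARN, the "after"
# config is clean. For a live file: audit_http_access ldap-auth < /path/to/squid.conf
demo() {
    echo "== before =="; sample_before | audit_http_access ldap-auth
    echo "== after ==";  sample_after  | audit_http_access ldap-auth
}
```

The audit is deliberately narrow: it only knows the three default protection rules and the auth ACL you name, which is enough to catch the "allow everyone who authenticated, then nothing else matters" pattern from the thread without trying to model Squid's full first-match semantics.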

Re: [squid-users] squid 3.1 ldap authentication

2015-10-07 Thread Amos Jeffries
On 8/10/2015 8:18 a.m., nando mendonca wrote:
> Hi,
> 
> I have squid 3.1 installed using ldap authentication. When I access a
> browser I enter my ldap credentials and it works fine. I’m able to browse
> all sites without any issues.
> 
> 
> Is there a way to use ldap groups to allow certain groups access to a few
> sites on the internet and then pretty much block everything else?

Please read this page 

Particularly the sections titled "Common Mistakes".

> 
> I’m able to restrict access to only a couple of sites and block everything
> else without using ldap group authentication, was just hoping this can be
> done with ldap group authentication.

Well, no, because you cannot authenticate a whole group. There is no such
thing as "ldap group authentication".

There is group *authorization*, with LDAP protocol used to fetch the
group details.

Amos



[squid-users] squid 3.1 ldap authentication

2015-10-07 Thread nando mendonca
Hi,

I have squid 3.1 installed using ldap authentication. When I access a
browser I enter my ldap credentials and it works fine. I’m able to browse
all sites without any issues.


Is there a way to use ldap groups to allow certain groups access to a few
sites on the internet and then pretty much block everything else?


I’m able to restrict access to only a couple of sites and block everything
else without using ldap group authentication, was just hoping this can be
done with ldap group authentication.


Thanks,
Nando