RE: [squid-users] Squid proxy with white list and Apache Tomcat web server on same machine?
> The Ubuntu Server had an Apache Tomcat web server on it that we were not
> using at the time. It seems the Squid has disabled it. Is it possible to
> run both on the same server? I have crawled the archives but do not see any
> reference to this specific issue. Right now the Squid and the Apache Tomcat
> are for the LAN only with no external access planned in the near future.
>
> When I run the tomcat test http://localhost/
> the error message is
> Firefox can't establish a connection to the server at localhost.

Don't have time to look over your config, but I doubt one disabled the other. So you are trying to browse a local http service on the console of the squid server, through the proxy? Tail your access.log; you'll see what is happening, but likely you have an acl blocking localhost access. You mention you have no external access; what do you cache with squid?
RE: [squid-users] Gmail HTTPS Block
> Is there any way to block HTTPS for some web sites?
>
> I have to block access to Gmail accounts.
>
> It's done for http but I did not find any solution for https.
>
> This is part of my configuration:
>
> acl gmail1 dstdomain google.com
> acl gmail2 dstdomain google.ca
> http_access deny CONNECT gmail1 gmail2

This just came up yesterday. Use something like a regex, match google.com or google.ca, and block like this, e.g.:

acl test url_regex google\.com
http_access deny test

Or put the list in a file to make it easier to maintain. Check the man page, url_regex is case sensitive...
jlc
RE: [squid-users] Block Facebook message page
> Joseph, there's no point in matching https because when your browser
> is using SQUID as a proxy,
>
> it sends a CONNECT request and then exchanges SSL traffic which squid
> can't/won't touch at all, so the acls can't be applied.

Good point, I match on "facebook.com" as a whole here and it works fine.
RE: [squid-users] Block Facebook message page
> You can't do it, since HTTPS traffic is tunneled through squid, can't
> be filtered or cached.

If you followed what he was doing, you would have seen his error and known you can very much do what "he" was trying to do, but he failed as a result of the regex. Your match might change to just www.facebook.com for example, or make a case for 1 or no "s"...
RE: [squid-users] Block Facebook message page
> acl fb1 url_regex -i ^http://www.facebook.com/ajax/gigaboxx/endpoint/MessageComposerEndpoint.php
> http_access deny fb1
>
> but it does not work for HTTPS

Did you match for https?
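To make concrete why a path regex like the one quoted above never fires on HTTPS while a domain-level rule does (the same reason the exact dstdomain entries in the Gmail thread of this digest missed mail.google.com), here is an added Python sketch, not code from the list, that applies those ACL patterns to constructed GET and CONNECT request lines the way Squid's url_regex and dstdomain matching does. The request samples are constructed.

```python
import re

# Constructed sample requests (not from the thread): the URL field as Squid
# receives it. A CONNECT carries only host:port; the HTTPS path never
# reaches the proxy because it travels inside the TLS tunnel.
SAMPLE_REQUESTS = [
    ("GET", "http://www.facebook.com/ajax/gigaboxx/endpoint/MessageComposerEndpoint.php"),
    ("CONNECT", "www.facebook.com:443"),
    ("CONNECT", "mail.google.com:443"),
    ("GET", "http://www.example.com/"),
]

# The ACL patterns quoted in the two threads.
FB_PATH_REGEX = r"^http://www\.facebook\.com/ajax/gigaboxx/endpoint/MessageComposerEndpoint\.php"
GOOGLE_REGEX = r"google\.com"


def dst_host(method, url):
    """Host that a dstdomain ACL compares against (lower-cased, no port)."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def dstdomain_match(host, pattern):
    """Squid dstdomain: 'foo.com' matches only foo.com; '.foo.com' also matches every subdomain."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def url_regex_match(url, pattern, ignore_case=False):
    """Squid url_regex: an unanchored search over the whole request URL (-i makes it case-insensitive)."""
    return re.search(pattern, url, re.I if ignore_case else 0) is not None


def evaluate(method, url):
    """Report which of the threads' ACLs would match one request."""
    host = dst_host(method, url)
    return {
        "fb_path_regex": url_regex_match(url, FB_PATH_REGEX, ignore_case=True),
        "google_regex": url_regex_match(url, GOOGLE_REGEX),
        "google_exact": dstdomain_match(host, "google.com"),
        "google_subdomains": dstdomain_match(host, ".google.com"),
    }


if __name__ == "__main__":
    for method, url in SAMPLE_REQUESTS:
        print(f"{method:8} {url:80} {evaluate(method, url)}")
```

The CONNECT rows show the path regex missing the tunnel while the whole-domain regex and the leading-dot dstdomain still match on host:port.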
RE: [squid-users] Squid + NTLM Auth + MSN
> I found on the logs that msn is not sending the authentication
> information so squid is denying the connection.

How have you configured Windows to use a proxy? Does Live know about this?
RE: [squid-users] Squid as Proxy for Exchange 2010
> When I
> setup the Exchange server I used a SSL certificate with the domain
> mail.myco.com. Now that I am considering using Squid I was wondering
> how I would set that up since I have already used the domain and if I
> could use a separate SSL Certificate with the same domain name on the
> SQUID server.
>
> Any other suggestions on how to best configure this would be appreciated.

While there might be a better way, the private key and the public key are stored together, so you can export and separate them for use on non-windows systems, thereby validating the squid server to respond as well. Others who have actually done this might evaluate this procedure, but in my limited ssl knowledge, I presume this should work? A quick web search yields this:
http://www.petefreitag.com/item/16.cfm
hth,
jlc
RE: [squid-users] R: RE: [squid-users] Squid - ldap auth against active directory 2008 R2
> As I
> said: with AD 2003 was working well, now with AD2008 is not working

That doesn't help us, so you upgraded the domain? Regardless, you're not auth'ing to the "same" server, so something changed.

> auth_param basic program usr/sbin/squid_ldap_auth -d -v "3" -s "sub" -b "dc=example, dc=org" -D "cn=example-Auth-User,ou=konten,ou=User city,dc=city,dc=example,dc=org" -w "f" -f "sAMAccountName=%s" -h "ldapserver.ab.example.org" -p "3268"

Check the firewall on the 2008 server, it may not be allowing connections to that port for example. More specifically, are you intentionally querying the GC port versus the LDAP port? As I don't know your topology, that may not have a view of what you are looking for...
RE: [squid-users] Squid - ldap auth against active directory 2008 R2
> On the cache.log of squid I can see an error message "could not bind to bindn"
> server" "can't contact ldap server.
>
> Could someone help me to let it work?

Probably not without seeing your config and knowing your AD setup. If you upgraded, has your ldap topology remained exactly the same? Were you binding anonymously previously, as by default anon binds are disabled in AD? Are you binding to the same user DN as you were, and does that user DN still exist?
jlc
RE: [squid-users] Squid + LDAP + Active Directory
> Yes using -D and -w switches, with creds known to work on other devices
> doing ldap (MFDs for one).

Redact the sensitive parts, and post the actual cmd in your conf. Likely the domain/user syntax is wrong.
RE: [squid-users] Squid + LDAP + Active Directory
> I'm sure this has been asked before - working on a squid box that is to
> Auth to AD. Unable to authenticate and getting error in squid cache log:
> WARNING: could not bind to binddn 'Invalid credentials'

By default, Windows doesn't allow anon binds. Are you using a bind account, and if so, are the creds right?
RE: [squid-users] Kerberos / SASL for squid_ldap_group
> But then, in 2006, Henrik Nordstrom says[2] neither squid_ldap_group nor
> squid_ldap_auth support Kerberos SSO. After the initial posting of the patch
> in '04, I can't find any more references to it on the mailinglists.

See squid_kerb_ldap.
http://squidkerbauth.sourceforge.net/
jlc
RE: [squid-users] ldap fallback not working
> Anything dumping to stderr from the helper appears in the squid cache.log.

Amos,
That confirms it, so any ideas if there is a workaround? Even with squid_kerb_ldap having a default domain set (-D) it still didn't like the unqualified name.
RE: [squid-users] ldap fallback not working
> I think it's a matter of "username" (Basic) vs "dom...@username"
> (Kerberos).
>
> You can test this by replacing the group lookup with a fake
> external_acl_helper which logs the credentials passed to the group helper.
> Doing a few requests through both auth mechanisms will show you what
> difference the group helper sees.

Amos,
I made a simple perl script that takes STDIN and writes it to a file in /var/log/squid that is owned by squid:squid and returns "OK", but it's not working. Either I missed the error with ALL,9 (I didn't know which module to focus on). How does one get a helper to log in cache.log like the included binaries do when you enable debug in them?
Thanks!
jlc
[squid-users] ldap fallback not working
I have a working setup with squid_kerb_auth and squid_kerb_ldap for authorization with group membership. I want to add squid_ldap_auth for a basic auth_param, but when a client falls back to basic and uses squid_ldap_auth, squid_kerb_ldap errors out. I have set the default domain in squid_kerb_ldap. Will squid_kerb_ldap not work without a kerb client? I thought its authorization to AD was based on the server's machine account. Missing something obvious here...
Thanks!
jlc
[squid-users] Error loading pdf behind squid
Users are needing access to the pdfs in http://ccemc.ca/process/guidelines such as http://ccemc.ca/_uploads/CCEMC-166-Proposal-Guide6.pdf, but in ie8 and ff 3.6.8 the pdfs fail to render; w/o the proxy they seem to always load. I have tried in squid-3.0.STABLE20 and squid-3.1.4 and the issue is the same. Any known workarounds for this behavior? The config is nearly stock with the exception of kerb auth params...
Thanks!
jlc
RE: [squid-users] Squid and squidguard
> what mean redirect_children.

First hit on google explains it well :) It's in the config manual:

Tag Name: redirect_children
Usage: redirect_children number
Description: This tag is used to set the number of redirect processes to spawn
Default: redirect_children 5
Example: redirect_children 10
Caution: If you start too few, Squid will have to wait for them to process a backlog of URLs, slowing it down. If you start too many, they will use RAM and other system resources.
RE: [squid-users] Re: squid_kerb_ldap clarification
> Here is a short overview of what squid_kerb_ldap does.
> 1) A user authenticates with either NTLM (username will be NT-DOM\user)
> or Kerberos (username will be u...@kerb-dom)
> 2) squid_kerb_ldap uses the -N flag to map NT-DOM to KERB-DOM for NTLM
> authenticated users
> 3) Uses DNS SRV records to find AD server for KERB-DOM
> 4) Uses the Kerberos Keytab to authenticate an ldap connection to AD
> using SASL/GSSAPI.
> 5) Searches AD if the user is member of the group given by -s (The newer
> squid_kerb_ldap version has also an -m option to allow recursive search
> (e.g. check if a group is a member of another group))
>
> Does this help?

Markus,
Sure does... So by creating a computer account in AD, I can avoid the LDAP bind account I was using with the older squid_ldap_auth helper. Great.
Thanks!
jlc
[squid-users] squid_kerb_ldap clarification
We have a mixed 2k -> 2k8r2 environment. Currently I am using ntlm_auth and Samba for the 2k machines, and squid_kerb_auth/squid_ldap_auth for the newer machines to manage access based on AD group membership. Do I understand correctly that if I use squid_kerb_ldap with the -N I can provide group authentication for Kerb and NTLM based clients without an ldap bind account for our AD ldap server that does not accept anonymous binds? Thanks, jlc
RE: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5
>> I updated the article for 5.5, why are you using 5.4?
>
> There is no special reason why I have been using CentOS 5.4. It was the
> newest version available when I successfully set up my squid proxy and I
> haven't updated it yet. By the way, there is no mention in your
> article that it is for CentOS 5.5 (only?).

Good point, I have updated the article...
jlc
RE: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5
> Stop what? I've understood stop doing only step 4, right? Anyway, I
> was following the
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
> article and I didn't find the wbpriv group on my CentOS 5.4 box (Yeah,
> authconfig, krb5-workstation and samba-common are installed!).

I updated the article for 5.5, why are you using 5.4?

> To finish, I've used another CentOS 5.4 machine and installed from
> scratch authconfig, krb5-workstation and samba-common and guess what,
> the /var/cache/samba/winbindd_privileged directory was created with 750
> root:squid rights!

Right, as it was back then...

> I wonder, should I create the wbpriv group, assign the squid user to it and
> make root:wbpriv the owner of the /var/cache/samba/winbindd_privileged
> directory in order to make my environment more secure? Any help with
> this will be very appreciated.

Build off a 5.5 disc, then follow that guide.
jlc
RE: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5
> and set the server as a winbind server in
> the wizard will automatically make the smb server a pdc which will be
> your primary domain controller.

So in his Windows 2003 Active Directory Forest, he should make a Samba server a PDC? Really?
RE: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5
> I have followed these steps and I keep getting this error:
>
> Password:
> [2010/06/16 16:25:28, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(367)
>   Error in domain join verification (credential setup failed):
> NT_STATUS_NOT_SUPPORTED
>
> Unable to join domain EXCH02.
>
> Shutting down Winbind services: [ OK ]
> Starting Winbind services: [ OK ]
> [r...@squid squid]#

Sanitize and post your smb.conf and krb5.conf. Based on your last post, I am guessing there is a misconfiguration there. Pending that, you might look into possible configuration of AD preventing your version of Samba from working. Although you are using the CentOS 5 Config example, what distro and Samba package are you using? Out of curiosity, what client OS's are you supporting with this proxy?
RE: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5
> Did anyone make it work? :
>
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5

Of course, it was written while being built, then retested immediately after.

> authconfig --enableshadow --enablemd5 --passalgo=md5
> --krb5kdc=ads.example.local

^ Really?

> The error that I get is:
>
> [2010/06/14 16:39:42, 0] libads/kerberos.c:ads_kinit_password(228)
>   kerberos_kinit_password u...@abc.xyz.com failed: Client not found in
> Kerberos database

Well, that's not surprising, I doubt your real domain was ads.example.local...
RE: [squid-users] squid rewrite & squidguard
> 2010-05-31 16:17:31 [2785] squidGuard 1.3 started (1275319051.335)
> 2010-05-31 16:17:31 [2785] squidGuard ready for requests (1275319051.340)
> 2010-05-31 16:17:31 [2785] source not found
> 2010-05-31 16:17:31 [2785] no ACL matching source, using default
> http://proxy.cp.mydomain.com/block.html 192.168.6.66/- - -
> 2010-05-31 16:17:31 [2785] squidGuard stopped (1275319051.341)
>
> But when running within Squid, it does not seem to be taking it? Did I
> miss anything in the squid.conf file? I looked online and couldn't
> spot any error.

FWIW, there is a squidguard mailing list that is pretty helpful. Your problem is almost certainly permissions: you ran this and the db creation as root (or someone), so now the user that squid runs the rewriter as does not have any access privs to the log files and/or bl/db's... Check the first two directives in your conf, see who can write there.
HTH,
jlc
[squid-users] sarg and Squid 3 Stable20
Using the redhat package on CentOS 5x64, sarg faults and can't generate all of the files needed for the view. This worked on the older version in the main repo, is there something known to change to allow sarg to work or is the issue unexpected? Thanks! jlc
[squid-users] RE: Kerberos Authentication and LDAP Authorization
> I've added the following to squid.conf:
>
> external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b "CN=Users,DC=heidelberg,DC=bw-online,DC=de" -f "(&(cn=%g)(memberUid=%u)(objectClass=ebay))" -B "CN=Users" -F "(CN=%s)" -D "CN=ldap,CN=Users,DC=heidelberg,DC=bw-online,DC=de" -w "PASSWORD" -h dc2.heidelberg.bw-online.de -v 3 -K
>
> ebay is the group that contains the users which should be allowed; this group
> is in the container Users. The user to read the AD is ldap, also located in
> the container Users.
>
> I've then deleted the acl and the http_access for the authenticated users with
> kerberos and added the following:
>
> acl ldapgroup-access external ldapgroup @HEIDELBERG.BW-ONLINE.DE

That's wrong, according to you, ebay is the group?

external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "DC=domain,DC=local" -D "CN=LDAP,OU=Service Accounts,OU=Some OU,DC=domain,DC=local" -W /etc/squid/squid_ldap_group_secret -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Some OU,OU=Another OU,DC=domain,DC=local))" -h 192.168.0.2 -d -K
acl ldapgroup-access external ldapgroup ebay

That's how I do it.

> http_access allow all ldapgroup-access
>
> But now, even members of the ebay-group get a denied. Can anyone see my
> mistake?

Probably finish that with:

http_access deny !
http_access allow ldapgroup all

You can also run that external_acl_type from the cli and enter user/group pairs separated by a space and see the results. Also adding a -d will show what was sent as a query to the ldap server in your cache log.
Hth,
jlc
[squid-users] Supporting ie6/win2k clients
Is there an alternative to ntlm_auth supporting these browsers in active directory to facilitate access w/o asking for creds (such as if used with LDAP auth), without joining the server to active directory and using Samba? We have Kerberos auth functioning and the few win2k/ie6 clients obviously don't authenticate. I have an LDAP fallback and want to avoid Samba.
Thanks,
jlc
RE: [squid-users] squid_ldap_group trouble
>> Is there a way to show what the helper is doing in the log file?
>
> http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_group
>
> Looks like the -d debug option.

Amos,
Can't believe I missed that, it needed the '-K'. Where you get the patience to deal with such careless malarkey escapes me; you are truly a gem and that was greatly appreciated :)
Stay well,
jlc
RE: [squid-users] squid_ldap_group trouble
> Perhaps the fact that Kerberos works with anonymous binary blobs? no
> username in sight.

You have to pardon me, I am not familiar enough with the inner workings of Kerberos to understand what a binary blob is wrt Kerberos :)

> Or if not that, something in the elided section "<...>".

I omitted it as it worked from the cli, but possibly something in the syntax when used in the conf file is wrong (wrapped intentionally here)?

external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "DC=domain,DC=local" -D "CN=LDAP,CN=Users,DC=domain,DC=local" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,CN=Users,DC=domain,DC=local))" -h 10.0.0.2

> The bare http_access logic is fine but assumes the LDAP group helper can
> handle what Kerberos uses for a username.

Is there a way to show what the helper is doing in the log file?
Thanks Amos,
jlc
[squid-users] squid_ldap_group trouble
I am trying to supplement squid_kerb_auth with squid_ldap_group. From the cli, my external_acl_type string works fine; username and group pairs return expected results. Disregarding the ldap group check, the following authenticates correctly:

acl auth proxy_auth REQUIRED
http_access deny !auth
http_access allow auth localnet
http_access deny all

But when I modify it as follows it breaks:

external_acl_type ldapgroup %LOGIN /usr/lib64/squid/squid_ldap_group <...>
acl auth proxy_auth REQUIRED
acl acl_ldap external ldapgroup adGroup
http_access deny !auth
http_access allow auth acl_ldap localnet
http_access deny all

Anyone see what I have done wrong?
Thanks,
jlc
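As an added illustration of Amos's fake-helper suggestion in the ldap fallback thread above, and of the username shapes (Basic "user", Kerberos "user@REALM", NTLM "DOM\user") that the -K, -D and -N options in this and the squid_kerb_ldap threads deal with, here is a small Python external_acl helper; it is not a Squid-shipped helper nor jlc's Perl script, and the log path, install path and realm argument are assumptions. It logs each request line to a file and, per Amos's note, to stderr so it also lands in cache.log, then answers OK so http_access behaviour is unchanged while you observe on a test box.

```python
#!/usr/bin/env python3
"""Diagnostic external_acl helper (added example; not one of Squid's bundled helpers).

Wire it in with lines such as (paths and realm are assumed):
    external_acl_type dbg ttl=0 negative_ttl=0 %LOGIN /usr/local/bin/acl_debug.py AD.EXAMPLE
    acl dbg_ok external dbg adGroup
Squid writes one url-escaped line per lookup, "<login> <group...>", and reads one
reply line back. Assumes external_acl_type is used without concurrency= (no channel id).
"""
import sys
from urllib.parse import unquote

LOG_PATH = "/var/log/squid/acl_debug.log"  # assumed; must be writable by the user squid runs helpers as


def normalise_login(login, default_realm=None):
    """Reduce the three login shapes named in the threads to (account, realm).

    Basic auth   -> "user"             realm taken from default_realm (cf. squid_kerb_ldap -D)
    Kerberos     -> "user@KERB.DOM"    the realm squid_ldap_group -K strips before the LDAP query
    NTLM         -> "NT-DOM\\user"     the domain squid_kerb_ldap -N maps to a Kerberos realm
    """
    login = unquote(login)
    if "@" in login:
        user, realm = login.split("@", 1)
    elif "\\" in login:
        realm, user = login.split("\\", 1)
    else:
        user, realm = login, default_realm
    return user.lower(), (realm.upper() if realm else None)


def handle_line(line, default_realm=None):
    """Parse one helper request; return (reply, parsed). reply is the line sent back to Squid."""
    parts = line.strip().split()
    if not parts:
        return "ERR", None
    user, realm = normalise_login(parts[0], default_realm)
    parsed = {"user": user, "realm": realm, "groups": [unquote(g) for g in parts[1:]]}
    # Observation only: always allow, so the http_access outcome is unchanged while testing.
    return "OK", parsed


def main():
    default_realm = sys.argv[1] if len(sys.argv) > 1 else None
    with open(LOG_PATH, "a") as log:
        for line in sys.stdin:
            reply, parsed = handle_line(line, default_realm)
            record = "acl_debug raw=%r parsed=%r\n" % (line.rstrip("\n"), parsed)
            log.write(record)
            log.flush()
            sys.stderr.write(record)  # helper stderr is collected into cache.log
            sys.stderr.flush()
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()  # Squid blocks waiting for each answer; buffered stdout stalls it


if __name__ == "__main__":
    main()
```

Run a request through each auth mechanism and compare the logged "parsed" fields; the Basic path shows realm=None unless a default realm argument was given, which is the unqualified-name case the ldap fallback thread describes.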
RE: [squid-users] kerberos authentication and ldap
> The patch is already included since the following STABLE versions:
>
> 2.7 STABLE1
> 3.0 STABLE2

Guido,
Thanks, I should have read all the comments in the post :) Do you know if it's possible to facilitate the following scenario, where access is auth'ed by Kerberos, and an ldap external_acl_type checks group membership without a specific bind account, but uses the Kerberos auth'ed user as the bind account?
Thanks,
jlc
[squid-users] kerberos authentication and ldap
We are getting some Win7 machines so I am migrating our ntlm setup to Kerberos. Looking at Markus Moeller's kerb guide, I see that it doesn't state how to control access after successful auth. Looking online, http://klaubert.wordpress.com/2008/01/09/squid-kerberos-authentication-and-ldap-authorization-in-active-directory/ suggests an ldap companion method, but this involves a patch. Is that patch still needed, or does there exist a stock approach to facilitate this, as our access is done by AD group membership?
Thanks,
jlc
RE: [squid-users] ntlm_auth issue
> After configuring everything according to this:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
> I got this error:
>
> [2009/11/01 15:36:11, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
> Failed to join domain: Invalid credentials
>
> Anyone ever facing the same problem or have any idea about this error?
> I cannot join the Linux box to the AD.
> FYI, kinit, net ads info and klist succeed (ticket acquired).

Well, starting with the obvious, how are you formatting the username you are presenting? Do you have control over AD? Are there any configuration settings changed from the default, such as those relating to locking it down? Also, there is a much simpler approach here:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
RE: [squid-users] Re: Win7/ie8 and moving from ntlm to kerb auth
> What do you mean with maintain a windows account? You usually create it
> once. If you run squid on Windows you don't need a keytab.

Markus,
The account must be created, then maintained in AD, which is a burden I am hoping to avoid :) With pw aging and policies, I have to watch when it gets locked out etc. and reset everything. Any ideas how to get around it?
Thanks!
jlc
[squid-users] Win7/ie8 and moving from ntlm to kerb auth
To get kerb auth in Squid functioning, is the only procedure that is available make use of a keytab, or are there alternatives which don't require a windows account for a keytab to be maintained? Thanks! jlc
RE: [squid-users] yes or no question
> Good day.
> I've checked the Russian FAQ and did not find the answer to my question.
> I have a net with 20 computers. I want to block access to certain sites and
> forbid downloading certain types of files (*.mp3, *.avi etc.).
> Is it possible with Squid? For now I just want "yes" or "no" because the
> rest I'll try to find myself.
> Regards, your potential user.

Sure, use a regex on the url, but that's not going to be watertight. Maybe someone has a better idea?
jlc
[squid-users] RE: proxyauth for certain active directory users
> My separator is +

Ok, then you simply separate domain and group with a plus. It doesn't need to be escaped.

> I've tried all kinds of things:
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=domain\\"Domain Users"
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="domain\\Domain Users"
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="domain\Domain Users"
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="domain\\Domain Users"
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="Domain Users"

Well, none of those actually look right :) I am guessing the built-in group you want to actually use is "Domain Users", so your syntax would be:

--require-membership-of=domain+Domain\ Users

If you're using the domain name in the string, then make sure:

winbind use default domain = false

Also, not knowing your domain name, mine has a "-" in it, so I write my string like this:

--require-membership-of=domain\-name+Squid

I suggested you run it manually, you'll see what's going on immediately. (Or check the logs :>)

From the console on my proxy:

#/usr/bin/ntlm_auth --require-membership-of=DOMAIN\-NAME+Domain\ Users --username=jcasale
password:<...>
NT_STATUS_OK: Success (0x0)

HTH...
jlc
[squid-users] RE: proxyauth for certain active directory users
> I have everything setup as documented but it's not working. The
> proxy is joined to the domain, wbinfo -g/-u gives results. Without
> the --require-membership-of switch, if I supply a valid domain user's
> credentials it works. This is running the latest build of 2.7.
> NTLM Authentication
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="domain\somegroup"

I only have a production rig setup and I can't interrupt it, but off the top of my head I would assume your winbind separator is a "\", but if I recall the needed syntax when using the slash as a separator, you need to escape the slash :) Try a \\ and see if that works, or set winbind to use the default domain possibly and just put the group name in? Anyway, sorry for not being more precise, but that should help. You can run ntlm_auth manually to view the output for debug purposes. That should yield any config errors clearly.
jlc
[squid-users] RE: proxyauth for certain active directory users
> Sorry for the silly question, I've been using squid to allow access to users
> on a domain, but how can I limit access to users only in a certain security
> group on the domain.

Check the wiki out. Once they are in a group, you specify group access in the ntlm_auth helper something like this:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=EXAMPLE+ADGROUP

The group syntax should correlate to your winbind separator defined in your smb.conf.
[squid-users] Website not working through squid
We have users trying to use www.aircanada.com and the site loads but then gives a message about being unavailable after it's clearly rendered, and then shows an "Operation Aborted" error and displays a Website Unavailable page? There is nothing in the log that looks suspicious, any ideas where to look? Using 2.6Stable21 on CentOS 5.3
Thanks,
jlc
RE: [squid-users] AD intergration
> Hi,
> Can anybody provide me with a good tutorial on how to integrate windows
> 2003 AD to authenticate Squid using NTLM. My environment is CentOS5 running Squid 2.6 and Windows
> 2003 R2 Standard (LDAP v3).
> Thanks in advance
> A. Khan

Check the wiki :)
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
RE: [squid-users] Squid 3.0 and Active Directory
> any other ideas?

Well, your problem should be the simplest to diagnose. Does User1's pc have direct access to the internet? Is his proxy setting configured correctly? Is his ip in the 10.100.30.0/255.255.255.0 network? I still think your acl's aren't right, you deny localhost then allow *after*? Check the wiki, or pull an rpm/src down and start with a default config and start modifying from there.
jlc
RE: [squid-users] Squid 3.0 and Active Directory
> I have 3 users for my test:
>
> Admin (who is member of InternetAccess)
> User1 (who is a domain account but not member of InternetAccess)
> User2 (who is a local account of my pc-client)
/snip
> The problem appears with user1 who is supposed to not have access to
> internet, but after logon on windows he can go through.
/snip
> acl xptest src 10.100.30.0/255.255.255.0
/snip
> http_access allow xptest

Who's xptest? You allowed that whole subnet through? I am not an expert, but I do it like this:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAIN\\GROUP
auth_param ntlm children 5
acl ntlm proxy_auth REQUIRED
acl our_networks src 192.168.0.0/24 192.168.2.0/24
http_access allow ntlm our_networks
http_access deny all

HTH,
jlc
RE: [squid-users] Latest greatest Active Directory Auth solution?
> Thanks Joseph, I found the AD group can not be a domain local group.
> Set to global it works but that's only good if you only have one
> domain. Set to universal it will enumerate users in trusted domains. I
> have a user in a trusted domain belonging to a global group in that
> domain called internet. The global group internet in that domain is a
> member of the local domain's universal group inetfullaccess. I told
> ntlm_auth to require membership of the local domain's inetfullaccess
> group.
>
> So the ldap_auth ldap_group method is not single signon capable?

Hrm, I am not sure what happens here; I have seen nested groups break lots more than just squid. I haven't used LDAP in squid, but I can't see how it could possibly do SSO. LDAP does not know anything about a password hash (that a user would have after logging in to the domain). That's why I use an ntlm method: users open their browser and it passes the credentials along to be checked, versus an LDAP method which will prompt for auth, then check it by either binding anonymously or with a service account/prompted user's creds for whether or not the user exists and has perms.
jlc
RE: [squid-users] Latest greatest Active Directory Auth solution?
> Thank you for your howto. Because of your howto I've had a test system
> logging access by DOMAIN\Username for a while now. After thorough
> review I can't see where the --require-membership-of switch is added.

You add the switch to the ntlm_auth command:

$ /usr/bin/ntlm_auth --help

So mine looks like this:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=AD_DOMAIN\\AD_GROUP

> I still wonder if someone is keeping track of the various AD Auth
> mechanisms and stating out loud which is the most elegant.

Well, "most elegant" is a matter of perspective, just like our different requirements.

> ntlm_auth requires Kerberos and Samba and domain membership. I don't
> like this on a firewall box.
>
> Best I can tell ldap_auth and ldap_group don't require either of
> these. Am I wrong?

Yeah, I wouldn't want that there either. I haven't used the ldap_auth, but if it can bind with the user/pass asking for access it would be golden in your scenario; otherwise you need anonymous binding or a service account, both of which aren't secure. That also won't be seamless, you'll always need to login. The ntlm_auth is seamless, so I achieve SSO for all my browsers here.
jlc
Ps. Reply to all, or rewrite the recipient to the list email ;)
RE: [squid-users] Latest greatest Active Directory Auth solution?
> Is someone keeping track of all the Active Directory Authentication
> solutions available in the Squid distribution?
> In /usr/lib/squid3 I have all these and no idea which is the latest best.
> pam_auth
> smb_auth
> smb_auth.sh
> smb_auth.pl
> ntlm_auth
> msnt_auth
> squid_ldap_auth
> squid_ldap_group
> wbinfo_group.pl

The wiki's http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM works perfectly for me. In fact, it's the only perfectly working implementation of SSO I have ever made work :) I extended the how-to with a switch, --require-membership-of=AD_DOMAIN\\AD_GROUP, and allow auth for only certain users this way.
jlc
RE: [squid-users] SquidGuard Replacement
> I wasn't able to access the systems with the SG-config today.
> So let's solve your problem with SG tomorrow instead of hunting for
> a "suboptimal" solution.
> Did you try to post your prob to Shalla / Christine Kronberg?
> She is usually a great help.

Philipp,
It turned out to be the in-addr that was breaking it. I don't know if it was at all related, but I thought to try without it after seeing this without sg:

1231366747.608    749 192.168.0.44 TCP_MISS/200 2562 GET http://ad.yieldmanager.com/st? - DIRECT/76.13.212.11 text/html

Versus this with sg:

1231366679.400     48 192.168.0.44 TCP_MISS/403 2585 GET http://ad.yieldmanager.com/st? - DIRECT/192.168.0.11 text/html

in the squid logs. I don't know if you can log in-addr blocks, but that's why I wasn't seeing anything related to it. After dropping the !, it worked. I would love to know if the above is related, or if not, what it's about?
Thanks everyone!
jlc
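Added example (not from the thread) for picking squidGuard-rewritten requests out of a native-format access.log like the two lines above: access.log keeps the client's original URL, so the rewrite only shows up in the hierarchy/peer column, where the block-page host (192.168.0.11, taken from the lines above) appears instead of the origin. The sample log lines are constructed from those two plus an extra CONNECT line; the block-host set is an assumption.

```python
import re
from urllib.parse import urlsplit

# Squid native log layout (the "squid" format named in access_log directives):
# time elapsed client code/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample, patterned on the two lines quoted in the thread: same
# client and URL, first served by the origin, second fetched from the local
# block-page host after the rewriter substituted the URL.
SAMPLE_LOG = """\
1231366747.608    749 192.168.0.44 TCP_MISS/200 2562 GET http://ad.yieldmanager.com/st? - DIRECT/76.13.212.11 text/html
1231366679.400     48 192.168.0.44 TCP_MISS/403 2585 GET http://ad.yieldmanager.com/st? - DIRECT/192.168.0.11 text/html
1231366800.123     12 192.168.0.45 TCP_MISS/200 1024 CONNECT mail.google.com:443 - DIRECT/74.125.19.17 -
not a squid log line
"""

BLOCK_PAGE_HOSTS = {"192.168.0.11"}  # assumed: the host(s) block.html is served from


def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["elapsed"] = int(d["elapsed"])
    return d


def url_host(url):
    """Host part of the logged URL; CONNECT lines log a bare host:port with no scheme."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def was_rewritten_to_block_page(entry, block_hosts=BLOCK_PAGE_HOSTS):
    """True when Squid fetched from a block-page host although the logged URL points elsewhere."""
    return entry["peer"] in block_hosts and url_host(entry["url"]) not in block_hosts


def blocked_requests(log_text, block_hosts=BLOCK_PAGE_HOSTS):
    """List (client, url, status) for every parseable line that was rewritten to the block page."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and was_rewritten_to_block_page(entry, block_hosts):
            hits.append((entry["client"], entry["url"], entry["status"]))
    return hits


if __name__ == "__main__":
    for client, url, status in blocked_requests(SAMPLE_LOG):
        print(f"{client} -> {url} rewritten to block page (HTTP {status})")
```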
RE: [squid-users] SquidGuard Replacement
> Joseph,
> I wasn't able to access the systems with the SG-config today.
> So let's solve your problem with SG tomorrow instead of hunting for
> a "suboptimal" solution.
> Did you try to post your prob to Shalla / Christine Kronberg?
> She is usually a great help.

Philipp,
I did post just now; for some reason my mail takes ages to get on the list. I have been doing some testing and see no difference between Squid3STABLE9|Squid2.6STABLE5 and SquidGuard 1.3|1.4, so it's obviously a config issue of some sort. My acl which I omitted from sg is as follows:

acl {
    std-clients {
        pass white local !in-addr !adv !aggressive automobile_bikes automobile_boats automobile_cars automobile_planes !chat !dating !downloads !drugs !dynamic finance_banking finance_insurance finance_moneylending finance_other finance_realestate !forum !gamble !hacking hobby_cooking hobby_games hobby_gardening hobby_pets hospitals !imagehosting isp jobsearch military !models !podcasts politics !porn recreation_humor recreation_sports recreation_travel recreation_wellness !redirector !religion !remotecontrol !ringtones science_astronomy science_chemistry searchengines !Sex_lingerie shopping !socialnet !spyware !tracker updatesites !violence !warez !weapons !webmail !webphone !webradio !webtv any
        redirect http://localhost:88/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    }
    default {
        pass local none
        redirect http://localhost:88/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t+url=%u
    }
}

Thanks for everything!
jlc
RE: [squid-users] SquidGuard Replacement
>I switched to ufdbguard and have been real pleased with its performance
>and support.

Thomas,

Do I understand this right, the software is free but the db is not? Can one use shalla lists with this software?

Thanks!
jlc
RE: [squid-users] Re: Defining BL's via acls
>I think it's pretty clear he meant using the files downloaded from shalla on
>his server. I know of no system that queries "remote files". BLs mean DNS
>based lookups, which shalla does not have.

Yeah, that's exactly what I meant. I don't think over the fastest pipe one could remotely access these lists, they are several megs! I have scrapped this idea any way...

jlc
RE: [squid-users] Defining BL's via acls
>Depends on your chosen ACL type and the number of patterns.
>Many regex may be slower than DG, many dstdomain or dst may improve
>response time.

It looks like the lists are far too large for any regex type acls, but the acl dstdomain "file" is causing me issues with the way the shalla lists are formatted: some urls are complete and some aren't, and the incomplete sites do not begin with a "." so they aren't matched. Any way around this?

I don't know why squidguard is broken in all three of my setups, maybe an issue with the rpmforge package? No one has a 1.4 rpm and I won't compile on these production systems :( Later this week, I will try to fire up a vm with CentOS and test it out.

Thanks!
jlc
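One way around the leading-dot problem described in the post above, as an added example that is not from the list posting: a small converter that turns a Shalla-style domains file into the form Squid's dstdomain "file" expects, since dstdomain matches "example.com" exactly but ".example.com" also matches every subdomain. The function names and the sample list are my own; the sample input is constructed.

```python
"""
Normalise a Shalla-style domains list for  acl <name> dstdomain "<file>".
Prepends the leading dot so subdomains match, lowercases entries, skips
comments and URL-style lines (those belong in a separate urls list), and
drops entries already covered by a parent domain in the same list.
"""
from typing import Iterable, List


def _canon(entry: str) -> str:
    """Lowercase, strip whitespace and surrounding dots; '' if not a bare domain."""
    entry = entry.strip().lower()
    if not entry or entry.startswith("#"):
        return ""
    if "/" in entry or ":" in entry:          # URL path or host:port, not a domain
        return ""
    return entry.strip(".")


def shalla_to_dstdomain(lines: Iterable[str]) -> List[str]:
    """Return sorted '.domain' entries with subdomains of other entries removed."""
    domains = {d for d in (_canon(line) for line in lines) if d}
    kept: List[str] = []
    # Shortest first, so a parent is kept before its subdomains are considered
    for d in sorted(domains, key=lambda s: (len(s), s)):
        if any(d == p or d.endswith("." + p) for p in kept):
            continue                           # already covered by a parent entry
        kept.append(d)
    return sorted("." + d for d in kept)


# Constructed sample resembling a Shalla "domains" file (not a real list)
SAMPLE = """\
# category: adv (constructed sample)
ad.yieldmanager.com
yieldmanager.com
.Tracker.example
www.tracker.example
adserver.example/banner/
stats.example:8080
"""

if __name__ == "__main__":
    for entry in shalla_to_dstdomain(SAMPLE.splitlines()):
        print(entry)
```

Write the output to a file and point the dstdomain acl at it; dropping the parent-covered entries also avoids the overlap warnings Squid emits when it loads such a file.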
[squid-users] Defining BL's via acls
What kind of performance issues should I expect if I remove squidGuard and simply make a series of acl's pointing to shalla bl files directly then denying them with http_access deny statements? Given the size of the shalla lists, what would any seasoned squid admins expect as a scalability threshold on this approach? Thanks! jlc
RE: [squid-users] SquidGuard Replacement
>I'm using Squid3STABLE9 and SquidGuard 1.3 on three openSUSE10.3 boxes
>and tested the URL you gave us above
>without having any problems to access the TechNet site. So this must be
>something with your specific setup.
>What's the version of SG are you using ? Maybe you can post your problem
>to http://www.squidguard.org/mailinglist.html

Philipp,

I am using Squid3STABLE9 and SquidGuard 1.3-1.el5.rf on a couple of CentOS 5 boxes. My SquidGuard has only a local net defined with an acl blocking many shalla lists. My squid.conf is as follows:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all

icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all

http_port 3128
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
url_rewrite_program /usr/bin/squidGuard

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320

icp_port 3130
coredump_dir /var/spool/squid

Both of my servers are independent with identical configs and exhibit the same behavior, how does your config compare?

Thanks!
jlc
[squid-users] SquidGuard Replacement
When logging in to MS Technet, I get this:

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http:443

Unable to determine IP address from host name

The DNS server returned:
Name Error: The domain name does not exist.

This means that the cache was not able to resolve the hostname presented in the URL. Check if the address is correct.

Your cache administrator is root.

Generated Tue, 06 Jan 2009 19:12:01 GMT by dev.activenetwerx.int (squid/3.0.STABLE9)

What does http:443 mean? This is only a problem when squidGuard is enabled? The url that it tanked on is:

https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1231267843&rver=5.5.4177.0&wp=MCMBI&wlcxt=technet%24technet%24technet&wreply=https%3a%2f%2ftechnet.microsoft.com%2fen-ca%2fsubscriptions%2fmanage%2fbb980931.aspx&lc=1033&id=254354&cru=http%3a%2f%2ftechnet.microsoft.com%2fen-ca%2fsubscriptions%2fdefault.aspx

Why would it work without squidGuard? I am seeming to have a lot of problems with squidGuard, anyone got a reco on a replacement?

Thanks!
jlc
[squid-users] Configuration Change
When editing squid.conf, is it not sufficient to restart the squid service to enact changes, or does one always need to execute squid -k reconfigure as well?

Thanks!
jlc
RE: [squid-users] Handling websites that switch between http & https
>Amos,
>Still no luck, if it matters I am on the upstream packaged 2.6 stable 5
>from RH. If I moved that up to a more recent version do you think this
>issue might be handled better?

Before I even started this thread, I had removed the url_rewrite_program reference to squidguard as I assumed that was the issue and it never made a difference, but I must have done something wrong as I just double checked that testing squid-3.0.STABLE9-1.el5 versus squid-2.6.STABLE5-1.el5 and it is absolutely working when squidguard is disabled.

So sorry for the noise guys...

jlc
RE: [squid-users] Handling websites that switch between http & https
>You've just reminded me of the hotmail problems...
>
>Joseph:
> see if it disappears when you turn "balance_on_multiple_ip off". It
>still defaults to on in most Squid installs.

Amos,

Still no luck, if it matters I am on the upstream packaged 2.6 stable 5 from RH. If I moved that up to a more recent version do you think this issue might be handled better?

Thanks for all the help guys!
jlc
RE: [squid-users] Handling websites that switch between http & https
>You've just reminded me of the hotmail problems...
>
>Joseph:
> see if it disappears when you turn "balance_on_multiple_ip off". It
>still defaults to on in most Squid installs.

Amos,

I am on holidays w/o access to this system atm, but wouldn't this only matter if there was more than one public IP on the squid server? This server is multihomed w/ one internal and one external nic w/ only 1 public IP. I could walk someone onsite through this change if it still would make a difference.

Thanks everyone!
jlc
RE: [squid-users] Handling websites that switch between http & https
>Define 'connection'. I suspect what you think of as a connection is not
>related to HTTP connections.

Amos,

Appreciate your help here. The reason I theorized "connection" was because of what happens when an SSL session is started versus a simple HTTP session. This is all related to our users getting yahoo mail, the session toggles back and forth and I suspect that is what is causing them to be logged out of the mail interface when attempting to dl an attachment. I was thinking that had something to do with the proxy handling the http versus the proxy passing through https. Could I possibly tell squid to always do something with .yahoo.com such that a session, whether it be http or https from a server connection point of view, be the same?

Thanks!
jlc
[squid-users] Handling websites that switch between http & https
How does one deal with this scenario? It seems that when we encounter websites that toggle between http/s the connection is broken. I can see why this logically happens, but I am unable to work a solution for it? Anyone have experience with a scenario such as this? Thanks! jlc
[squid-users] Accessing attachments in yahoo mail
I had a transparent squid proxy setup and was having issues where yahoo attachments, after scanning and enabling the interface to download them, would logout a user when clicking the link. Thinking this had something to do with the switching back and forth from http/https and being transparent, I set up the clients with a proxy, removed the redirect firewall rule and set squid to not be transparent. The problem still exists though, and searching the net shows others with the same issues but I haven't found a solution yet.

Thanks!
jlc
RE: [squid-users] SSL EDI Site issues
>Add this before the line that requires auth:
>
>acl covisint dstdomain messaging.covisint.com
>http_access allow CONNECT localnet covisint
>
>Assuming that you have the localnet (local network ranges) and CONNECT
>acls defined already.

Much appreciated Amos, this worked perfectly!

jlc
[squid-users] SSL EDI Site issues
I am running squid-2.6.STABLE6-5.el5_1.3 on CentOS 5 with ntlm auth and all our mail and banking ssl sites are functioning except one site, messaging.covisint.com:443, that we do EDI with. I am getting:

192.168.0.146 TCP_DENIED/407 1859 CONNECT messaging.covisint.com:443 - NONE/- text/html

in the access.log. I am reading http://squid.sourceforge.net/ntlm/client_proxy_protocol.html and I assume this is more to do with how the client application was coded, possibly it is not smart enough to retry enough times? Is there something from within Squid I can do rather than bypass the site in ie's proxy settings (which allow this application to function), as client side direct access to the net will soon be removed? Maybe a rule for access to this url to not require auth and go straight to it?

Thanks,
jlc