[squid-users] carole lerouge

2010-03-20 Thread nairb rotsak
http://unicontac.com/david.html


  



Re: [squid-users] Terminal Server Users

2009-08-13 Thread nairb rotsak
I have a client that uses a TS farm as well.  If they are using AD and 
everything is working, you can:

1.  Create an AD group called limited-Inet
2.  Put the users you want to be restricted in that group
3.  Add this to your squid.conf

acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
# ... other rules and policies
acl ce external ntgroup squid-ce
acl ce_com dstdomain .realinfo.net .icccampus.org .iccsafe.org .realinfo2000.com
http_access allow ce ce_com
http_access deny ce

The users in the AD group squid-ce are allowed to go to the domains listed... 
denied to everything else.  That second to last line...
http_access allow ce ce_com
is an AND statement.  users in the 'ce' group (from the squid-ce AD group) 
AND in the ce_com list are allowed through.  If you have someone in the ce 
group, but trying to go to a different domain than listed, it will fail.


**  We also have a group that gets NO internet... we put users in this group 
and add this at the very beginning (after the REQUIRED statement)
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NOINTERNET external ntgroup no-internet



Works great for us.. good luck!




- Original Message 
From: Amos Jeffries 
To: 9 denis <9de...@gmail.com>
Cc: squid-users@squid-cache.org
Sent: Thursday, August 13, 2009 9:00:18 AM
Subject: Re: [squid-users] Terminal Server Users

9 denis wrote:
> Hi,
> 
> I am pretty new to Squid.  I am using Webmin to configure Squid.
> 
> We have Microsoft Windows 2003 Terminal Server on which 50 users login
> with their Active Directory ID.  I have configured Proxy settings for
> all the users using Internet.
> Now, we want to block certain websites for only some of the users, how
> can I do it?
> 
> Thanks in Advance.
> 
> Regards,
> Denis

http://wiki.squid-cache.org/SquidFaq

Amos
-- Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
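The http_access semantics described in the post above (the ACL names on one line are ANDed, lines are tried top to bottom and the first match wins, and when nothing matches Squid applies the opposite of the last rule's action) are worth checking against a model before a rule set goes into production. The Python below is an added example, not code from the post or from Squid: it evaluates a constructed policy assembled from the ACL lines quoted above. The user names, the AD group membership table standing in for wbinfo_group.pl, and the `http_access` lines after `deny ce` are assumptions; a request without proxy credentials is treated as a plain non-match, whereas real Squid answers it with a 407 challenge the moment a `proxy_auth` or `%LOGIN` external ACL is evaluated.

```python
"""Model of Squid's http_access evaluation (added example, not Squid's code).

Each http_access line is allow/deny followed by ACL names that are ANDed;
lines are tried top to bottom and the first match wins; if no line matches,
Squid applies the opposite of the last rule's action.  ACL types modelled:
src (CIDR), dstdomain (.suffix), proxy_auth REQUIRED, external (group
membership via a helper) and the built-in 'all'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed AD group membership standing in for what wbinfo_group.pl would
# report (an assumption for this example; the real helper queries winbind).
AD_GROUPS = {
    "alice": {"squid-ce"},
    "bob": {"no-internet"},
    "carol": set(),
}

# Constructed policy modelled on the configuration quoted in the post above.
CONFIG = """
acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NOINTERNET external ntgroup no-internet
acl ce external ntgroup squid-ce
acl ce_com dstdomain .realinfo.net .icccampus.org .iccsafe.org .realinfo2000.com
http_access deny NOINTERNET
http_access allow ce ce_com
http_access deny ce
http_access allow NTLMUsers
http_access deny all
"""


@dataclass
class Request:
    src: str                     # client IP address
    host: str                    # destination host name
    user: Optional[str] = None   # None = request carried no proxy credentials


def acl_matches(typ, vals, req):
    """One 'acl NAME typ vals...' line: True if the request matches it."""
    if typ == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in vals)
    if typ == "dstdomain":
        host = req.host.lower().rstrip(".")
        for v in (x.lower() for x in vals):
            # '.example.org' matches example.org and every subdomain of it,
            # but not 'notexample.org'; a bare name matches only itself.
            if v.startswith("."):
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:
                return True
        return False
    if typ == "proxy_auth":
        # REQUIRED matches any authenticated user.  Real Squid answers an
        # unauthenticated request with a 407 challenge here; in this model
        # the missing credentials are simply a non-match.
        return req.user is not None
    if typ == "external":
        # vals = [helper_name, group, ...]; the helper receives %LOGIN, so
        # in real Squid it forces authentication just like proxy_auth.
        wanted = set(vals[1:])
        return req.user is not None and bool(AD_GROUPS.get(req.user, set()) & wanted)
    raise ValueError(f"unsupported acl type {typ}")


def acl_true(name, acls, req):
    """Resolve an ACL name with optional '!' negation; repeated acl lines
    with the same name are ORed, as in Squid.  'all' is treated as built-in."""
    negate = name.startswith("!")
    if negate:
        name = name[1:]
    if name == "all":
        result = True
    else:
        result = any(acl_matches(t, v, req) for t, v in acls[name])
    return result != negate


def evaluate(config, req):
    """Return 'allow' or 'deny' for req under the http_access rules in config."""
    acls, rules = {}, []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
        # other directives (external_acl_type, auth_param, ...) play no part here
    last_action = None
    for action, names in rules:
        if all(acl_true(n, acls, req) for n in names):   # AND within one line
            return action
        last_action = action
    if last_action is None:
        return "deny"                                    # no http_access lines at all
    return "deny" if last_action == "allow" else "allow"  # opposite of the last rule


if __name__ == "__main__":
    for req in (Request("192.168.1.10", "www.iccsafe.org", "alice"),
                Request("192.168.1.10", "www.example.com", "alice"),
                Request("192.168.1.10", "www.iccsafe.org", "bob"),
                Request("192.168.1.10", "www.example.com", "carol"),
                Request("192.168.1.10", "www.example.com")):
        print(req.user, req.host, "->", evaluate(CONFIG, req))
```

The last two branches of `evaluate()` are the ones to keep in mind when editing squid.conf: a rule list that ends in an `allow` silently denies everything it did not match, and one that ends in a `deny` silently allows it, which is why a final explicit `http_access deny all` is the conventional closing line.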



  



Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

2008-11-01 Thread nairb rotsak
If there is anything else I can post, please let me know.. I never even knew 
this was an issue..  The one client I started with a couple of years ago loves 
it, but they never would have let me go forward if some people had to log in 
and other didn't (half the users are on a TS farm.. and they all get IE).. so I 
can see how this would be an issue.



- Original Message 
From: Chris Nighswonger <[EMAIL PROTECTED]>
To: Amos Jeffries <[EMAIL PROTECTED]>
Cc: nairb rotsak <[EMAIL PROTECTED]>; matlor <[EMAIL PROTECTED]>; 
squid-users@squid-cache.org
Sent: Saturday, November 1, 2008 4:47:24 PM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

On Sat, Nov 1, 2008 at 12:37 AM, Amos Jeffries <[EMAIL PROTECTED]> wrote:
> Um, I'm not so sure the people having trouble are using the right helper.
>
> There is a thing calling itself 'ntlm_auth' bundled with squid 3.0 and
> Squid-2 releases that is incapable of doing full NTLM for modern windows
> domains.
>
> There is also something calling itself 'ntlm_auth' bundled with Samba, which
> provides full working NTLM functionality.
>
> We have fixed this mixup in 3.1, but please check the helper you are using.
> Please prefer to use the one by Samba.

We're using the Samba flavor. To be exact

[EMAIL PROTECTED] ~]# /usr/bin/ntlm_auth -V
Version 3.0.23c-2

>
> IE7 is more advanced than the ealier IE and seems to be actually capable of
> proper negotiate auth. But can be expected fail with the limits imposed by
> Squid's 'ntlm_auth' thing.

The issues we are having are with FF (see Mozilla bug referenced
earlier in this thread). IE7 works fine on computers which are domain
members.

I'd still love to know what Nairb's config has that makes it work.

Regards,
Chris

>> - Original Message 
>> From: matlor <[EMAIL PROTECTED]>
>> To: squid-users@squid-cache.org
>> Sent: Thursday, October 30, 2008 9:15:55 AM
>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>>
>>
>> I have tried your configuration... but I have the same problem.
>> squid version is 3.0.5
>>
>> in attachment there is one of my tested squid.conf.
>> only IE7 is working properly
>>
>> thanks in advance
>>
>>
>>
>>
>> nairb rotsak wrote:
>>>
>>> Always forget to hit the 'reply to all' instead of the 'reply'.. sorry..
>>> below is what I sent Chris:
>>>
>>> Below is for w2k3 AD and Ubuntu 6.06.1:
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 15
>>> auth_param ntlm max_challenge_reuses 0
>>> auth_param ntlm max_challenge_lifetime 2 minutes
>>> #auth_param ntlm use_ntlm_negotiate off
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic
>>> auth_param basic children 5
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>> auth_param basic casesensitive off
>>> acl NTLMUsers proxy_auth REQUIRED
>>> acl our_networks src 192.168.0.0/16
>>> http_access allow all NTLMUsers
>>> http_access allow our_networks
>>>
>>> Here is our current setup (w2k8 and Ubuntu 8.04.1):
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 15
>>> auth_param ntlm keep_alive on
>>> acl our_networks src 192.168.0.0/16
>>> acl NTLMUsers proxy_auth REQUIRED
>>> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
>>> acl NOINTERNET external ntgroup no-internet
>>> http_access deny NOINTERNET
>>> http_access allow all NTLMUsers
>>> http_access allow our_networks
>>> http_access allow localhost
>>>
>>>
>>> We have a group policy for the IE browser, but with Firefox, we have to set
>>> it manually.  Once it is set, there is no prompt... I use SARG to get
>>> the results.. Been doing it for almost three years.. I would get
>>> evangelical on people using iPrism/Barracuda/Websense.. but now I
>>> figure I will just let them spend the money.. ;-)
>>>
>>>
>>> - Original Message 
>>> From: Chris Nighswonger <[EMAIL PROTECTED]>
>>> To: nairb rotsak <[EMAIL PROTECTED]>
>>> Cc: matlor <[EMAIL PROTECTED]>; squid-users@squid-cache.org
>>> Sent: Wednesday, October 29, 2008 9:31:32 AM
>>> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DI

Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

2008-10-30 Thread nairb rotsak
I am actually flabbergasted at all the people saying this doesn't work.  I 
haven't tried Squid 3 yet.. so I can't comment on it.  The squid that comes 
with Ubuntu (6.06) is squid 2.5 (I think) the one with 8.04 is squid 2.6 
(again, just going from what I remember.. I am not at that client today).  I 
never compiled anything (just apt-get install squid).. and I never set anything 
in FF about:config (although I would like to try that one)

When I am at this client on my linux desktop, I have to put my credentials into 
FF, but when I am on a pc that is joined to the domain, I just open FF and go 
about my business.  As a matter of fact, I block a bunch of extensions.. and 
sometimes I would forget I was going through it, until I tried to download 
something.  I would go into firefox, change the proxy setting, get the file, 
then put the proxy setting back.  THEN I would have to authenticate.. unless I 
shut the browser down after changing the proxy back.

I am by no means an expert, but I have set 10 or so customers up the exact same 
way over the last 2 or 3 years..  I know it is catching them, because it blocks 
files and I use SARG to report their activities.. 

But now I am spooked (I just moved this customer into a new building.. and it 
is all W2k8 servers), so I am installing FF onto my new servers over there and 
pointing FF at our new proxy.  Just to make sure.. 



- Original Message 
From: matlor <[EMAIL PROTECTED]>
To: squid-users@squid-cache.org
Sent: Thursday, October 30, 2008 9:15:55 AM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY


I have tried your configuration... but I have the same problem.
squid version is 3.0.5

in attachment there is one of my tested squid.conf.
only IE7 is working properly

thanks in advance




nairb rotsak wrote:
> 
> Always forget to hit the 'reply to all' instead of the 'reply'.. sorry..
> below is what I sent Chris:
> 
> Below is for w2k3 AD and Ubuntu 6.06.1:
> 
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp 
> auth_param ntlm children 15
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> #auth_param ntlm use_ntlm_negotiate off
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl NTLMUsers proxy_auth REQUIRED
> acl our_networks src 192.168.0.0/16
> http_access allow all NTLMUsers
> http_access allow our_networks
> 
> Here is our current setup (w2k8 and Ubuntu 8.04.1):
> 
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp 
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
> acl our_networks src 192.168.0.0/16
> acl NTLMUsers proxy_auth REQUIRED
> external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
> acl NOINTERNET external ntgroup no-internet
> http_access deny NOINTERNET
> http_access allow all NTLMUsers
> http_access allow our_networks
> http_access allow localhost
> 
> 
> We have a group policy for the IE browser, but with Firefox, we have to set
> it manually.  Once it is set, there is no prompt... I use SARG to get
> the results.. Been doing it for almost three years.. I would get
> evangelical on people using iPrism/Barracuda/Websense.. but now I
> figure I will just let them spend the money.. ;-)
> 
> 
> - Original Message 
> From: Chris Nighswonger <[EMAIL PROTECTED]>
> To: nairb rotsak <[EMAIL PROTECTED]>
> Cc: matlor <[EMAIL PROTECTED]>; squid-users@squid-cache.org
> Sent: Wednesday, October 29, 2008 9:31:32 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
> 
> On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <[EMAIL PROTECTED]> wrote:
>> I am totally confused by this statement?.. as I have 300 people using
>> firefox right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single
>> one gets a user/pass prompt?  I am not using it as a transparent proxy,
>> it is listed in firefox under proxy settings (8080 because it goes to DG
>> first.. but I have tested just Squid at 3128 and it works as well).. and
>> I haven't touched anything else in firefox
> 
> 
> I'd be very interested in knowing what is different about your setup.
> I have fought this problem for several years now.
> 
> 
>>
>>
>>
>> - Original Message 
>> From: Chris Nighswonger <[EMAIL PROTECTED]>
>> To: matlor <[EMAIL PROTECTED]>
>> Cc: squid-users@squid-cache.org
>> Sent: Wednesday, October 29, 2008 8:48:39 AM
>> Subject: Re: [squid-user

Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

2008-10-29 Thread nairb rotsak
Always forget to hit the 'reply to all' instead of the 'reply'.. sorry.. below 
is what I sent Chris:

Below is for w2k3 AD and Ubuntu 6.06.1:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl NTLMUsers proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16
http_access allow all NTLMUsers
http_access allow our_networks

Here is our current setup (w2k8 and Ubuntu 8.04.1):

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 
auth_param ntlm children 15
auth_param ntlm keep_alive on
acl our_networks src 192.168.0.0/16
acl NTLMUsers proxy_auth REQUIRED
external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo_group.pl
acl NOINTERNET external ntgroup no-internet
http_access deny NOINTERNET
http_access allow all NTLMUsers
http_access allow our_networks
http_access allow localhost


We have a group policy for the IE browser, but with Firefox, we have to set
it manually.  Once it is set, there is no prompt... I use SARG to get
the results.. Been doing it for almost three years.. I would get
evangelical on people using iPrism/Barracuda/Websense.. but now I
figure I will just let them spend the money.. ;-)


- Original Message 
From: Chris Nighswonger <[EMAIL PROTECTED]>
To: nairb rotsak <[EMAIL PROTECTED]>
Cc: matlor <[EMAIL PROTECTED]>; squid-users@squid-cache.org
Sent: Wednesday, October 29, 2008 9:31:32 AM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

On Wed, Oct 29, 2008 at 10:23 AM, nairb rotsak <[EMAIL PROTECTED]> wrote:
> I am totally confused by this statement?.. as I have 300 people using firefox 
> right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a 
> user/pass prompt?  I am not using it as a transparent proxy, it is listed in 
> firefox under proxy settings (8080 because it goes to DG first.. but I have 
> tested just Squid at 3128 and it works as well).. and I haven't touched 
> anything else in firefox


I'd be very interested in knowing what is different about your setup.
I have fought this problem for several years now.


>
>
>
> - Original Message 
> From: Chris Nighswonger <[EMAIL PROTECTED]>
> To: matlor <[EMAIL PROTECTED]>
> Cc: squid-users@squid-cache.org
> Sent: Wednesday, October 29, 2008 8:48:39 AM
> Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY
>
> On Tue, Oct 28, 2008 at 6:18 AM, matlor <[EMAIL PROTECTED]> wrote:
>>
>> I have configured squid with winbind integrated in the active directory of a
>> windows 2003 domain.
>> If I browse internet trough IE 7 everething is ok, no user and password
>> prompted, because of the common login. While, if I open Firefox (2 or 3
>> version), it prompts for user and password.
>
> One other note: While FF does support NTLM, it does not do transparent
> auth as IE does. Hence the prompting for username/password.
> Furthermore, due to M$ having a broken implementation of NTLM, FF will
> at times repeatedly prompt ad infinitum. There is an open bug on this
> at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but
> action on it is understandably slow. You can mess with FF's NTLM
> related settings under 'about:config' to gain some respite. You can
> also run a basic auth that authenticates against NTLM which for some
> reason seems to avoid the multi-prompt issue. Something like:
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 2
> auth_param basic realm somerealm
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> Regards,
> Chris
>
>
>
>
>



  


Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

2008-10-29 Thread nairb rotsak
I am totally confused by this statement?.. as I have 300 people using firefox 
right now.. using Ubuntu 6.06, Samba3, Squid2.. and not a single one gets a 
user/pass prompt?  I am not using it as a transparent proxy, it is listed in 
firefox under proxy settings (8080 because it goes to DG first.. but I have 
tested just Squid at 3128 and it works as well).. and I haven't touched 
anything else in firefox.



- Original Message 
From: Chris Nighswonger <[EMAIL PROTECTED]>
To: matlor <[EMAIL PROTECTED]>
Cc: squid-users@squid-cache.org
Sent: Wednesday, October 29, 2008 8:48:39 AM
Subject: Re: [squid-users] SQUID + FIREFOX + ACTIVE DIRECTORY

On Tue, Oct 28, 2008 at 6:18 AM, matlor <[EMAIL PROTECTED]> wrote:
>
> I have configured squid with winbind integrated in the active directory of a
> windows 2003 domain.
> If I browse internet trough IE 7 everething is ok, no user and password
> prompted, because of the common login. While, if I open Firefox (2 or 3
> version), it prompts for user and password.

One other note: While FF does support NTLM, it does not do transparent
auth as IE does. Hence the prompting for username/password.
Furthermore, due to M$ having a broken implementation of NTLM, FF will
at times repeatedly prompt ad infinitum. There is an open bug on this
at Mozilla, (https://bugzilla.mozilla.org/show_bug.cgi?id=318253) but
action on it is understandably slow. You can mess with FF's NTLM
related settings under 'about:config' to gain some respite. You can
also run a basic auth that authenticates against NTLM which for some
reason seems to avoid the multi-prompt issue. Something like:

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm somerealm
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

Regards,
Chris



  


Re: [squid-users] if this is posted somewhere.. please tell me where to go... AD groups

2008-08-24 Thread nairb rotsak
Chris, this works great!  One note to anyone trying it... if you have 'winbind 
separator = \' in your smb.conf, this works.. but it does matter.  I banged my 
head on this for about 15 minutes and then changed my auth_param line to read 
--require-membership-of="our_ad_domain+proxyusers_group".. because my winbind 
line is 'winbind separator = +'

Works great Chris, thanks again!



- Original Message 
From: chris brain <[EMAIL PROTECTED]>
To: squid-users@squid-cache.org
Sent: Thursday, August 21, 2008 10:26:15 PM
Subject: Re: [squid-users] if this is posted somewhere.. please tell me where 
to go... AD groups

Hi From my experience with NTLM and AD this is the best way we found to 
implement group membership :

ntlm_auth already has a mechanism to provide this its just that the doco is 
difficult to follow.

squid.conf :

auth_param basic program 
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic 
--require-membership-of="our_ad_domain\\proxyusers_group"

auth_param ntlm program 
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 
--require-membership-of="our_ad_domain\\proxyusers_group"

where our_ad_domain = the AD domain
where proxyusers_group = the group of users allowed to access the proxy

We found that \\ and " must be included for this to work correctly.

Thanks Chris 




West Australian Newspapers Group

 
Privacy and Confidentiality Notice

The information contained herein and any attachments are intended solely for 
the named recipients. It may contain privileged confidential information.  If 
you are not an intended recipient, please delete the message and any 
attachments then notify the sender. Any use or disclosure of the contents of 
either is unauthorised and may be unlawful. Any liability for viruses is 
excluded to the fullest extent permitted by law.

Advertising Terms & Conditions
Please refer to the current rate card for advertising terms and conditions.  
The rate card is available on request or via www.thewest.com.au

Unsubscribe
If you do not wish to receive emails such as this in future please reply to it 
with "unsubscribe" in the subject line.


  


Re: [squid-users] if this is posted somewhere.. please tell me where to go... AD groups

2008-08-21 Thread nairb rotsak
Fantastic!  I will try this in the morning!  Thanks Chris!  This is exactly 
what I was looking for!



- Original Message 
From: chris brain <[EMAIL PROTECTED]>
To: squid-users@squid-cache.org
Sent: Thursday, August 21, 2008 10:26:15 PM
Subject: Re: [squid-users] if this is posted somewhere.. please tell me where 
to go... AD groups

Hi From my experience with NTLM and AD this is the best way we found to 
implement group membership :

ntlm_auth already has a mechanism to provide this its just that the doco is 
difficult to follow.

squid.conf :

auth_param basic program 
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic 
--require-membership-of="our_ad_domain\\proxyusers_group"

auth_param ntlm program 
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 
--require-membership-of="our_ad_domain\\proxyusers_group"

where our_ad_domain = the AD domain
where proxyusers_group = the group of users allowed to access the proxy

We found that \\ and " must be included for this to work correctly.

Thanks Chris 






  


Re: [squid-users] if this is posted somewhere.. please tell me where to go... AD groups

2008-08-21 Thread nairb rotsak
Sorry Henrik, think I just sent this reply back to you.. not the whole group.. 

Great.. thanks,

Just to clarify, to use wbinfo_group.pl, I need to:
1.  Add Domain Local group to Active Directory called Internet-Allowed (name 
not important)
2.  Add 'external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl' to 
squid.conf
3.  Add 'acl Internet-Allowed external ADS Internet-Allowed' to squid.conf
4.  Add 'http_access allow Internet-Allowed all'

That is what I am able to piece together from Google.. 

Two questions.  In doing this before for other clients, I have used
DansGuardian and used filter groups.  This customer doesn't want to
filter, they just want to allow or deny access.  I was pretty sure
Squid could do this and that is why I am trying to figure out the
wbinfo_group stuff.  In the past, I have messed up where to put the
acl's (in which order) and the http_access (again, in which order). 
Any advice on where these would go (or where they HAVE to go)?

Second question.. does this mean anyone not in this group will not have
Internet.. or do I have to do a deny acl/http_access combo?

Thanks for clearing this up... 




- Original Message 
From: Henrik Nordstrom <[EMAIL PROTECTED]>
To: nairb rotsak <[EMAIL PROTECTED]>
Cc: squid-users@squid-cache.org
Sent: Wednesday, August 20, 2008 5:44:48 PM
Subject: Re: [squid-users] if this is posted somewhere.. please tell me where 
to go... AD groups

On ons, 2008-08-20 at 08:39 -0700, nairb rotsak wrote:
> The 2nd one is what I pretty much used to get this far... 
> 
> I just don't know how to tie it all together.. and I have looked at the 
> wbinfo_group.pl.. but not sure if I need to go that far??

far?

wbinfo_group.pl is the easiest way to get group lookups if you have
already done NTLM via Samba..

Regards
Henrik
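The wbinfo_group.pl step in the list above works because Squid's external ACL interface is a line-oriented protocol: for `external_acl_type ADS %LOGIN /usr/lib/squid/wbinfo_group.pl` and `acl Internet-Allowed external ADS Internet-Allowed`, Squid writes `<login> Internet-Allowed` to the helper's stdin and reads `OK` or `ERR` back, and the ACL matches only on `OK`. The script below is an added example in that protocol, not the wbinfo_group.pl shipped with Squid. Its group membership table is constructed so that it runs offline (a real helper asks winbind), and it strips a `DOMAIN\` or `DOMAIN+` prefix so that the `winbind separator` chosen in smb.conf, the setting that bit the earlier reply about `--require-membership-of`, does not change the result.

```python
"""Minimal Squid external_acl helper for AD group checks (added example, not
the wbinfo_group.pl shipped with Squid).

Protocol for 'external_acl_type NAME %LOGIN /path/helper' together with
'acl X external NAME group1 [group2 ...]': Squid writes one request per
line, "<login> <group1> [<group2> ...]\n", and expects "OK\n" or "ERR\n"
in reply, in order, one reply per request.
"""
import sys
from urllib.parse import unquote

# Constructed group membership (an assumption for this example; the real
# helper queries winbind for the user's groups).
GROUPS = {
    "bob": {"no-internet"},
    "alice": {"squid-ce", "domain users"},
}

# Characters winbind may put between DOMAIN and the user/group name,
# depending on 'winbind separator' in smb.conf.
SEPARATORS = "\\+/"


def strip_domain(name):
    """'CORP\\alice' or 'CORP+alice' -> 'alice'; names without a domain pass through."""
    for sep in SEPARATORS:
        if sep in name:
            return name.split(sep, 1)[1]
    return name


def normalize(name):
    # Squid URL-escapes the fields it puts on the helper line (quote=url is
    # the default), so decode first; then drop the domain and fold case,
    # since AD names are case-insensitive.
    return strip_domain(unquote(name)).lower()


def lookup_groups(user):
    """Group names the user belongs to, lower-cased."""
    return {g.lower() for g in GROUPS.get(user, set())}


def check_line(line, lookup=lookup_groups):
    """Answer one request line: 'OK' if the user is in any of the listed groups."""
    parts = line.strip().split()
    if len(parts) < 2:
        return "ERR"          # malformed: no login or no groups to test against
    user = normalize(parts[0])
    wanted = {normalize(g) for g in parts[1:]}
    return "OK" if lookup(user) & wanted else "ERR"


def main():
    # One reply per request, flushed immediately: Squid blocks on each answer.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Dropping the domain is convenient in a single-domain setup but loses information in a forest with trusted domains, where two domains can each have a group of the same short name; there, compare the full `DOMAIN\group` string instead. The loop also assumes the default non-concurrent helper protocol: with `concurrency=N` on the `external_acl_type` line, every request is prefixed with a channel number that the reply must echo back.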



  


[squid-users] if this is posted somewhere.. please tell me where to go... AD groups

2008-08-20 Thread nairb rotsak
Hello all,

I have squid 2.5STABLE12 running on an Ubuntu 6.06 box.  I have it joined to an 
AD domain and it works great.  

I want to add a group in AD that allows Inet use.  If they aren't in that 
group, they can't get out.  I would like it to stay seamless.. no login box.  
This is not a transparent setup.

I have seen this:

http://wiki.squid-cache.org/ConfigExamples/SquidAndLDAP
and this:
http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM

The 2nd one is what I pretty much used to get this far... 

I just don't know how to tie it all together.. and I have looked at the 
wbinfo_group.pl.. but not sure if I need to go that far??

Again, if this is covered somewhere, sorry.. I have looked (obviously at the 
wiki.. but also on Google)

Thanks to all



  


Re: [squid-users] NTLM-transparent?

2008-06-29 Thread nairb rotsak
Ok... now I am confused.  I haven't set it up in a test environment, but 
apparently I will have to.

Henrik, is it because I am using DG?  I just could swear I read somewhere that 
NTLM using a transparent proxy doesn't work?



- Original Message 
From: Nick Duda <[EMAIL PROTECTED]>
To: Henrik Nordstrom <[EMAIL PROTECTED]>; nairb rotsak <[EMAIL PROTECTED]>
Cc: "squid-users@squid-cache.org" 
Sent: Sunday, June 29, 2008 6:01:53 PM
Subject: RE: [squid-users] NTLM-transparent?

We do NTLM auth with squid setup transparently. We get all the names and IP's 
in the logs and it works great, no issues (Stable) in a 400 person call center 
that bangs away on an internal web application very heavily. We use SmartFilter 
and Squid to achieve this.

- Nick


From: Henrik Nordstrom [EMAIL PROTECTED]
Sent: Sunday, June 29, 2008 5:57 PM
To: nairb rotsak
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] NTLM-transparent?

On sön, 2008-06-29 at 08:48 -0700, nairb rotsak wrote:


> I am used to running Squid/Dansguardian/Samba with ntlm auth.  But I
> have always used it as a stand-alone proxy.. never at the gateway.  I
> do it this way because I was always told that the usernames will not
> show up in logs (ntlm's fault.. not Squid) when Squid is in
> transparent mode.

True..

> Is this still true?  How the heck does the iPrism do it? ;-)

They may have hacked Squid to allow NTLM WWW authentication (not proxy
authentication) in transparent interception mode. Highly unstandard, and
only works for the non-standard connection oriented auth schemes
(NTLM/Negotiate/Kerberos).

Another possibility is that they use an IP session cache, redirecting
the user to "the gateway webserver" for authentication if no already
established session, and link this to Squid via external_acl_type
providing the username of the session based on the client IP. Have done
this myself in another product (also squid based), and requires some
additional software to keep track of the sessions.

Regards
Henrik





[squid-users] NTLM-transparent?

2008-06-29 Thread nairb rotsak
Hello all,

I am replacing a St. Bernard iPrism.  I know it runs squid (the client got 
tired of paying for it and once I told them it just runs squid anyway, they 
jumped at the chance for a little more control).

I am used to running Squid/Dansguardian/Samba with ntlm auth.  But I have 
always used it as a stand-alone proxy.. never at the gateway.  I do it this way 
because I was always told that the usernames will not show up in logs (ntlm's 
fault.. not Squid) when Squid is in transparent mode.

Is this still true?  How the heck does the iPrism do it? ;-)

Thanks to everyone for all the work on this project.  Every client I walk into 
has the same complaint and I quickly fix it with Squid and DG!

bk



  


[squid-users] no access.log

2008-03-31 Thread nairb rotsak
Hello all,

I have a squid installation running on Ubuntu 7.04.  That version of squid is 
2.6.5.  I have ntlm-help and am using it with Dansguardian.  It all works, but 
when someone complained of being blocked by something they should not have, I 
naturally went to /var/log/squid/access.log.  Only to find out it wasn't 
there??  I can't find another squid access.log anywhere else on the box (I 
built it remotely, but the guy there says he didn't do anything).

I have recreated the access.log file with the same permissions and ownership as 
the rest of the files in the /var/log/squid directory.  Since the 'dpkg -L 
squid' doesn't show access.log as one of the files packaged with the package 
itself, I am assuming that squid creates this file itself.

Since this guy is trying to use SARG to get a record of where everyone is 
going.. this isn't going well.

Any clues on where to start to get this back.  I guess I can apt-get remove 
squid, purge it, then re-install.  But I wanted to see if anyone else had ever 
seen this.

thanks,

bk




  



[squid-users] block on browser type?

2007-09-24 Thread nairb rotsak
Hello all,

I searched and couldn't find a way to do this.  We are trying to block IE 7.  
We have citrix farms set up with IE 6, Squid and Dansguardian.  There are a few 
rogue people (think political here.. we can just lock down anything not coming 
from the Squid box) that believe they are fairly technical.  They hold 
positions which allow them to demand 'software installability'.  So they decide 
from time to time to upgrade to IE 7 and it is just a disaster.  But we would 
find out a lot sooner if they lost internet when they did it.

I have just started to use req_mime_type for applications.. so I thought there 
might be some specific way of getting this to recognize IE 7.

thanks,

ipguru99




  



[squid-users] yahoo and hotmail not going through squid after authenticate?

2006-12-06 Thread nairb rotsak
Thanks to this group, we have our new server (not the test pc we have
been testing with) up and running with Squid/Samba/DG.  Proof to anyone
that after 100 times of building it, it can be done in an hour!  We
even have groups working with the dansguardianfX.conf files!  What a
great thing to hand someone a winterm and say, "Here.. oh and by the
way, you can get to these 7 sites and that is it."  I have read this
list the whole time and all of the advice is fantastic!

Our next goal is to use our firewall to block all outbound port 80 traffic
except for our servers (and a couple other things).  This works great
in our test except for a couple of sites... Yahoo mail (as well as Hot
mail) being the biggest one.  I have sniffed the attempts, and it seems
that someone going through the squid to yahoo email goes through,
gets authenticated to AD, but then they go out to the internet without
going through the squid/dg box?  It is pretty obvious while capturing
traffic on the laptop that after it goes through squid, it goes straight
out to the internet... and the laptop I am testing on works just fine
when we remove the block on the firewall.  

To get around this, I have tried to put in the squid acl's that if a user
is going to the yahoo domain, they don't need to be authenticated.. but
that doesn't seem to help.  I was going to use rules on the firewall to
allow anyone going to yahoo or hotmail, but yahoo alone has most of the
68.142.x.x/22 and I haven't even started getting the hotmail stuff
together.  

I am going to post a similar question on the dg list, but I figured dg and 
squid go hand in hand for most people.

Thanks again to everyone for help in getting us this far!



 



[squid-users] yahoo mail, squid, ie, firefox and ntlm

2006-03-10 Thread nairb rotsak
Finally figured this one out and wanted to share...

We block all outbound 80 traffic not coming from squid
(and the server vlan.. ok, and the admin vlan ;-)
when you type in mail.yahoo.com, you actually get
redirected to login.yahoo.akadns.net.  Going through
squid w/ntlm, this works just fine on firefox.  With
IE, it doesn't work.  We have to allow port 80 traffic
to akadns.net subnets on our pix.  I have ethereal
traces and they are actually different from firefox to
IE.  

We even have all yahoo.com and akadns.net as
dstdomains.. and before the http_access for the
NTLM... still doesn't work with IE.  The minute we
take the port 80 outbound block off our pix, it works
just fine.  




acl yahoo_mail dstdomain .yahoo.com
acl akadns_net dstdomain .akadns.net
acl NTLMUsers proxy_auth REQUIRED
acl our_networks src 192.168.0.0/16

http_access allow yahoo_mail
http_access allow akadns_net
http_access allow all NTLMUsers
http_access allow our_networks
http_access allow localhost



Just thought I would share our frustrations...

__
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 



[squid-users] ntlm, firefox & IE

2006-03-08 Thread nairb rotsak
Using AD to push a group policy forcing users to use
squid.  We had to put *.yahoo.com in the 'don't go to
the proxy' window because of all kinds of issues. 
Some other sites, too.  This worked for about a week. 
Now, IE users are starting to not be able to get to
mail.yahoo.com again??  

This might be an IE issue, but I figured this forum
would be a good place to start.

I can be on a client pc and go to mail.yahoo.com, with
IE, nothing shows up in access.log.  I wouldn't expect
it to be blank, because we have it as one of the sites
to not use the proxy.  It immediately goes to a 'page
cannot be found'.  I can open up firefox on same pc,
and it works just fine (with squid setup as proxy)???

IE works just fine when I don't have the pc pointing
at squid

I don't have any access.log to send, because it
doesn't hit the log... which to me means it isn't
squid... but the minute I take IE and don't point it
at squid, it works just fine?

I finally got ntlm working and these guys love this,
but it is stuff like this (that I can't explain), that
wears on the IT mgr.

Any help or suggestions appreciated.  We don't have to
log these sites, cache it... anything.. we just want
them to pass right through...

Thanks!



Re: [squid-users] no auth for one domain?

2006-02-24 Thread nairb rotsak
We ended up using AD Group policy to not go through
the proxy for that site... not ideal, but just to make
sure I understand the other way to do it

You can put the http_access with the acl before the
http_access allow_ntlm and it should work?

--- Mark Elsen <[EMAIL PROTECTED]> wrote:

> > Is it possible to have my ntlm users go around 1
> > domain?  We can't seem to get a state web site
> (which
> > uses a weird front end to its client... but it
> ends
> > up on the web) to go through the proxy.  When we
> sniff
> > the traffic locally, it is popping up a 407, but
> there
> > isn't any way to log in.
> >
> > I tried to put an acl and http_access higher in
> the
> > list in the .conf, but that didn't seem to matter?
> >
> 
> It would have been more productive to show that 
> line, which you put
> for that domain in squid.conf, offhand & probably it
> should
> resemble something like this :
> 
> acl ntlm_go_around dstdomain name-excluded-domain
> ...
> 
> http_access allow ntlm_go_around
> http_access allow ntlm_users (provided proxy
> AUTH ACL is named 'ntlm_users')
> 
> M.
> 


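To make the ordering point in the reply above concrete, here is a small Python model of how Squid evaluates http_access lines (an added example, not Squid's own code or anything from the thread). It assumes simplified semantics: lines are tried in order, every ACL on a line must match, and a proxy_auth ACL that is last on its line with no credentials to check produces a 407 challenge; the ACL names and the excluded domain are constructed placeholders, and the dstdomain leading-dot rule goes slightly beyond what the reply itself discusses.

```python
import ipaddress

ALLOW, DENY, CHALLENGE = "allow", "deny", "challenge"

# Hypothetical ACL table (name -> (type, value)); domain and network are placeholders
ACLS = {
    "ntlm_go_around": ("dstdomain", ".state.il.us"),
    "ntlm_exact":     ("dstdomain", "state.il.us"),   # no leading dot: exact host only
    "ntlm_users":     ("proxy_auth", "REQUIRED"),
    "our_networks":   ("src", "192.168.0.0/16"),
    "all":            ("src", "0.0.0.0/0"),
}

def acl_matches(name, req):
    """True/False, or None when a proxy_auth ACL has no credentials to check."""
    kind, value = ACLS[name]
    if kind == "dstdomain":
        host = req["host"].lower()
        # ".x.y" matches x.y and every host under it; "x.y" matches only x.y
        if value.startswith("."):
            return host == value[1:] or host.endswith(value)
        return host == value
    if kind == "src":
        return ipaddress.ip_address(req["src"]) in ipaddress.ip_network(value)
    if kind == "proxy_auth":
        # credentials present are taken as valid here; real Squid would verify them
        return True if req.get("user") else None
    raise ValueError(f"unknown acl type {kind}")

def http_access(rules, req):
    """Evaluate (action, [acl, ...]) lines in squid.conf order; the first line whose
    ACLs all match decides. proxy_auth last on a line with no credentials -> 407."""
    for action, acls in rules:
        for i, name in enumerate(acls):
            r = acl_matches(name, req)
            if r is None:
                if i == len(acls) - 1:
                    return CHALLENGE
                r = False
            if not r:
                break
        else:
            return action
    return DENY  # assume an explicit final "deny all"

# Bypass line placed before the auth line, as the reply suggests
GOOD = [(ALLOW, ["ntlm_go_around"]), (ALLOW, ["ntlm_users"]), (DENY, ["all"])]
# The same two lines in the opposite order: the auth line is hit first
BAD = [(ALLOW, ["ntlm_users"]), (ALLOW, ["ntlm_go_around"]), (DENY, ["all"])]

# Constructed request from a client that sent no Proxy-Authorization header
NOAUTH = {"src": "192.168.5.20", "host": "leads2000.isp.state.il.us"}
```

With GOOD the excluded host is allowed without a challenge, while BAD challenges it because the proxy_auth line is evaluated first.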


[squid-users] no auth for one domain?

2006-02-23 Thread nairb rotsak
Is it possible to have my ntlm users go around 1
domain?  We can't seem to get a state web site (which
uses a weird front end to its client... but it ends
up on the web) to go through the proxy.  When we sniff
the traffic locally, it is popping up a 407, but there
isn't any way to log in.

I tried to put an acl and http_access higher in the
list in the .conf, but that didn't seem to matter?

I got that idea because after reading the FAQ, it
sounded like that is how you do it?

Thanks!



[squid-users] certain port should go direct

2006-01-13 Thread nairb rotsak
I have an issue where a certain app is talking on a
port that apparently doesn't like squid (State of
Illinois app... so I won't say anything more about the
app ;-)

I have the following in my squid.conf.. but it doesn't
seem to work.  I have another one just like it.. and
it works fine??

Here is my conf:

acl leads2000 dstdomain il.us

always_direct allow leads2000

Here is the one that works already??

acl hud-login dstdomain hud.gov

always_direct allow hud-login

I can see in our firewall that the query is coming
from squid.. and here is what access.log says:

1137203772.820129 127.0.0.1 TCP_MISS/200 8191 POST http://leads2000.isp.state.il.us:3930/THSALOGI.HSA - DIRECT/10.32.122.31 TEXT/HTML


??  Anything I am missing?

Thanks all...



[squid-users] 4th time a charm?

2005-12-05 Thread nairb rotsak
I have followed this to a "T".  I can
authenticate just fine with samba stuff.. all getent
stuff.. all wbinfo stuff.  But I still get 407's in my
squid access.log (I am getting a prompt for
username/password).  No username and password combo
works.  Is there anywhere else I can check to see
where this is failing?



__ 
Start your day with Yahoo! - Make it your home page! 
http://www.yahoo.com/r/hs


[squid-users] ./ntlm-auth works, but not with helper protocol

2005-11-21 Thread nairb rotsak
So I started over after making my customer happy with
squid and DG, but they want to log names (Terminal
Server environment).  I have setup all of the samba
stuff and it all works.  I have set up the
authentication part of squid and it doesn't.  If I
use:
 ./ntlm-auth --username=test1, it asks for a password
and it works.  When I use:
 ./ntlm-auth --helper-protocol=squid-2.5-basic
--username=test1, it just spits out ERR

I have done this several times and I am not getting
something??  I have all of the wbinfo -g, -u and -t
checked and working.  From the box I can log into
shares with smbclient.  From the w2k3 server I can log
in as administrator and then go to network
neighborhood, see the samba server and click on it and
get to the 'dropzone' share.. all without being
prompted for a password.  So I know samba and the w2k3
server are seeing each other and communicating..??

Any ideas where I can start to see an error or
anything?

thanks,
bk




__ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com


[squid-users] all wbinfo stuff works.. now I can't get --helper to work

2005-10-19 Thread nairb rotsak
Hello,  

When I type this:
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

per :
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#winbind

I am getting nothing, until I hit another key and it
says ERR each time I hit a key until I CTRL-C.

All of my wbinfo stuff works...

I know I am supposed to have my username and password
in there, but that doesn't seem to matter.  Just about
anything I put in there doesn't work.

Any log I can look at to find out what isn't working? 
I have made sure my winbind_privileged is right...

drwxr-x---  2 root proxy  4096 2005-09-28 11:40 winbindd_privileged

I think this is the last step for me getting DG and
Squid to give me user names!

Any help appreciated

thanks,
bk








[squid-users] squid and DG

2005-10-18 Thread nairb rotsak
Ok, Squid is caching and DG is blocking... I have
seen a post or two about putting them on different
boxes so you can get 'per user' logging.  I have also
seen that having DG on the same Squid box causes squid
logs to only show loopback.

Am I missing something or is there a way around this?

Thanks!






[squid-users] citrix users behind squid

2005-09-15 Thread nairb rotsak
I have looked in past posts and I think my question is
answered, but since we are dumping websense and going
with Squid (based on what we think we already know), I
wanted to be sure.  

We use websense now, but because 80% of our users are
citrix users, we have had to implement an isa server
that redirects requests from our firewall (pix) back
to the isa (for Integrated AD authentication).  This is
because an admin user would be logged into the
terminal of the citrix server, and that is the
credential that was getting passed to the websense
server = many surprised surfers!!

I have always heard great things about Squid, and
websense is just a huge pain and VERY expensive.  I am
just worried that we are going to have the same
problem.  But I think I read that Squid will use the
authentication from the browser's header, and not from
who is authenticated to the box or ip.

Anybody got any good examples of using Squid to
authenticate to AD (Samba has to be somewhere on the
network.. right.. can't just be all windows) and
REALLY do per user coming from a Citrix farm?
