Chris Robertson wrote:
Phibee Network Operation Center wrote:
Hi

I have a new problem with my Squid server (NTLM against AD).

My configuration:

# Authentication helpers: NTLM first (ntlm_auth speaking the squid-2.5 NTLMSSP
# helper protocol), with Basic as the fallback for clients that cannot do NTLM.
# Basic credentials arrive at the proxy base64-encoded, i.e. readable on the
# wire, so that fallback is only as private as the client-to-proxy path.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
# up to 15 helper processes of each kind
auth_param ntlm children 15
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
# realm text shown in the browser's Basic login prompt
auth_param basic realm Squid proxy-caching web server
# a validated Basic username/password pair is reused for 2 hours before the helper is asked again
auth_param basic credentialsttl 2 hours
# NOTE(review): the line below looks like two directives fused by mail wrapping.
# As printed, the leading '#' comments out the whole line, so the AD_Group
# external ACL type that "acl AllowedADUsers external AD_Group" relies on is
# never defined and Squid would most likely reject the configuration.
# Confirm that the live file carries
#   external_acl_type AD_Group children=50 concurrency=50 ttl=1800 negative_ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl
# on its own, uncommented line (%LOGIN hands the authenticated username to the
# group-lookup helper; ttl/negative_ttl cache positive/negative answers for 1800/900 s).
#external_acl_type AD_Group children=50 concurrency=50 %LOGIN /usr/lib/squid/wbinfo_group.pl external_acl_type AD_Group children=50 concurrency=50 ttl=1800 negative_ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl

# A parent proxy on the loopback interface, port 8081 (presumably a content
# filter or a second proxy — confirm). proxy-only: objects fetched through it
# are not stored here; no-query: no ICP queries to it; connect-timeout=5: give
# up connecting after 5 s. login=*:password sends the name of the user who
# authenticated to this Squid on to the parent, with the literal password
# "password" — acceptable only while the parent listens on 127.0.0.1 and treats
# this Squid as its sole, trusted client, since that hop carries no real secret.
cache_peer 127.0.0.1 parent 8081 0 proxy-only no-query weight=100 connect-timeout=5 login=*:password

## Access-rights ACLs
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# Lan: the three RFC1918 private ranges. In the configuration as posted, Lan is
# referenced only by the icp_access/htcp_access rules at the end — none of the
# http_access rules restrict the client source address.
acl Lan src 10.0.0.0/8     # RFC1918 possible internal network
acl Lan src 172.16.0.0/12  # RFC1918 possible internal network
acl Lan src 192.168.0.0/16 # RFC1918 possible internal network


######################################################################
## ACLs for web sites that may be visited without authentication
######################################################################
# One domain per line in the file. As explained in the reply further down,
# "pagesjaunes.fr" matches that exact host, whereas ".pagesjaunes.fr" also
# matches www.pagesjaunes.fr and every other host under the domain.
acl URL_Authorises dstdomain "/etc/squid-ntlm/allowedURL"
# This is the first http_access line: it is evaluated before the Safe_ports and
# CONNECT checks and before any proxy_auth rule, so a matching destination is
# reachable on any port by any client that can reach http_port, with no login
# and no source-address check.
# NOTE(review): the test URL quoted in the mail, www.pagejaunes.fr, is not
# spelled like the pagesjaunes.fr entry in allowedURL; if it was really typed
# that way it simply does not match and falls through to the AD rules.
http_access allow URL_Authorises

Are you sure you don't want to add additional restrictions to that http_access allow (such as a limitation on the source IP, or something)? As written it is the first http_access line, so any client that can reach the proxy gets those domains without authenticating.

######################################################################

# Ports a CONNECT tunnel may go to: 443/563 plus 10000, 1494 and 2598 (the
# last two are presumably Citrix ICA/CGP — confirm they are still needed).
acl SSL_ports port 443 563 10000 1494 2598
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 563         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# The cache-manager interface is refused for everyone, localhost included,
# because the allow for localhost is commented out.
#http_access allow manager localhost
http_access deny manager
# Refuse plain requests to ports outside Safe_ports (note that 1025-65535 is
# in the list, so only the low privileged ports are actually closed).
http_access deny !Safe_ports
# Refuse CONNECT tunnels to anything but SSL_ports.
http_access deny CONNECT !SSL_ports

######################################################################
# ACLs defining which AD groups are allowed to connect
######################################################################
# Group-membership check through the AD_Group external helper; the file lists
# the permitted AD groups.
acl AllowedADUsers external AD_Group "/etc/squid-ntlm/allowedntgroups"
# Matches any user who authenticated successfully, whatever the group.
acl Winbind proxy_auth REQUIRED
######################################################################


######################################################################
# Access rights derived from Active Directory
######################################################################
# Members of an allowed group pass. As the reply below explains, the two deny
# lines are not redundant with "deny all": the "allow" alone would not force a
# login, and the explicit denials are what make Squid send a 407 challenge to
# the client instead of a plain 403.
http_access allow AllowedADUsers
http_access deny !AllowedADUsers
http_access deny !Winbind

These two deny lines are redundant, as everything is denied by the next line...

Almost, but not quite.
Since he is using "allow AllowedADUsers" there will be no forced login. The two denials are required to kick that 407 back at the visitor instead of 403.



######################################################################

# Default: anything not explicitly allowed above is refused.
http_access deny all


######################################################################
# System parameters
######################################################################
http_port 8080
# URLs containing these strings are fetched directly rather than via a peer.
hierarchy_stoplist cgi-bin ?
cache_mem 16 MB
# No on-disk cache: the ufs cache_dir is commented out, null is used instead.
#cache_dir ufs /var/spool/squid-ntlm 5000 16 256
cache_dir null /dev/null
# NOTE(review): the two commented-out logformat lines below (squid and
# squidmime) appear to have been fused onto one line by mail wrapping.
#logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt #logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
# "combined" is defined but unused: access_log below selects the "squid" format.
# Both this format and the squid one carry the authenticated username (%un),
# so access.log holds user identities and should be protected accordingly.
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid-ntlm/access.log squid
cache_log /var/log/squid-ntlm/cache.log
cache_store_log /var/log/squid-ntlm/store.log
# emulate_httpd_log off
mime_table /etc/squid-ntlm/mime.conf
pid_filename /var/run/squid-ntlm.pid
# debug_options ALL,1
# Do not reverse-resolve client addresses for the log.
log_fqdn off
# Password presented for anonymous FTP logins (the address is redacted by the archive).
ftp_user pr...@gw.phibee.net
ftp_passive on
ftp_sanitycheck on
ftp_telnet_protocol on
# Freshness rules: minimum age (min), percentage of object age, maximum age (min).
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
icp_port 3130
error_directory /usr/share/squid/errors/French
# ICP/HTCP peering queries are accepted only from the RFC1918 Lan ranges.
icp_access allow Lan
icp_access deny all
htcp_access allow Lan
htcp_access deny all


Into my allowedURL, i have:

pagesjaunes.fr
estat.com
societe.com
quidonc.fr



When I try to access www.pagejaunes.fr, it asks for authentication ... I want no authentication
and no restriction on browsing.

Does anyone see where my error is?
Is the correct syntax "pagesjaunes.fr" or ".pagesjaunes.fr" for *.pagesjaunes.fr?

The second option ".pagesjaunes.fr" will match http://pagesjaunes.fr, http://www.pagesjaunes.fr and any other hostname in front of pagesjaunes.fr.


Correct.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7
