Steffan,
I use Squid and NTLM passthrough auth. The credentials used during login
are automatically passed to Squid to allow/block user access to this or
that ACL. It works just fine. The only problem I had is that I had to
manually insert users in Squid lists (in the "domain\username" format).
I had to do that because I don't like Winbind - during the Active Directory
replication intervals, user information obtained with winbind - such as
group membership, account status and other important stuff - may not be
up to date. I solved that by building a script that uses OpenLDAP
clients to import the list of users allowed to access the Internet from
the Active Directory Domain Controller - if the user is in this OU,
he/she has access; if he/she's not, he/she doesn't.
The configuration is quite simple:
=============== squid.conf ===============
# "DOMAIN" is your AD domain ; "server1" and "server2" are the NetBIOS names
# of your domain controllers (you can specify more servers, if you want)
auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAIN/server1 DOMAIN/server2
auth_param ntlm children 40
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
# Making the authentication a requirement
acl password proxy_auth REQUIRED
# Example of user ACLs
acl common_users proxy_auth "/etc/squid/lists/common_users.auth"
acl vip_users proxy_auth "/etc/squid/lists/vip_users.auth"
# Blocked keywords in URLs (Regular Expressions)
acl trash url_regex -i "/etc/squid/lists/trash.url"
# Webmail sites
acl webmail url_regex -i "/etc/squid/lists/webmail.url"
# Blocked file extensions - for everyone's safety
acl bad_extensions url_regex -i "/etc/squid/lists/bad_extensions.url"
# ---- http_access rules -----
# Blocking unsafe files for everyone
http_access deny bad_extensions all
# Allowing vip users to access everything
http_access allow vip_users all
# Disallowing common users to access "trash" and "webmail"
http_access deny common_users trash
http_access deny common_users webmail
# Allowing common users to access other sites
http_access allow common_users password
# Denying everything to everyone
http_access deny all
=============================================
========== Sample "common_users.auth" file ===========
# Everyone that has access to the Internet
mydomain\leeoswald
mydomain\pmacartney
mydomain\fmulder
mydomain\peppin
mydomain\fbaggins
mydomain\joliva
=============================================
========== Sample "vip_users.auth" file ===========
mydomain\sauron # The President/CEO
mydomain\nazgul # Mr. Sauron's secretary (almost doesn't work, but complains a lot)
mydomain\cmanson # HR Manager - Better not to bother him :)
=============================================
========== Sample "webmail.url" file ===========
# List of regular expressions that mean that user is
# trying to access some webmail service
webmail
^http\://mail\.yahoo
hotmail
zipmail
myrealbox
.*/(web)?mail
# Insert your own expressions
=============================================
========== Sample "trash.url" file ===========
# List of regular expressions that mean that user is
# trying to access some blocked websites
porn
xxx
pornography
chat
orkut
mp3
=============================================
========== Sample "bad_extensions.url" file ===========
# List of regular expressions that mean that user is
# trying to access some blocked files
.*\.exe($|\?)
.*\.bat($|\?)
# Or, making it more simple:
.*\.(exe|bat|com|scr|cmd|pif|reg|vbs)($|\?)
=============================================
Hope it helps!
Regards,
Luis Talora
Steffan Corley wrote:
I understand from Henrik Nordstrom's message on 1st September 2006
that Squid 2.6 supports NTLM passthrough.
I need to implement a Squid cache in front of an upstream proxy
running ISA server (which is at the enterprise level). The ISA server
authenticates using NTLM and then uses WebSense to filter web
results. Crucially, while one user may be filtered for a particular
site, another user may have access to that site.
Unfortunately, I have no control over the ISA server set up and no way
to bypass it.
Is this possible? I see two possible problems:
1. Is NTLM passthrough actually implemented? I can find nothing in
the Squid documentation. Does it do what I would need for this to
actually work (i.e. maintain a 1-1 mapping between client connections
and connections to the upstream proxy)?
2. Will the cached pages get served to different users without
checking whether the upstream ISA server would have blocked them for
this user? I.e. if user A visits www.dodgy.com and is not blocked by
ISA server, will www.dodgy.com be served from the cache to user B
regardless of whether the ISA server would have blocked them or not.
Thanks for any help.
Steffan
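The OU-driven list generation that Luis describes, written out as an added example; this is not code from the original post. It assumes a read-only service account, an OU named "Internet Users", a domain controller reachable as dc1.mydomain.local, and the list path used by the squid.conf above. The LDIF at the bottom is constructed sample data so the conversion step can be exercised without a domain controller.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild a Squid proxy_auth list
# from the direct members of one Active Directory OU using OpenLDAP's
# ldapsearch. Every host, account, OU and path here is an assumption.

DOMAIN="mydomain"                                  # NetBIOS name used in the lists
LDAP_URI="ldaps://dc1.mydomain.local"              # assumed DC; ldaps keeps the bind password off the wire
BIND_DN="squid-ldap@mydomain.local"                # assumed read-only service account (UPN form)
BIND_PW_FILE="/etc/squid/ldap.secret"              # password only, mode 0600, owned by root
BASE_DN="OU=Internet Users,DC=mydomain,DC=local"   # assumed OU whose direct members get Internet access
OUT="/etc/squid/lists/common_users.auth"           # the list referenced by the proxy_auth ACL

# Fetch sAMAccountName and userAccountControl for user objects that sit
# directly in the OU (scope "one", i.e. "if the user is in this OU").
fetch_users() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$BASE_DN" -s one \
        '(&(objectCategory=person)(objectClass=user))' \
        sAMAccountName userAccountControl
}

# Turn LDIF on stdin into "domain\user" lines on stdout, one per entry.
# Entries whose userAccountControl has the ACCOUNTDISABLE bit (0x2) set are
# dropped, so a disabled account does not keep its proxy access.
# Base64-encoded values ("sAMAccountName:: ...") do not match and are skipped.
ldif_to_list() {
    awk -v dom="$1" '
        function emit() {
            if (name != "" && int(uac / 2) % 2 == 0) print dom "\\" name
            name = ""; uac = 0
        }
        /^sAMAccountName: /     { sub(/^sAMAccountName: /, ""); name = tolower($0) }
        /^userAccountControl: / { uac = $2 + 0 }
        /^$/                    { emit() }
        END                     { emit() }
    ' | sort -u
}

# Install a new list only from a successful, non-empty query, and reload Squid
# only when the list actually changed. A failed or empty query keeps the
# previous list instead of locking every user out.
update_list() {
    raw=$(mktemp) || return 1
    if ! fetch_users > "$raw"; then
        echo "ldapsearch failed; keeping existing $OUT" >&2
        rm -f "$raw"; return 1
    fi
    tmp=$(mktemp "$OUT.XXXXXX") || { rm -f "$raw"; return 1; }
    ldif_to_list "$DOMAIN" < "$raw" > "$tmp"
    rm -f "$raw"
    if [ ! -s "$tmp" ]; then
        echo "OU returned no enabled users; refusing to install an empty list" >&2
        rm -f "$tmp"; return 1
    fi
    if cmp -s "$tmp" "$OUT"; then
        rm -f "$tmp"; return 0          # unchanged, no reload needed
    fi
    chmod 0644 "$tmp" && mv "$tmp" "$OUT" && squid -k reconfigure
}

# Constructed sample LDIF (what ldapsearch -LLL returns), for offline testing:
# one enabled user, one enabled user with "password never expires", and one
# disabled account that must not appear in the list.
SAMPLE_LDIF='dn: CN=Lee Oswald,OU=Internet Users,DC=mydomain,DC=local
sAMAccountName: LeeOswald
userAccountControl: 512

dn: CN=Fox Mulder,OU=Internet Users,DC=mydomain,DC=local
sAMAccountName: fmulder
userAccountControl: 66048

dn: CN=Old Account,OU=Internet Users,DC=mydomain,DC=local
sAMAccountName: oldaccount
userAccountControl: 514
'

# Converts the constructed sample; prints mydomain\fmulder and mydomain\leeoswald.
demo_list() {
    printf '%s' "$SAMPLE_LDIF" | ldif_to_list "$DOMAIN"
}

# Run from cron (e.g. every 15 minutes) as: sh update-squid-users.sh --run
if [ "${1:-}" = "--run" ]; then
    update_list
fi
```

Names are written in lower case to match the lists above; if your NTLM helper hands Squid the user name in the case the client sent, add -i to the proxy_auth ACLs where your Squid version supports it. Directories with more than 1000 objects in the OU will need paged results (ldapsearch -E pr=1000/noprompt) before the list is complete.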