$20 in your PayPal account if you help me fix this

$20 in your PayPal account if you help me fix this, $5
if I feel that you made a contribution to the answer
but didn't fix it (a la experts-exchange.com)

The goal: Set up Squid to only allow authenticated
users certain sites (all whitelists, no black lists
involved). 

The situation: I am attempting to get Squid up and
going, but am having issues with some sites that are
in *no* whitelist getting through. I am trying to get
it where nothing comes through except what I dictate
through whitelists per what GPO you are in.  

The setup: Squid 2.6.STABLE9 running on a Windows XP
Pro box, authenticating to a Windows 2000/2003 domain.
Before you start typing what a bad idea it is to do
this on Windows, save your breath, I know.
Unfortunately, I don't write the business rules, so
work with what you got (at least I am not trying to
use an ISA server, right? ;). 

The facts: Because I am testing, I have a very simple
setup currently. There are only two groups in AD
(group_proxy_a and group_proxy_b), one user in each of
those groups (proxy_a and proxy_b, respectively), and
two white lists (proxy_a_sites.txt and
proxy_b_sites.txt). I am authenticating into the
Windows domain and the groups using the
mswin_ntlm_auth and mswin_check_lm_group executables
which apparently work fine (if you look at the logs,
it pulls the user's DOMAIN\login information correctly,
and if the site is on the whitelist, it comes through
fine). Where I am stumped is how sites like
adidas.com and nike.com are allowed (again, no
existence of them on either of the whitelists), but
other stuff (like newbalance.com) is denied. I would
guess that 80-85% of sites are stopped from the
testing I have done, letting in 15-20% of stuff it
shouldn't. 


  Here are some configs: 
    
  ##########################
  # squid.conf             #
  ##########################

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm keep_alive on

...

external_acl_type win_domain_group ttl=300 %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G

...

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
## acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
## acl Safe_ports port 70 # gopher
## acl Safe_ports port 210 # wais
## acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
## acl Safe_ports port 591 # filemaker
## acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl localnet proxy_auth REQUIRED src xxx.xxx.xxx.xxx/16
acl proxy_a_users external win_domain_group group_proxy_a
acl proxy_a_sites dstdom_regex [-i] "c:/squid/lists/proxy_a_sites.txt"
acl proxy_b_users external win_domain_group group_proxy_b
acl proxy_b_sites dstdom_regex [-i] "c:/squid/lists/proxy_b_sites.txt"

http_access allow proxy_a_users proxy_a_sites
http_access allow proxy_b_users proxy_b_sites
http_access deny all
    
    
  ############################### 
  #     proxy_a_sites.txt       # 
  ############################### 
    
.yahoo.com
.lycos.com
.google.com
.altavista.com
.ask.com 
    
    
  ############################### 
  #     proxy_b_sites.txt       # 
  ############################### 
   
.toyota.com
.honda.com
.nissan.com
.gm.com
.chevy.com
.ford.com 


    
  ############################### 
  #   snippet from access.log   # 
  ############################### 

1172528486.507      0 10.1.5.47 TCP_DENIED/407 1767 GET http://www.chevy.com/ - NONE/- text/html
1172528486.522     15 10.1.5.47 TCP_DENIED/407 1989 GET http://www.chevy.com/ - NONE/- text/html
1172528490.162   3640 10.1.5.47 TCP_MISS/302 352 GET http://www.chevy.com/ DOMAIN\proxy_b DIRECT/170.224.60.166 text/html
1172528490.178     16 10.1.5.47 TCP_DENIED/403 1467 GET http://www.chevrolet.com/ DOMAIN\proxy_b NONE/- text/html
1172528500.816      0 10.1.5.47 TCP_DENIED/407 1767 GET http://www.honda.com/ - NONE/- text/html
1172528500.816      0 10.1.5.47 TCP_DENIED/407 1989 GET http://www.honda.com/ - NONE/- text/html
1172528504.566      0 10.1.5.47 TCP_DENIED/407 1809 GET http://www.honda.com/js/rollover.js - NONE/- text/html
1172528504.581      0 10.1.5.47 TCP_DENIED/407 2031 GET http://www.honda.com/js/rollover.js - NONE/- text/html
1172528504.628      0 10.1.5.47 TCP_DENIED/407 1803 GET http://www.honda.com/css/main.css - NONE/- text/html
1172528504.644      0 10.1.5.47 TCP_DENIED/407 1809 GET http://www.honda.com/css/popups.css - NONE/- text/html
1172528504.706     78 10.1.5.47 TCP_DENIED/407 2025 GET http://www.honda.com/css/main.css - NONE/- text/html
1172528504.706      0 10.1.5.47 TCP_DENIED/407 1767 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172528504.706      0 10.1.5.47 TCP_DENIED/407 2031 GET http://www.honda.com/css/popups.css - NONE/- text/html
1172528504.737     15 10.1.5.47 TCP_DENIED/407 1989 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172528505.112   4296 10.1.5.47 TCP_MISS/200 22036 GET http://www.honda.com/ DOMAIN\proxy_b DIRECT/164.109.25.248 text/html
1172528505.253    672 10.1.5.47 TCP_MISS/200 2131 GET http://www.honda.com/js/rollover.js DOMAIN\proxy_b DIRECT/164.109.25.248 application/x-javascript
1172528505.394    672 10.1.5.47 TCP_MISS/200 2405 GET http://www.honda.com/css/popups.css DOMAIN\proxy_b DIRECT/164.109.25.248 text/css
1172528505.487    781 10.1.5.47 TCP_MISS/200 4252 GET http://www.honda.com/css/main.css DOMAIN\proxy_b DIRECT/164.109.25.248 text/css
1172528505.722    219 10.1.5.47 TCP_MISS/200 4376 GET http://www.honda.com/js/PopUps.js DOMAIN\proxy_b DIRECT/164.109.25.248 application/x-javascript
1172528505.987    265 10.1.5.47 TCP_MISS/200 843 GET http://www.honda.com/js/SpringBoard.js DOMAIN\proxy_b DIRECT/164.109.25.248 application/x-javascript
1172528505.987   1250 10.1.5.47 TCP_MISS/200 6159 CONNECT urs.microsoft.com:443 DOMAIN\proxy_b DIRECT/65.55.195.253 -
1172528506.300    313 10.1.5.47 TCP_MISS/200 2651 GET http://www.honda.com/images/logo.gif DOMAIN\proxy_b DIRECT/164.109.25.248 image/gif
1172528506.331    250 10.1.5.47 TCP_MISS/200 2159 GET http://www.honda.com/images/1.jpg DOMAIN\proxy_b DIRECT/164.109.25.248 image/jpeg
1172528506.409    328 10.1.5.47 TCP_MISS/200 2160 GET http://www.honda.com/images/2.jpg DOMAIN\proxy_b DIRECT/164.109.25.248 image/jpeg
1172528506.409    328 10.1.5.47 TCP_MISS/200 2206 GET http://www.honda.com/images/3.jpg DOMAIN\proxy_b DIRECT/164.109.25.248 image/jpeg
1172528506.659    359 10.1.5.47 TCP_MISS/200 3382 GET http://www.honda.com/slideshow.aspx DOMAIN\proxy_b DIRECT/164.109.25.248 text/html
1172528506.737    406 10.1.5.47 TCP_MISS/200 2442 GET http://www.honda.com/images/7.jpg DOMAIN\proxy_b DIRECT/164.109.25.248 image/jpeg

....

1172529009.234    671 10.1.5.47 TCP_MISS/200 1473 GET http://www.acura.com/main_body.aspx? DOMAIN\proxy_b DIRECT/71.19.198.53 text/html
1172529009.250   1140 10.1.5.47 TCP_MISS/200 732 GET http://www.acura.com/images/nt/ntpagetag.gif? DOMAIN\proxy_b DIRECT/71.19.198.53 image/gif
1172529009.359    109 10.1.5.47 TCP_HIT/206 8105 GET http://www.acura.com/sharedLibrary.swf DOMAIN\proxy_b NONE/- application/x-shockwave-flash
1172529009.391    813 10.1.5.47 TCP_MISS/200 1333 GET http://www.acura.com/control.aspx? DOMAIN\proxy_b DIRECT/71.19.198.53 text/html
1172529010.234    843 10.1.5.47 TCP_MISS/200 36891 GET http://www.acura.com/main.swf DOMAIN\proxy_b DIRECT/71.19.198.53 application/x-shockwave-flash
1172529012.109   1875 10.1.5.47 TCP_MISS/200 35666 GET http://www.acura.com/acuracodelibrary.swf DOMAIN\proxy_b DIRECT/71.19.198.53 application/x-shockwave-flash
1172529014.108   2187 10.1.5.47 TCP_MISS/200 31279 GET http://www.acura.com/genexcodelibrary.swf DOMAIN\proxy_b DIRECT/71.19.198.53 application/x-shockwave-flash
1172529014.921    813 10.1.5.47 TCP_MISS/200 15895 GET http://www.acura.com/director.aspx? DOMAIN\proxy_b DIRECT/71.19.198.53 text/xml
1172529019.232   4311 10.1.5.47 TCP_MISS/200 128627 GET http://www.acura.com/nav.swf DOMAIN\proxy_b DIRECT/71.19.198.53 application/x-shockwave-flash
1172529020.529      0 10.1.5.47 TCP_DENIED/407 2010 GET http://ad.doubleclick.net/activity;src=1167695;type=regio401;cat=acura178;ord=1;num=3917520371031.129? - NONE/- text/html
1172529020.529      0 10.1.5.47 TCP_DENIED/407 1833 GET http://leadback.advertising.com/adcedge/lb? - NONE/- text/html
1172529020.545      0 10.1.5.47 TCP_DENIED/407 2055 GET http://leadback.advertising.com/adcedge/lb? - NONE/- text/html
1172529020.685    812 10.1.5.47 TCP_MISS/200 623 GET http://www.acura.com/tracking.html? DOMAIN\proxy_b DIRECT/71.19.198.53 text/html
1172529020.795      0 10.1.5.47 TCP_DENIED/407 1791 GET http://www.acura.com/home.swf - NONE/- text/html
1172529020.810     15 10.1.5.47 TCP_DENIED/407 2013 GET http://www.acura.com/home.swf - NONE/- text/html
1172529021.310    765 10.1.5.47 TCP_MISS/200 613 GET http://leadback.advertising.com/adcedge/lb? DOMAIN\proxy_b DIRECT/204.0.99.194 image/gif
1172529021.654    844 10.1.5.47 TCP_MISS/200 35841 GET http://www.acura.com/home.swf DOMAIN\proxy_b DIRECT/71.19.198.53 application/x-shockwave-flash
1172529022.154    156 10.1.5.47 TCP_DENIED/403 1459 GET http://www.lycos.com/ DOMAIN\proxy_b NONE/- text/html
1172529022.201    547 10.1.5.47 TCP_MISS/200 39536 GET http://www.acura.com/content/Home/RDX.jpg DOMAIN\proxy_b DIRECT/71.19.198.53 image/jpeg
1172529022.404      0 10.1.5.47 TCP_DENIED/407 1767 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172529022.419     15 10.1.5.47 TCP_DENIED/407 1989 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172529022.435      0 10.1.5.47 TCP_DENIED/407 1767 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172529022.451     16 10.1.5.47 TCP_DENIED/407 1989 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172529024.231   1812 10.1.5.47 TCP_MISS/200 6157 CONNECT urs.microsoft.com:443 DOMAIN\proxy_b DIRECT/65.54.225.125 -
1172529024.356   1905 10.1.5.47 TCP_MISS/200 6157 CONNECT urs.microsoft.com:443 DOMAIN\proxy_b DIRECT/65.54.225.125 -
1172529028.137      0 10.1.5.47 TCP_DENIED/403 1461 GET http://www.google.com/ DOMAIN\proxy_b NONE/- text/html
1172529028.278      0 10.1.5.47 TCP_DENIED/407 1806 GET http://g.microsoft.com/_0sfdata/1? - NONE/- text/html
1172529028.293      0 10.1.5.47 TCP_DENIED/407 2028 GET http://g.microsoft.com/_0sfdata/1? - NONE/- text/html
1172529028.606    313 10.1.5.47 TCP_MISS/204 456 GET http://g.microsoft.com/_0sfdata/1? DOMAIN\proxy_b DIRECT/207.68.179.219 -
1172529044.134   4171 10.1.5.47 TCP_MISS/304 528 GET http://www.nike.com/ DOMAIN\proxy_b DIRECT/72.246.32.212 -
1172529044.603    469 10.1.5.47 TCP_MISS/200 3761 GET http://www.nike.com/index.jhtml DOMAIN\proxy_b DIRECT/72.246.32.212 text/html
1172529045.415      0 10.1.5.47 TCP_DENIED/407 1788 CONNECT secure-niketown.nike.com:443 - NONE/- text/html
1172529045.431      0 10.1.5.47 TCP_DENIED/407 2010 CONNECT secure-niketown.nike.com:443 - NONE/- text/html
1172529054.757   1703 10.1.5.47 TCP_MISS/302 1017 GET http://www.adidas.com/ DOMAIN\proxy_b DIRECT/63.209.213.55 text/html
1172529055.022    265 10.1.5.47 TCP_MISS/302 641 GET http://www.adidas.com/us/ DOMAIN\proxy_b DIRECT/63.209.213.55 text/html
1172529055.835    813 10.1.5.47 TCP_MISS/200 3475 GET http://www.adidas.com/us/shared/brandselector.asp DOMAIN\proxy_b DIRECT/63.209.213.55 text/html
1172529056.053      0 10.1.5.47 TCP_DENIED/407 1800 GET http://ehg-adidas.hitbox.com/HG? - NONE/- text/html
1172529056.069     16 10.1.5.47 TCP_DENIED/407 2022 GET http://ehg-adidas.hitbox.com/HG? - NONE/- text/html
1172529056.272    437 10.1.5.47 TCP_REFRESH_HIT/200 41281 GET http://www.adidas.com/us/images/Brand_Selector/Q2_07_Wtennis.jpg DOMAIN\proxy_b DIRECT/63.209.213.55 image/jpeg
1172529056.881    812 10.1.5.47 TCP_MISS/200 1361 GET http://ehg-adidas.hitbox.com/HG? DOMAIN\proxy_b DIRECT/64.154.81.197 image/gif
1172529103.966    718 10.1.5.47 TCP_DENIED/403 1469 GET http://www.newbalance.com/ DOMAIN\proxy_b NONE/- text/html
1172529110.871  65440 10.1.5.47 TCP_MISS/200 8199 CONNECT secure-niketown.nike.com:443 DOMAIN\proxy_b DIRECT/72.246.32.76 -


As you can see, it seems to allow sites like
honda.com, acura.com, etc. (which it should), but why
is it allowing adidas.com and nike.com? If I need to
provide any more information, configs, etc., let me
know. 

Thanks for any help, I appreciate it. 
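Added example (not code from the original message, and not Squid's own code): a small Python script that replays the posted proxy_b_sites.txt against destination hosts taken from the access.log excerpt above. It uses Python's re module as a stand-in for the POSIX regex library to mirror how Squid reads the argument list of a dstdom_regex ACL: only the bare token -i (or +i) is a case-insensitivity switch, and every other token, including a literal "[-i]" copied from the squid.conf.default comment where the square brackets just mean "optional", is compiled as an unanchored extended regex. The constructed hostname www.honda.com.example.net and the dstdomain_match helper (a model of Squid's dstdomain suffix matching, added as the hardened alternative) are assumptions for illustration; neither appears in the original post.

```python
import re

# Constructed copy of the posted proxy_b_sites.txt, one entry per line.
PROXY_B_SITES = [
    ".toyota.com", ".honda.com", ".nissan.com", ".gm.com", ".chevy.com", ".ford.com",
]

# Destination hosts taken from the access.log excerpt for the proxy_b session.
LOG_HOSTS = [
    "www.honda.com", "www.chevy.com", "www.chevrolet.com",
    "www.nike.com", "secure-niketown.nike.com",
    "www.adidas.com", "ehg-adidas.hitbox.com",
    "leadback.advertising.com", "urs.microsoft.com",
    "www.newbalance.com", "www.google.com", "www.lycos.com",
]
# Constructed hostname (not in the log) that merely contains "honda.com".
CONSTRUCTED_HOST = "www.honda.com.example.net"


def compile_dstdom_regex(tokens):
    """Mirror of how Squid reads the argument list of a regex ACL: the bare
    tokens -i / +i switch case-insensitivity on and off, and every other
    token (written inline or read from the quoted list file) is compiled as
    an extended regex that is searched, unanchored, in the destination host.
    A literal "[-i]" therefore becomes a character class that matches any
    hostname containing '-' or 'i'."""
    flags = 0
    patterns = []
    for tok in tokens:
        if tok == "-i":
            flags |= re.IGNORECASE
        elif tok == "+i":
            flags &= ~re.IGNORECASE
        else:
            patterns.append((tok, re.compile(tok, flags)))
    return patterns


def first_regex_match(tokens, host):
    """Return the text of the first pattern that matches host, or None."""
    for text, pat in compile_dstdom_regex(tokens):
        if pat.search(host):
            return text
    return None


def dstdomain_match(domains, host):
    """Model of Squid's dstdomain semantics (assumed here as the hardened
    alternative): '.example.com' matches example.com and any subdomain of it;
    a bare 'example.com' matches only that exact host.  No metacharacters."""
    host = host.lower()
    for d in (x.lower() for x in domains):
        if d.startswith(".") and (host == d[1:] or host.endswith(d)):
            return True
        if host == d:
            return True
    return False


def evaluate(hosts):
    """For each host return (allowed with the literal [-i] token as posted,
    allowed with a real -i flag, allowed by a dstdomain list) so that the
    three spellings of the same whitelist can be compared side by side."""
    as_posted = ["[-i]"] + PROXY_B_SITES   # what the posted squid.conf does
    corrected = ["-i"] + PROXY_B_SITES     # brackets removed, still a regex
    return {
        h: (
            first_regex_match(as_posted, h) is not None,
            first_regex_match(corrected, h) is not None,
            dstdomain_match(PROXY_B_SITES, h),
        )
        for h in hosts
    }


if __name__ == "__main__":
    print(f"{'host':28} {'[-i] literal':>13} {'-i flag':>8} {'dstdomain':>10}  matched by")
    for host, (posted, fixed, exact) in evaluate(LOG_HOSTS + [CONSTRUCTED_HOST]).items():
        why = first_regex_match(["[-i]"] + PROXY_B_SITES, host) or "-"
        print(f"{host:28} {str(posted):>13} {str(fixed):>8} {str(exact):>10}  {why}")
```

Running it reproduces the pattern in the log: with the "[-i]" token in place, every hostname containing an "i" or a hyphen (nike.com, adidas.com, hitbox.com, advertising.com, microsoft.com) is matched by that first pattern, while newbalance.com, google.com and lycos.com, which contain neither, fall through to the deny. Removing the brackets stops those matches but still leaves unescaped dots and no anchoring, so the constructed www.honda.com.example.net continues to match the regex list; for a pure whitelist of domains, a dstdomain list with the same entries (suffix match, no regex metacharacters) is the safer ACL type.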


 