Hi,

I am trying to produce a squid setup as depicted in www.cdal.co.uk/Proxy2.png

2 squid instances, one running on port 3128 (frontend) and another on port 3030 (backend). 3 instances of DansGuardian running on 8080, 8081 and 8082 which act as cache peers to the frontend squid.

The frontend (no caching) squid uses NTLM authentication to authenticate users. Then based upon their group (using wbinfo_group.pl) determines which cache peer they are allowed to access.

My cache peers are defined as:

cache_peer students.local parent 8080 0 proxy-only no-query no-netdb-exchange no-digest
cache_peer staff.local parent 8081 0 proxy-only no-query no-netdb-exchange no-digest
cache_peer special.local parent 8082 0 proxy-only no-query no-netdb-exchange no-digest

students.local, staff.local and special.local are all entries in /etc/hosts resolving to itself.

I have managed to get the DansGuardians and the backend squid to work, as these can be tested individually. NTLM authentication is working, as users' names are resolved in the access.log.

My problem seems to be located in the external_acl_type, as when this is commented out along with other dependent acls the squid process starts up; otherwise the following error is generated:

FATAL: Bungled squid.3128.conf line 1863: acl special external ntlm_group it
Squid Cache (Version 2.6.STABLE5): Terminated abnormally.

The problem doesn't seem to be with this line in the config, as when commented out the next line (also acl special) errors, producing a similar error.

My acls are defined as:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl special external ntlm_group it
acl staff external ntlm_group Staff
acl students external ntlm_group Students
acl ntlm_users proxy_auth REQUIRED

With an external acl of:

external_acl_type ntlm_group concurrency=0 children=5 ttl=0 % LOGIN /usr/lib/squid/wbinfo_group.pl

My cache_peer_access rules are defined as:

never_direct allow all
#cache_peer_access students.local allow all
cache_peer_access special.local allow special
cache_peer_access special.local deny all
cache_peer_access students.local allow students
cache_peer_access students.local deny all
cache_peer_access staff.local allow staff
cache_peer_access staff.local deny all

The commented out line is in place to check that the connection between squid and its peers works.

My http_access is defined as:

http_access allow ntlm_users

When I run the wbinfo_group.pl script manually from the command line, the script returns OK as expected and also gets the correct SID/GID when in debug mode.

The system will be locked down using iptables to prevent users from switching to the backend squid and thus skipping the authentication procedure; however, during testing and to avoid complexity, iptables is off.

I am using Squid 2.6STABLE5, which is the packaged version from the Ubuntu repositories, with the following output for -version:

Squid Cache: Version 2.6.STABLE5
configure options: '--prefix=/usr' '--exec_prefix=/usr' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--datadir=/usr/share/squid' '--enable-async-io' '--with-pthreads' '--enable-storeio=ufs,aufs,coss,diskd,null' '--enable-linux-netfilter' '--enable-arp-acl' '--enable-epoll' '--enable-removal-policies=lru,heap' '--enable-snmp' '--enable-delay-pools' '--enable-htcp' '--enable-cache-digests' '--enable-underscores' '--enable-referer-log' '--enable-useragent-log' '--enable-auth=basic,digest,ntlm' '--enable-carp' '--with-large-files' 'i386-debian-linux' 'build_alias=i386-debian-linux' 'host_alias=i386-debian-linux' 'target_alias=i386-debian-linux'

I am running Ubuntu Feisty Fawn 7.04.

I have tried to work through this problem by looking at the FAQs and googling, but to no avail.

Any help would be much appreciated.

Cheers,

--
Sebastian Harrington
Infrastructure Officer
Longhill High School
e: seb {at} longhill _dot_ brighton-hove _dot_ sch _dot_ uk
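Squid looks up the helper class named in an `acl ... external` line while it parses that line, so the matching `external_acl_type` definition has to appear earlier in the file. The following is an added example, not part of the original post, that checks a config for that ordering; the function name is hypothetical and the sample config is constructed from directives quoted in the post, placed in an assumed order because the post does not show where the definition sits in the real file.

```python
# Constructed sample: directives quoted in the post, in an ASSUMED order.
SAMPLE_CONF = """\
acl CONNECT method CONNECT
acl special external ntlm_group it
acl staff external ntlm_group Staff
external_acl_type ntlm_group concurrency=0 children=5 ttl=0 % LOGIN /usr/lib/squid/wbinfo_group.pl
acl students external ntlm_group Students
acl ntlm_users proxy_auth REQUIRED
"""


def check_external_acl_order(conf_text):
    """Return (line_no, acl_name, helper, reason) for every external acl whose
    helper class has not been defined at the point where the acl is parsed."""
    defined = {}   # helper class name -> line number of its external_acl_type
    pending = []   # external acls seen before their helper class was defined
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()   # ignore comments
        if len(tokens) >= 2 and tokens[0] == "external_acl_type":
            defined.setdefault(tokens[1], line_no)
        elif len(tokens) >= 4 and tokens[0] == "acl" and tokens[2] == "external":
            helper = tokens[3]
            if helper not in defined:
                pending.append((line_no, tokens[1], helper))
    findings = []
    for line_no, acl_name, helper in pending:
        if helper in defined:
            reason = "defined later at line %d" % defined[helper]
        else:
            reason = "never defined"
        findings.append((line_no, acl_name, helper, reason))
    return findings


if __name__ == "__main__":
    for line_no, acl_name, helper, reason in check_external_acl_order(SAMPLE_CONF):
        print("line %d: acl %s uses external class %s (%s)"
              % (line_no, acl_name, helper, reason))
```
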