Rich West wrote:
We have a rather disjointed network, primarily due to the way the
company works. As a result, not every one of our users is currently
logged in to the Windows domain.
However, we have squid acting as a proxy for everyone's web browsing
(wpad & etc), and our users don't know the difference. We would like to
increase the functionality of squid by preventing certain users from
accessing the web (via the proxy) while allowing everyone else to get
through. Again, not everyone is logged in to the domain.
My goal is to add NTLM authentication to make it transparent to the end
user and, essentially, avoid the Windows pop-up. The less the users are
aware of the proxy, the better. :)
I added NTLM authentication (via winbind back to AD), and that works
great. I can see the user names populated in the output. However, I
cannot seem to get it to allow traffic through for those users that the
NTLM authentication fails on.
In other words, I have:
---squid.conf snippet---
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Web Proxy Server
auth_param basic credentialsttl 24 hours
...
acl all src 0.0.0.0/0.0.0.0
...
# This to never cache
no_cache deny QUERY
This is a rather old and obsolete hack to prevent bad dynamic pages
(only!) being stored. The proper way to do this is to actually use
refresh_patterns.
- killing the QUERY acl and the bits that use it.
- adding "refresh_pattern (/cgi-bin/|\?) 0 0% 0" as the final pattern
before the '.' pattern.
# We don't want to proxy FTP.
acl FTP proto FTP
always_direct allow FTP
Um, this reads wrong. The fact an FTP request got here means it's already
being proxied. This config just makes squid proxy the request itself
instead of passing it to a peer closer to the FTP server.
To prevent FTP being proxied, change the client's browser config to not
ask the proxy for FTP data.
##
# Allow WindowsUpdate to work.
##
acl update-micro-dom dstdomain .microsoft.com
acl update-micro-dom dstdomain .windowsupdate.com
#
Thanks to M$ and all their variant ways of doing it, there is a longer
list now...
watson.microsoft.com
www.msftncsi.com
windowsupdate.microsoft.com
.update.microsoft.com
download.windowsupdate.com
www.download.windowsupdate.com
redir.metaservices.microsoft.com
images.metaservices.microsoft.com
c.microsoft.com
wustat.windows.com
crl.microsoft.com
http_access allow update-micro-dom
acl NoAccess proxy_auth baduser
#
acl AD_Users proxy_auth REQUIRED
http_access deny NoAccess
http_access allow AD_Users
http_access allow localhost
http_access allow all
# And finally deny all other access to this proxy (catch all)
... only it won't catch anything because the 'allow all' directly above
it is the real catch-all.
http_access deny all
---squid.conf snippet---
Once I put the above in place (specifically the proxy_auth lines), the
logs show hits for those users logged in to the domain (good), but then
shows a whole mess of denied messages for users not part of the domain
(bad). It is as if it is ignoring the allow "all" line, and I have the
feeling I am missing something simple. But of course, I cannot help but
ask if this is even possible?
http_access lines are tested in sequence. The AD_Users ACL forces
authentication details to exist in the request or it blocks with an
'unauthorized' denial message (as you saw).
What you need to do is locate some way to identify the people who are
NOT able to authenticate and should be allowed out. Place the ACL
identifying them above the AD_Users test.
The big issue you need to look at is: WHY do you have and allow
non-authenticated strangers in your network? WHY are they allowed access
to your bandwidth?
The simplest way around this is to set up basic authentication as a
backup to NTLM (configured after the NTLM auth config), and give those
people a special type of user/pass for internet access.
Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
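The snippet from the thread reordered along the lines Amos describes, as an added example that is not part of the original exchange; the non_domain_hosts subnet, the localhost ACL and the trailing default refresh_pattern are assumptions:

```conf
# Added example, not from the thread. The 10.20.0.0/16 range is an assumed
# placeholder for the hosts that are not domain members.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
# Basic auth as the fallback for clients that cannot do NTLM; it must follow the NTLM block
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Web Proxy Server
auth_param basic credentialsttl 24 hours

# The old QUERY/no_cache hack replaced by refresh_pattern, placed before the '.' pattern
refresh_pattern (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl update-micro-dom dstdomain .microsoft.com .windowsupdate.com
# Assumed: machines outside the domain live on this subnet
acl non_domain_hosts src 10.20.0.0/255.255.0.0
acl NoAccess proxy_auth baduser
acl AD_Users proxy_auth REQUIRED

http_access allow localhost
http_access allow update-micro-dom
# Tested BEFORE the auth-required ACL, so these hosts are never challenged
http_access allow non_domain_hosts
http_access deny NoAccess
http_access allow AD_Users
# No 'allow all' above it, so this catch-all now actually catches
http_access deny all
```

Anything not matched by the allow lines (including domain users whose NTLM and basic credentials both fail) falls through to the final deny, which is what shows up in access.log when auth is the only path left.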