Re: squid group authentication and dansguardian

Kevin Kimani wrote:
Hi guys,

I am having a system running Squid that authenticates users from the
Active Directory. Squid is version 2.6 STABLE6 running on CentOS 5.1.
It authenticates users according to the various groups that have been
defined in the Active Directory. If I run Squid directly, it
authenticates users according to their groups, but in the case of
implementing DansGuardian, which is to act as a guard, the
authentication of groups fails miserably. But if I just authenticate
everyone from the AD, it works well, only it doesn't log the
usernames but the IP addresses of the users.
#MY CHANGES-------------------------------------------------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
##END HERE--------------------------------------------------------------------

external_acl_type wbinfo_group_helper %LOGIN /usr/lib/squid/wbinfo_group.pl

##MY CHANGES-----------------------
acl my_network src 10.1.0.0/20
acl ntlm_users proxy_auth REQUIRED
acl usergroup1 external wbinfo_group_helper internetusers
acl group1 external wbinfo_group_helper directorsinternet seniormanagers itinternet auditandsystem
acl group2 external wbinfo_group_helper hrinternet financeinternet citinternet guardinginternet securitysystems salesandmarketing transportinternet
acl user1_ports port 21 25 80 110 443 10000
acl user2_ports port 21 25 80 110 443
acl user3 port 80 443

Squid's http_access rules work on a first-match basis, so...

http_access allow usergroup1

"usergroup1" can surf to anywhere on any port with no restrictions at all.

http_access allow my_network

Now anyone with a source address in 10.1.0.0/20 can do the same. Luckily, since all traffic is coming from DansGuardian on localhost, this will never match.

http_access allow localhost
http_access allow ntlm_users
#http_access deny manager
http_access allow group1 user1_ports
http_access allow group2 user2_ports
# And finally deny all other access to this proxy
http_access allow SSL_ports

Sweet! Open proxy (for traffic destined for port 443, at least).

http_access deny !Safe_ports
http_access deny all

I'd strongly recommend reviewing the FAQ section on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).

##---------------------------------

for Dansguardian

filterip = 10.1.0.81

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 10.1.0.81

# the port DansGuardian connects to proxy on
proxyport = 3128

# Auth plugins
# These replace the usernameidmethod* options in previous versions. They
# handle the extraction of client usernames from various sources, such as
# Proxy-Authorisation headers and ident servers, enabling requests to be
# handled according to the settings of the user's filter group.
# Multiple plugins can be specified, and will be queried in order until one
# of them either finds a username or throws an error. For example, if Squid
# is configured with both NTLM and Basic auth enabled, and both the 'proxy-basic'
# and 'proxy-ntlm' auth plugins are enabled here, then clients which do not support
# NTLM can fall back to Basic without sacrificing access rights.
#
# If you do not use multiple filter groups, you need not specify this option.
#
#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-basic.conf'
#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-digest.conf'
authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-ntlm.conf'
#authplugin = '/usr/local/etc/dansguardian/authplugins/ident.conf'
#authplugin = '/usr/local/etc/dansguardian/authplugins/ip.conf'

These are my ACLs. They work in my small testing environment, but when
I try to implement them in the client's environment, they just refuse
to work. Could someone please help?

I'd suggest (once you have your Squid ACLs working for a stand-alone Squid install), implementing DG as a parent proxy to Squid. Then again, I'm not familiar with DG, and have no idea of its capabilities with regards to authentication.

Chris
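The first-match behaviour Chris describes is easy to check by replaying the posted http_access order against a few requests. The following is an added example, not code from the thread or from Squid: a small Python model of http_access evaluation with an ACL table mirroring the names in the posted squid.conf. Assumptions: Safe_ports and SSL_ports use Squid's stock definitions (they are not in the excerpt); wbinfo_group_helper is treated as matching when the login belongs to any of the listed groups; the 407 challenge flow is not modelled, so a request carrying no proxy credentials simply fails to match the proxy_auth and group ACLs; the "tightened" order is my suggestion, not a recommendation from the thread; the client requests are constructed test input.

```python
"""
Added example (not from the original thread): a minimal model of Squid's
first-match http_access evaluation, replaying the posted rule order and a
tightened order to show which requests each one lets through.
Assumptions: stock Safe_ports/SSL_ports, no 407 challenge flow (no
credentials => auth/group ACLs do not match), constructed requests.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Stock Squid definitions (assumed; not present in the posted excerpt).
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}


class Request:
    """One client request as seen by Squid (constructed test input)."""

    def __init__(self, src: str, port: int, method: str = "GET",
                 user: Optional[str] = None, groups: Tuple[str, ...] = ()):
        self.src = ip_address(src)
        self.port = port
        self.method = method
        self.user = user            # None = no proxy credentials supplied
        self.groups = set(groups)   # AD groups wbinfo_group.pl would report


def group_acl(*wanted: str) -> Callable[[Request], bool]:
    """external wbinfo_group_helper <groups>: login is in any listed group."""
    return lambda r: r.user is not None and bool(r.groups & set(wanted))


def port_acl(*ports: int) -> Callable[[Request], bool]:
    return lambda r: r.port in ports


# ACL table mirroring the names used in the posted squid.conf.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "all": lambda r: True,
    "localhost": lambda r: r.src == ip_address("127.0.0.1"),
    "my_network": lambda r: r.src in ip_network("10.1.0.0/20"),
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port in SSL_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "ntlm_users": lambda r: r.user is not None,          # proxy_auth REQUIRED
    "usergroup1": group_acl("internetusers"),
    "group1": group_acl("directorsinternet", "seniormanagers",
                        "itinternet", "auditandsystem"),
    "group2": group_acl("hrinternet", "financeinternet", "citinternet",
                        "guardinginternet", "securitysystems",
                        "salesandmarketing", "transportinternet"),
    "user1_ports": port_acl(21, 25, 80, 110, 443, 10000),
    "user2_ports": port_acl(21, 25, 80, 110, 443),
}

Rule = Tuple[str, List[str]]   # ("allow" | "deny", ["acl", "!acl", ...])


def http_access(rules: List[Rule], req: Request) -> str:
    """First-match semantics: every ACL on a line must match for the line to
    fire, and the first firing line decides. If no line fires, Squid applies
    the opposite of the last line's action."""
    for action, terms in rules:
        hit = True
        for term in terms:
            negate = term.startswith("!")
            if ACLS[term.lstrip("!")](req) == negate:   # plain miss or negated hit
                hit = False
                break
        if hit:
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def parse(text: str) -> List[Rule]:
    """Turn 'http_access <action> <acl...>' lines into the rule list."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return rules


# The order from the post: blanket allows sit above the port checks.
POSTED = parse("""
http_access allow usergroup1
http_access allow my_network
http_access allow localhost
http_access allow ntlm_users
http_access allow group1 user1_ports
http_access allow group2 user2_ports
http_access allow SSL_ports
http_access deny !Safe_ports
http_access deny all
""")

# A tightened order (my suggestion, not from the thread): port sanity first,
# then only group-qualified allows, then deny everything else.
TIGHTENED = parse("""
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow usergroup1
http_access allow group1 user1_ports
http_access allow group2 user2_ports
http_access deny all
""")

# Constructed requests: an outsider with no credentials tunnelling to 443, an
# unauthenticated request from the loopback, and an HR user on two ports.
OUTSIDER_443 = Request("192.0.2.10", 443, method="CONNECT")
LOOPBACK_NOAUTH = Request("127.0.0.1", 80)
HR_80 = Request("192.0.2.11", 80, user="hr1", groups=("hrinternet",))
HR_10000 = Request("192.0.2.11", 10000, user="hr1", groups=("hrinternet",))

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("tightened", TIGHTENED)):
        for name, req in (("outsider CONNECT :443", OUTSIDER_443),
                          ("loopback, no auth", LOOPBACK_NOAUTH),
                          ("hr user :80", HR_80), ("hr user :10000", HR_10000)):
            print(f"{label:9} {name:22} -> {http_access(rules, req)}")
```

Running it shows the two things worth taking from Chris's comments: under the posted order an unauthenticated outsider's CONNECT to port 443 is allowed by the `allow SSL_ports` line, and any request from localhost (or any authenticated user, via `allow ntlm_users`) is allowed before the group/port lines are ever consulted, which is why the group restrictions appear not to work. Under the tightened order the same outsider is denied, and the HR user is allowed on 80 but denied on 10000 because only the group-qualified allow lines remain.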

