
Re: Squid + Webmarshal

Harley Jackson Willmott wrote:
2009/7/29 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
Harley Jackson Willmott wrote:
2009/7/28 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
Harley Jackson Willmott wrote:
2009/7/27 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On Mon, 27 Jul 2009 13:50:24 +1000, Harley Jackson Willmott
<open.harley@xxxxxxxxx> wrote:
Hey all.

I've done lots of searching and haven't been able to find examples of
this particular scenario so I'm putting it to you guys for help.

Basically, my boss has me setting up a Squid server for our company's
primarily Microsoft-based network (We use Active Directory). We've
already got a proxy server set up running Webmarshal. Webmarshal takes
care of all the filtering stuff based on Active Directory membership.

I'm implementing a Squid server to both cache (obviously) and to
throttle certain users using delay pools.

The original plan was to have Squid in front of Webmarshal, which
means Squid needs to be able to pass the AD credentials to Webmarshal.
The server itself is running Ubuntu 9.04 Server with
Squid-3.0.STABLE16 compiled with buckets enabled and is joined to our
AD domain through Likewise-Open. I'd like to create ACLs based on
user/group membership in AD, but IPs are fine if that isn't possible.
The main thing is that I -need- the credentials passed to Webmarshal
so that the user isn't prompted to enter their username and password
into their browser (this is how it acts prior to pointing it to
Squid).

Is this possible with my version of Squid? I've been trying to follow
examples and documentation on the web, but frequently run into
conflicting and/or outdated information. If so, can someone help me
out with an example or something? If not, should I just be putting
Squid behind Webmarshal?
Behind would be the quickest fix.

Or you could go the whole way and configure Squid AD authentication with
groups access control to completely replace Webmarshal. Squid bundles a
few external ACL helpers that check group access. The rest is up to how
you set the access controls.

Amos


Thanks, Amos, I mulled it over a bit and talked to the boss and we've
put Squid in front of Webmarshal

I got Squid up and running but was getting a massive headache trying
to make it pass credentials to Webmarshal. The problem was revealed to
me by another thread on this mailing list that mentioned this would
only work in 2.7 and 3.1, whereas I've been using 3.0. I compiled 2.7
and it passes credentials to Webmarshal fine now! Delay pools are
working great too (it's funny being happy about seeing the internet
moving slowly).
However, I'm faced with another problem. I still need to set up ACLs
in Squid that are based on Active Directory groups. The box is in our
domain with Samba and Winbind and wbinfo, wbinfo_group.pl and
ntlm_auth all work flawlessly.
Unfortunately, after I add the lines for ntlm authentication, my
browser (even IE) prompts me for username and password a few times and
then sends me to a Cache Access Denied page. My access.log also does
not show any usernames/groups.

I've played around with the lines a bit but here is how they stand at
the moment:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm mushmusic
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl authedusers proxy_auth REQUIRED
http_access allow authedusers

Any advice?
Cheers :)
You also need persistent connections enabled, and connection-auth= flags on
any cache_peer lines.

http://www.squid-cache.org/Versions/v2/2.7/cfgman/
See these settings:
  * client_persistent_connections
  * server_persistent_connections
  * persistent_connection_after_error
  * detect_broken_pconn


Amos
--
Please be using
 Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
 Current Beta Squid 3.1.0.12

Thanks again! I managed to get ntlm_auth working, with ACLs based on
the user's AD groups to decide different bucket sizes and speeds
without the browser prompting.
I had disabled the passing of credentials to Webmarshal beforehand to
isolate what I was working on and now that I've gotten ntlm_auth
working, I re-enabled it. Unfortunately, I am prompted for credentials
again. This time, however, entering the credentials seems to work (as
opposed to just prompting me over and over again before).

If I'm _only_ passing credentials or _only_ authenticating for Squid,
then everything works swimmingly. However, having both at once causes
it to prompt the user at the browser. Can I only have one or the other
or is there a solution that allows Squid to authenticate as well as
pass creds to Webmarshal?

Cheers
Harley
At a guess I'd say the Webmarshal is not finding the NTLM token passed back
enough and kicking off its own challenge sequence.

Maybe the all-hack will work here....

Setting "all" ACL as the last on each authentication line causes Squid to
not send the auth challenge. This breaks any deny lines, but if the auth is
only on "allow" stuff it can work.

NP: You will also have to create a category for non-authenticated requests,
which are prior to the Webmarshal challenge but MUST still go through to get
the auth challenge happening.

Amos
--
Please be using
 Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
 Current Beta Squid 3.1.0.12


I have to admit I'm a little confused. Still very new to Squid and I'm
not entirely sure what you mean :P Particularly the category part and
what goes where.

Sorry, I thought you were making different levels of delay pools for different groups. What I said is irrelevant under the config you showed


This is how my current config stands, if that helps:

---
access_log /opt/squid/var/logs/access.log squid

http_port 3128
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error on
detect_broken_pconn on
icp_port 3130

visible_hostname tmg04

acl CONNECT method CONNECT
acl all src 0/0

Use:  acl all src all
I'm not sure right now what Squid-2 does with "0/0", but in early Squid-3 the result was not sane.


auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp all
auth_param ntlm children 30 all
auth_param ntlm keep_alive on all

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic all
auth_param basic children 5 all
auth_param basic realm mushmusic all
auth_param basic credentialsttl 2 hours all
auth_param basic casesensitive off all

Um no. Sorry, I was a bit tired earlier and wasn't clear. Should have added "http_access" to my statement somehow.

Remove the 'all's from the above. :)


external_acl_type ad_group %LOGIN /opt/squid/libexec/wbinfo_group.pl
acl girly external ad_group girl
http_access allow girly

I mean making the above:
  http_access allow girly all

http_access allow all

That will let the whole Internet use the proxy if they can find a route there. Best to define what ranges are acceptable and:
  http_access allow localnet
  http_access deny all


cache_effective_user squid

delay_pools 1
delay_class 1 2
delay_parameters 1 8000/128000 8000/128000

By themselves these pool everybody based on IP.


cache_peer 192.168.5.11 parent 8085 0 no-query default login=PASS
never_direct allow all
---

There's obvious stuff not in, to do with caching, etc., but I'm worrying
about that later as it's trivial (IMO) compared to getting it working
with Microsoft's crazy old systems.

Harley

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
  Current Beta Squid 3.1.0.12
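For reference, here is Harley's posted fragment with Amos's corrections from this thread applied (the "all" suffix moved from auth_param onto the http_access lines, `acl all src all`, a localnet range in place of `allow all`, per-group delay pools, and connection-auth on the parent). This is an added example assembled by the editor, not a config posted in the thread; the localnet range, the second AD group "staff", and pool 2's rates are assumed placeholders.

```conf
# Added example, not from the thread: Squid 2.7 squid.conf assembled from
# Harley's fragment plus Amos's fixes. The localnet range, the second AD
# group "staff" and pool 2's rates are assumed placeholders.
http_port 3128
visible_hostname tmg04

# NTLM pass-through to the parent needs persistent connections on both sides.
client_persistent_connections on
server_persistent_connections on
persistent_connection_after_error on
detect_broken_pconn on

# auth_param lines take no ACL names; the "all" trick belongs on http_access.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm mushmusic
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

external_acl_type ad_group %LOGIN /opt/squid/libexec/wbinfo_group.pl
acl all src all
acl localnet src 192.168.5.0/24
acl girly external ad_group girl
acl staff external ad_group staff

# A trailing "all" stops Squid sending its own 407 when the group lookup
# fails, leaving the challenge to Webmarshal. Unauthenticated LAN requests
# must still pass so that challenge can happen; everyone else is refused.
http_access allow girly all
http_access allow staff all
http_access allow localnet
http_access deny all

# One class-2 pool (aggregate bucket plus per-host bucket) per AD group.
delay_pools 2
delay_class 1 2
delay_parameters 1 8000/128000 8000/128000
delay_access 1 allow girly
delay_access 1 deny all
delay_class 2 2
delay_parameters 2 32000/512000 16000/256000
delay_access 2 allow staff
delay_access 2 deny all

# Forward the client's credentials and pin the NTLM connection to the parent.
cache_peer 192.168.5.11 parent 8085 0 no-query default login=PASS connection-auth=on
never_direct allow all
```

Check the result with `squid -k parse -f /path/to/squid.conf` before reloading, and confirm in access.log that usernames now appear for requests matched by the group ACLs.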
