Avinash Rao wrote:
On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries<squid3@xxxxxxxxxxxxx> wrote:
Avinash Rao wrote:
---------- Forwarded message ----------
From: Avinash Rao <avinash.aol@xxxxxxxxx>
Date: Tue, Sep 8, 2009 at 11:13 AM
Subject: Re: Fwd: Need help in integrating squid and samba
To: Amos Jeffries <squid3@xxxxxxxxxxxxx>
Cc: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>,
squid-users@xxxxxxxxxxxxxxx
On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Avinash Rao wrote:
On 8/31/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Avinash Rao wrote:
On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
> I couldn't find any document that shows me how to enable wb_info for squid.
> Can anybody help me?
external_acl_type NT_Group %LOGIN
/usr/local/squid/libexec/wbinfo_group.pl
acl group1 external NT_Group group1
then use group1 whenever you want to match users belonging to that Windows group.
Regards
Henrik
Hi Henrik,
I have used the following in my squid.conf
external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl group1 external NT_Group staff
acl net time M T W T F S S 9:00-18:00
http_access allow net
On my Linux server, I have created a group called staff and made a couple of users a member of this group called staff. My intention is to provide access to users belonging to group staff on all days from morning 9am - 7PM. The rest should be denied.
But this didn't work: when the Samba users log in from a WinXP client, they don't get access to the internet at all.
There is no http_access line making any use of ACL "group1".
And _everybody_ (me included on this side of the Internet) is allowed to use your proxy between 9am and 6pm.
Amos
Thanks for the reply, yeah, I missed http_access allow group1.
I didn't understand your second statement; are you telling me that I should deny access to net?
You should combine the ACL with others on an http_access line so that it's limited to who it allows.
This:
acl net time M T W T F S S 9:00-18:00
http_access allow net
simply says "all requests are allowed between time X and Y".
Without additional controls, i.e. on the IP address making the request, you end up with an open proxy.
Amos
Dear Amos,
I am still not able to get this working. Here's what I want to accomplish. I have WinXP SP2 clients logging onto the Samba domain and LTSP users. All users use the Squid proxy. My intention is to control the Samba users from accessing the internet at certain times.
If I don't use the external_acl_type NT_Group as mentioned below, Squid works properly for all users, even Windows and anybody using the Squid proxy.
external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl group1 external NT_Group group1
I have created a group called staff using the net rpc command and I have made all the users using WinXP a member of this group staff. So, my acl will look like
external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl acl_name external NT_Group staff
http_access allow staff
According to my understanding, it should allow only those Samba users which come under the group staff. But that's not happening, Squid denies access to the internet.
_when tested_ it should be doing that. Other rules around it have an effect that you may have overlooked.
Then again the group name is case-sensitive. The helper is OS access permission sensitive, and NTLM auth has difficulties all of its own.
I'll need to see the whole access config to know what's going on. And remind me what version of Squid this is.
Amos
Hi,
root@sunbox:/etc/squid# dpkg -l | grep squid
ii squid 2.6.18-1ubuntu3
Internet object cache (WWW proxy cache)
ii squid-common 2.6.18-1ubuntu3
Internet object cache (WWW proxy cache) - co
squid.conf
visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
use: cache deny QUERY
hosts_file /etc/hosts
http_port 10.10.10.200:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl staffgroup external NT_Group staff
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 993 # IMAP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 22 # SSH
acl purge method PURGE
acl special_urls url_regex "/etc/squid/squid-noblock.acl"
acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
File extensions?
--> use urlpath_regex -i \.(mp3|exe|zip)(\?.*)?$
acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
So "prexel.com" is a bad URL?
Be VERY careful with regex matching. Avoid where possible.
The mp3/mp4/exe bits can be moved to the bad extension list.
The youtube and orkut stuff should be a dstdomain ACL type with a
wildcard list of their domains: dstdomain .youtube.com .yimg.com
(I'm not sure what the full range of orkut domains are).
acl lan src 192.168.1.0 10.10.10.0/24
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
cache_mem 100 MB
#redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
ident_lookup_access allow all
http_access allow staffgroup
For testing I hope. Okay, so staffgroup should have unlimited proxy access from anywhere in the world. If they happen to send their login information to random machines (including Squid) without being asked to.
I think you need to try:
acl authUsers proxy_auth REQUIRED
http_access deny !authUsers
http_access allow staffgroup
You also need a set of auth_param settings to actually retrieve the
login details. wbinfo does not work without them.
Also, check the default user your Squid runs under is properly a member
of the winbind group in the OS security settings.
wbinfo requires access to the winbind data which gets dynamically
created, so hacking around with chown does not work.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access allow special_urls
http_access deny extndeny download
The above line merely doubles the server CPU load from the extndeny
regex test.
The one below does the same thing for non-"download" stuff.
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Well, the two lines above really should be the first two http_access
lines in the config. They catch a huge amount of bad requests in a very
efficient way.
http_access deny badurl
http_access deny malware_block_list
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
Thanks
Avinash
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
Current Beta Squid 3.1.0.13
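Pulling the advice in this thread together, here is an added squid.conf fragment (not posted by anyone in the thread) that shows the weak rules next to the corrected ordering: the Safe_ports/CONNECT denials first, authentication required before the winbind group ACL is consulted, and no unrestricted time or group allow. The auth_param lines use Samba's ntlm_auth helper; the helper paths and the 10.10.10.0/24 LAN range are assumptions based on the setup described above.

```conf
# Added example assembled from the thread's recommendations (Squid 2.6 syntax).
# Assumed paths: ntlm_auth in /usr/bin, wbinfo_group.pl under /usr/lib/squid.

# Authentication: Squid must obtain %LOGIN before wbinfo_group.pl can check it.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Group lookup via winbind. The user Squid runs as must be a member of the
# winbind (winbindd_privileged) group; chown on the pipe does not survive restarts.
external_acl_type NT_Group ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl staffgroup external NT_Group staff

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 10.10.10.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 631 777
acl CONNECT method CONNECT
acl authUsers proxy_auth REQUIRED
# No day list = every day. Squid's day letters are S M T W H F A, so the
# thread's "M T W T F S S" never matched Thursday (H) or Saturday (A).
acl workhours time 9:00-18:00

# Cheap protocol sanity checks first, as Amos recommends.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager

# Weak rules from the thread (kept commented as the "before"): an open proxy
# between 9:00 and 18:00, and a group allow with no source or auth restriction.
#   acl net time M T W T F S S 9:00-18:00
#   http_access allow net
#   http_access allow staffgroup

# Corrected: LAN clients only, authenticated only, staff only, working hours only.
http_access deny !lan
http_access deny !authUsers
http_access allow staffgroup workhours
http_access deny all
```

The `deny !authUsers` line is what triggers the 407 challenge; without it the external ACL receives an empty %LOGIN and every staffgroup check fails, which matches the symptom reported in the thread.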