On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Avinash Rao wrote:
>>
>> On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>> wrote:
>>>
>>> Avinash Rao wrote:
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Avinash Rao <avinash.aol@xxxxxxxxx>
>>>> Date: Tue, Sep 8, 2009 at 11:13 AM
>>>> Subject: Re: Fwd: Need help in integrating squid and samba
>>>> To: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>>>> Cc: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>,
>>>> squid-users@xxxxxxxxxxxxxxx
>>>>
>>>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx>
>>>> wrote:
>>>>>
>>>>> Avinash Rao wrote:
>>>>>>
>>>>>> On 8/31/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>>>
>>>>>>> Avinash Rao wrote:
>>>>>>>
>>>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
>>>>>>>> <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>> Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
>>>>>>>> > I couldn't find any document that shows me how to enable wb_info
>>>>>>>> for squid.
>>>>>>>> > Can anybody help me?
>>>>>>>>
>>>>>>>> external_acl_type NT_Group %LOGIN
>>>>>>>> /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>>>
>>>>>>>> acl group1 external NT_Group group1
>>>>>>>>
>>>>>>>> then use group1 whenever you want to match users belonging to that
>>>>>>>> Windows group.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Henrik
>>>>>>>>
>>>>>>>> Hi Henrik,
>>>>>>>>
>>>>>>>> I have used the following in my squid.conf
>>>>>>>>
>>>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>>>>>>> acl group1 external NT_Group staff
>>>>>>>>
>>>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>>>> http_access allow net
>>>>>>>>
>>>>>>>> On my linux server, I have created a group called staff and made a
>>>>>>>> couple of users a member of this group called staff. My intention is
>>>>>>>> to provide access to users belonging to group staff on all days from
>>>>>>>> morning 9am - 7PM. The rest should be denied.
>>>>>>>>
>>>>>>>> But this didn't work, when the Samba users login from a winxp
>>>>>>>> client, it doesn't get access to internet at all.
>>>>>>>
>>>>>>> There is no http_access line making any use of ACL "group1"
>>>>>>>
>>>>>>> And _everybody_ (me included on this side of the Internet) is allowed
>>>>>>> to use your proxy between 9am and 6pm.
>>>>>>>
>>>>>>> Amos
>>>>>>
>>>>>> Thanks for the reply, Ya I missed http_access allow group1
>>>>>> I didn't understand your second statement, are you telling me that I
>>>>>> should deny access to net?
>>>>>
>>>>> You should combine the ACL with others on an http_access line so that
>>>>> it's limited to who it allows.
>>>>>
>>>>> This:
>>>>> acl net time M T W T F S S 9:00-18:00
>>>>> http_access allow net
>>>>>
>>>>> simply says "all requests are allowed between time X and Y".
>>>>> Without additional controls, i.e. on IP address making the request, you
>>>>> end up with an open proxy.
>>>>>
>>>>> Amos
>>>>
>>>> Dear Amos,
>>>>
>>>> I am still not able to get this working. Here's what I want to
>>>> accomplish. I have WinXP - SP2 clients logging onto the samba domain
>>>> and LTSP users. All users use squid proxy. My intention is to control
>>>> the samba users from accessing the internet at certain times.
>>>>
>>>> If I don't use the external_acl_type NT_Group as mentioned below, the
>>>> squid works properly for all users, even windows and anybody using
>>>> squid proxy.
>>>>
>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>> acl group1 external NT_Group group1
>>>> I have created a group called staff using net rpc command and I
>>>> have made all the users using winxp a member of this group staff. So,
>>>> my acl will look like
>>>>
>>>> external_acl_type NT_Group %LOGIN
>>>> /usr/local/squid/libexec/wbinfo_group.pl
>>>> acl acl_name external NT_Group staff
>>>> http_access allow staff
>>>>
>>>> According to my understanding, it should allow only those samba users
>>>> which come under the group staff. But that's not happening, squid
>>>> denies access to the internet.
>>>
>>> _when tested_ it should be doing that. Other rules around it have an
>>> effect that you may have overlooked.
>>>
>>> Then again the group name is case-sensitive. The helper is OS access
>>> permission sensitive, and NTLM auth has difficulties all of its own.
>>>
>>> I'll need to see the whole access config to know what's going on. And
>>> remind me what version of Squid this is.
>>>
>>> Amos
>>
>> hi,
>>
>> root@sunbox:/etc/squid# dpkg -l | grep squid
>> ii squid 2.6.18-1ubuntu3
>> Internet object cache (WWW proxy cache)
>> ii squid-common 2.6.18-1ubuntu3
>> Internet object cache (WWW proxy cache) - co
>>
>> squid.conf
>>
>> visible_hostname sunbox
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>
> use: cache deny QUERY
>
>> hosts_file /etc/hosts
>> http_port 10.10.10.200:3128
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>> acl staffgroup external NT_Group staff
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443 563
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 631 # cups
>> acl Safe_ports port 777 # multiling http
>> acl Safe_ports port 901 # SWAT
>> acl Safe_ports port 993 # IMAP
>> acl Safe_ports port 587 # SMTP
>> acl Safe_ports port 22 # SSH
>> acl purge method PURGE
>> acl special_urls url_regex "/etc/squid/squid-noblock.acl"
>> acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
>
> File extensions?
> --> use urlpath_regex -i \.(mp3|exe|zip)(\?.*)?$
>
>> acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
>> acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
>
> So "prexel.com" is a bad URL?
>
> Be VERY careful with regex matching. Avoid where possible.
>
> The mp3/mp4/exe bits can be moved to the bad extension list.
>
> The youtube and orkut stuff should be a dstdomain ACL type with a wildcard
> list of their domains: dstdomain .youtube.com .yimg.com
>
> (I'm not sure what the full range of orkut domains are).
>
>> acl lan src 192.168.1.0 10.10.10.0/24
>> acl stud ident_regex babu
>> acl download method GET
>> acl CONNECT method CONNECT
>> cache_mem 100 MB
>> #redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>> ident_lookup_access allow all
>> http_access allow staffgroup
>
> For testing I hope. Okay, so staffgroup should have unlimited proxy access
> from anywhere in the world. If they happen to send their login information
> to random machines (including Squid) without being asked to.
>
> I think you need to try:
>
> acl authUsers proxy_auth REQUIRED
> http_access deny !authUsers
> http_access allow staffgroup
>
> You also need a set of auth_param settings to actually retrieve the login
> details. wbinfo does not work without them.
>
> Also, check the default user your Squid runs under is properly a member of
> the winbind group in the OS security settings.
> wbinfo requires access to the winbind data which gets dynamically created,
> so hacking around with chown does not work.
>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow purge localhost
>> http_access allow special_urls
>> http_access deny extndeny download
>
> The above line merely doubles the server CPU load from the extndeny regex
> test.
>
> The one below does the same thing for non-"download" stuff.
>
>> http_access deny extndeny
>> http_access deny purge
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>
> Well, the two lines above really should be the first two http_access lines
> in the config. They catch a huge amount of bad requests in a very efficient
> way.
>
>> http_access deny badurl
>> http_access deny malware_block_list
>> deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
>> http_access allow localhost
>> http_access allow lan
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> coredump_dir /var/spool/squid
>>
>> Thanks
>> Avinash
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
> Current Beta Squid 3.1.0.13
>

Thanks again, I will go through this and let you know the results.

Regards,
Avinash
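The access layout Amos describes above (cheap port checks first, a login required before the winbind group helper is consulted, the group ACL combined with source and time restrictions, then a final deny) assembled into one squid.conf fragment. This is an added example, not a config posted in the thread; the ntlm_auth helper lines, the /24 on the 192.168.1.0 network and the winbindd_priv group name are assumptions for a Squid 2.6 host running alongside Samba, and the day letters follow Squid's documented time ACL syntax.

```conf
# Added example (not from the thread): access section for Squid 2.6 + Samba.
# Assumes ntlm_auth from Samba is at /usr/bin/ntlm_auth (assumed path).

# Authentication: wbinfo_group.pl can only be asked about a login that Squid
# has actually collected, so auth_param comes first. The squid user must be a
# member of winbind's privileged group (winbindd_priv on Debian/Ubuntu, assumed
# here) rather than chown'ing the winbind pipe.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl staffgroup external NT_Group staff      # group name is case-sensitive
acl authUsers proxy_auth REQUIRED

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 10.10.10.0/24 192.168.1.0/24    # /24 on the second net is assumed
acl manager proto cache_object
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 631 777 901 993 587 22
acl CONNECT method CONNECT

# Squid spells the week S M T W H F A (H = Thursday, A = Saturday);
# "M T W T F S S" never matches Thursday or Saturday.
acl worktime time SMTWHFA 9:00-18:00

# 1. Protocol sanity checks first: cheapest tests, most junk rejected.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow localhost

# 2. Only LAN clients get a login prompt; nobody anonymous reaches the helper.
http_access deny !lan
http_access deny !authUsers

# 3. Staff browse only during working hours; every other request is denied.
http_access allow staffgroup worktime
http_access deny all
```

Because http_access is first-match, a bare `http_access allow net` on a time ACL placed before these lines would still open the proxy to anyone; the time ACL only restricts when it is combined on the same line as the group ACL.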