
Re: Need help in integrating squid and samba

Avinash Rao wrote:
On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries<squid3@xxxxxxxxxxxxx> wrote:
Avinash Rao wrote:
On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries<squid3@xxxxxxxxxxxxx> wrote:
Avinash Rao wrote:
---------- Forwarded message ----------
From: Avinash Rao <avinash.aol@xxxxxxxxx>
Date: Tue, Sep 8, 2009 at 11:13 AM
Subject: Re: Fwd:  Need help in integrating squid and samba
To: Amos Jeffries <squid3@xxxxxxxxxxxxx>
Cc: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>,
squid-users@xxxxxxxxxxxxxxx




On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Avinash Rao wrote:
On 8/31/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
Avinash Rao wrote:

On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
<henrik@xxxxxxxxxxxxxxxxxxx
<mailto:henrik@xxxxxxxxxxxxxxxxxxx>> wrote:
 Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
 > I couldn't find any document that shows me how to enable wb_info for squid.
 > Can anybody help me?

 external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl

 acl group1 external NT_Group group1


 then use group1 whenever you want to match users belonging to that Windows group.

 Regards
 Henrik


Hi Henrik,

I have used the following in my squid.conf

external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl group1 external NT_Group staff
acl net time M T W T F S S 9:00-18:00
http_access allow net

On my linux server, I have created a group called staff and made a couple of users a member of this group called staff. My intention is to provide access to users belonging to group staff on all days from morning 9am - 7PM. The rest should be denied.
But this didn't work, when the Samba users login from a winxp client, it doesn't get access to internet at all.
There is no http_access line making any use of ACL "group1"

And _everybody_ (me included on this side of the Internet) is allowed to use your proxy between 9am and 6pm.


Amos
Thanks for the reply. Yes, I missed http_access allow group1
I didn't understand your second statement, are you telling me that I should deny access to net?
You should combine the ACL with others on an http_access line so that it's limited to who it allows.

This:
 acl net time M T W T F S S 9:00-18:00
 http_access allow net

simply says "all requests are allowed between time X and Y".
Without additional controls, ie on IP address making the request, you end up with an open proxy.

Amos
Dear Amos,

I am still not able to get this working.  Here's what i want to
accomplish. I have WinXP - SP2 clients logging onto the samba domain
and LTSP users. All users use squid proxy. My intention is to control
the samba users from accessing the internet at certain times.

If i don't use the external_acl_type NT_Group as mentioned below, the
squid works properly for all users, even windows and anybody using
squid proxy.

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl group1 external NT_Group group1
I have created a group called staff using net rpc command and I have made all the users using winxp a member of this group staff. So, my acl will look like

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl acl_name external NT_Group staff
http_access allow staff

According to my understanding, it should allow only those samba users which come under the group staff. But that's not happening, squid denies access to the internet.
_when tested_ it should be doing that. Other rules around it have an effect that you may have overlooked.

Then again the group name is case-sensitive. The helper is OS access
permission sensitive, and NTLM auth has difficulties all of its own.


I'll need to see the whole access config to know what's going on. And remind me what version of Squid this is.


Amos
hi,


root@sunbox:/etc/squid# dpkg -l | grep squid
ii  squid          2.6.18-1ubuntu3   Internet object cache (WWW proxy cache)
ii  squid-common   2.6.18-1ubuntu3   Internet object cache (WWW proxy cache) - co

squid.conf

visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
use:  cache deny QUERY

hosts_file /etc/hosts
http_port 10.10.10.200:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl staffgroup external NT_Group staff

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80                # http
acl Safe_ports port 21                # ftp
acl Safe_ports port 443 563           # https, snews
acl Safe_ports port 70                # gopher
acl Safe_ports port 210               # wais
acl Safe_ports port 1025-65535        # unregistered ports
acl Safe_ports port 280               # http-mgmt
acl Safe_ports port 488               # gss-http
acl Safe_ports port 591               # filemaker
acl Safe_ports port 631               # cups
acl Safe_ports port 777               # multiling http
acl Safe_ports port 901               # SWAT
acl Safe_ports port 993               # IMAP
acl Safe_ports port 587               # SMTP
acl Safe_ports port 22                # SSH
acl purge method PURGE
acl special_urls url_regex "/etc/squid/squid-noblock.acl"
acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
File extensions?
 --> use urlpath_regex -i \.(mp3|exe|zip)(\?.*)?$


acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
So "prexel.com" is a bad URL?

Be VERY careful with regex matching. Avoid where possible.

The mp3/mp4/exe bits can be moved to the bad extension list.

The youtube and orkut stuff should be a dstdomain ACL type with a wildcard
list of their domains:  dstdomain .youtube.com .yimg.com

(I'm not sure what the full range of orkut domains are).

acl lan src 192.168.1.0 10.10.10.0/24
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
cache_mem 100 MB
#redirect_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf
ident_lookup_access allow all
http_access allow staffgroup
For testing I hope. Okay, so staffgroup should have unlimited proxy access from anywhere in the world, if they happen to send their login information to random machines (including Squid) without being asked to.

I think you need to try:

 acl authUsers proxy_auth REQUIRED
 http_access deny !authUsers
 http_access allow staffgroup

You also need a set of auth_param settings to actually retrieve the login
details. wbinfo does not work without them.


Also, check the default user your Squid runs under is properly a member of
the winbind group in the OS security settings.
wbinfo requires access to the winbind data which gets dynamically created,
so hacking around with chown does not work.

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access allow special_urls
http_access deny extndeny download
The above line merely doubles the server CPU load from the extndeny regex test.

The one below does the same thing for non-"download" stuff.

http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
Well, the two lines above really should be the first two http_access lines in the config. They catch a huge amount of bad requests in a very efficient way.

http_access deny badurl
http_access deny malware_block_list
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid


Thanks
Avinash
Amos
--
Please be using
 Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
 Current Beta Squid 3.1.0.13




Thanks again, I will go through this and let you know the results.

Regards,
Avinash

After all that I forgot to say now to link the staffgroup and net ACLs.

Not difficult though:
  acl net time 9:00-18:00
  http_access allow net staffgroup

(assuming you did want the access limited 7 days a week)
If only specific days were wanted, note that the day codes are written as a single word, SMTWHFA etc (no spaces), and also H = Thursday and A = Saturday.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
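Added example, not from the thread and not Squid's own code: a small Python model of how http_access lines are evaluated (first matching line wins, the ACLs on one line are ANDed, `!` negates, and time ACL day letters run SMTWHFA with H = Thursday and A = Saturday). The group table standing in for wbinfo_group.pl, the user names and the request details are constructed; it shows why the original `http_access allow net` admits anyone during the hours and how the `deny !authUsers` / `allow net staffgroup` pairing closes that.

```python
from datetime import datetime

# Squid time-ACL day letters S M T W H F A = Sun..Sat (H = Thursday, A = Saturday),
# arranged so the string index equals Python's weekday() (Mon=0 .. Sun=6).
DAY_CODES = "MTWHFAS"
# Constructed stand-in for the wbinfo_group.pl lookup: user -> Windows groups.
GROUPS = {"alice": {"staff"}, "bob": {"guests"}}

def time_acl(spec, when):
    """Match 'MTWHF 9:00-18:00' or just '9:00-18:00' (every day) against `when`."""
    parts = spec.split()
    days = parts[0] if len(parts) == 2 else DAY_CODES
    start, end = (tuple(int(x) for x in t.split(":")) for t in parts[-1].split("-"))
    return DAY_CODES[when.weekday()] in days and start <= (when.hour, when.minute) < end

def acl_matches(name, acls, req):
    kind, arg = acls[name]
    if kind == "src":
        return req["ip"].startswith(arg)             # crude prefix match suffices here
    if kind == "time":
        return time_acl(arg, req["when"])
    if kind == "proxy_auth":                         # REQUIRED: any authenticated user
        return req.get("user") is not None
    if kind == "external":                           # NT_Group helper stand-in
        return arg in GROUPS.get(req.get("user"), set())
    raise ValueError(kind)

def http_access(rules, acls, req):
    """First line whose ACLs all match decides ('!' negates one ACL); if no line
    matches, Squid applies the opposite of the last line's action."""
    for action, names in rules:
        if all(acl_matches(n.lstrip("!"), acls, req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

ACLS = {
    "net": ("time", "9:00-18:00"),                   # every day, as in the thread
    "weekdays": ("time", "MTWHF 9:00-18:00"),        # day codes written as one word
    "authUsers": ("proxy_auth", "REQUIRED"),
    "staffgroup": ("external", "staff"),
    "all": ("src", ""),
}
# As first posted: anyone reaching the proxy during the hours is allowed.
OPEN_PROXY = [("allow", ["net"]), ("deny", ["all"])]
# Amos's shape: require authentication, then allow staff only during the hours.
FIXED = [("deny", ["!authUsers"]), ("allow", ["net", "staffgroup"]), ("deny", ["all"])]
WEEKDAYS_ONLY = [("deny", ["!authUsers"]), ("allow", ["weekdays", "staffgroup"]), ("deny", ["all"])]

def decide(rules, user, ip, when_iso):
    """Evaluate one constructed request; when_iso looks like '2009-09-08T10:00'."""
    req = {"user": user, "ip": ip, "when": datetime.fromisoformat(when_iso)}
    return http_access(rules, ACLS, req)
```

With the rule sets above, an anonymous request from outside the LAN at 10:00 on a Tuesday is allowed by OPEN_PROXY and denied by FIXED, while a staff member is allowed only inside the hours.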
