On Tue, Sep 8, 2009 at 2:49 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Avinash Rao wrote:
>>
>> On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>> Avinash Rao wrote:
>>>>
>>>> On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>
>>>>> Avinash Rao wrote:
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: Avinash Rao <avinash.aol@xxxxxxxxx>
>>>>>> Date: Tue, Sep 8, 2009 at 11:13 AM
>>>>>> Subject: Re: Fwd: Need help in integrating squid and samba
>>>>>> To: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>>>>>> Cc: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>, squid-users@xxxxxxxxxxxxxxx
>>>>>>
>>>>>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>>>
>>>>>>> Avinash Rao wrote:
>>>>>>>>
>>>>>>>> On 8/31/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>>>>>
>>>>>>>>> Avinash Rao wrote:
>>>>>>>>>
>>>>>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
>>>>>>>>>> <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
>>>>>>>>>>
>>>>>>>>>> Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
>>>>>>>>>> > I couldn't find any document that shows me how to enable wb_info for squid.
>>>>>>>>>> > Can anybody help me?
>>>>>>>>>>
>>>>>>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>>>>>
>>>>>>>>>> acl group1 external NT_Group group1
>>>>>>>>>>
>>>>>>>>>> then use group1 whenever you want to match users belonging to that
>>>>>>>>>> Windows group.
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Henrik
>>>>>>>>>>
>>>>>>>>>> Hi Henrik,
>>>>>>>>>>
>>>>>>>>>> I have used the following in my squid.conf
>>>>>>>>>>
>>>>>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>>>>>>>>> acl group1 external NT_Group staff
>>>>>>>>>>
>>>>>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>>>>>> http_access allow net
>>>>>>>>>>
>>>>>>>>>> On my linux server, I have created a group called staff and made a
>>>>>>>>>> couple of users a member of this group called staff. My intention is
>>>>>>>>>> to provide access to users belonging to group staff on all days from
>>>>>>>>>> morning 9am - 7PM. The rest should be denied.
>>>>>>>>>>
>>>>>>>>>> But this didn't work, when the Samba users login from a winxp client,
>>>>>>>>>> it doesn't get access to internet at all.
>>>>>>>>>
>>>>>>>>> There is no http_access line making any use of ACL "group1"
>>>>>>>>>
>>>>>>>>> And _everybody_ (me included on this side of the Internet) is allowed
>>>>>>>>> to use your proxy between 9am and 6pm.
>>>>>>>>>
>>>>>>>>> Amos
>>>>>>>>
>>>>>>>> Thanks for the reply. Ya, I missed http_access allow group1
>>>>>>>> I didn't understand your second statement, are you telling me that I
>>>>>>>> should deny access to net?
>>>>>>>
>>>>>>> You should combine the ACL with others on an http_access line so that
>>>>>>> it's limited to who it allows.
>>>>>>>
>>>>>>> This:
>>>>>>>   acl net time M T W T F S S 9:00-18:00
>>>>>>>   http_access allow net
>>>>>>>
>>>>>>> simply says "all requests are allowed between time X and Y".
>>>>>>> Without additional controls, i.e. on the IP address making the request,
>>>>>>> you end up with an open proxy.
>>>>>>>
>>>>>>> Amos
>>>>>>
>>>>>> Dear Amos,
>>>>>>
>>>>>> I am still not able to get this working. Here's what I want to
>>>>>> accomplish. I have WinXP - SP2 clients logging onto the samba domain
>>>>>> and LTSP users. All users use squid proxy. My intention is to control
>>>>>> the samba users from accessing the internet at certain times.
>>>>>>
>>>>>> If I don't use the external_acl_type NT_Group as mentioned below, the
>>>>>> squid works properly for all users, even windows and anybody using
>>>>>> squid proxy.
>>>>>>
>>>>>>   external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>   acl group1 external NT_Group group1
>>>>>>
>>>>>> I have created a group called staff using the net rpc command and I
>>>>>> have made all the users using winxp a member of this group staff. So,
>>>>>> my acl will look like
>>>>>>
>>>>>>   external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>   acl acl_name external NT_Group staff
>>>>>>   http_access allow staff
>>>>>>
>>>>>> According to my understanding, it should allow only those samba users
>>>>>> which come under the group staff. But that's not happening, squid
>>>>>> denies access to the internet.
>>>>>
>>>>> _when tested_ it should be doing that. Other rules around it have an
>>>>> effect that you may have overlooked.
>>>>>
>>>>> Then again the group name is case-sensitive. The helper is OS access
>>>>> permission sensitive, and NTLM auth has difficulties all of its own.
>>>>>
>>>>> I'll need to see the whole access config to know what's going on. And
>>>>> remind me what version of Squid this is.
>>>>>
>>>>> Amos
>>>>
>>>> hi,
>>>>
>>>> root@sunbox:/etc/squid# dpkg -l | grep squid
>>>> ii  squid         2.6.18-1ubuntu3   Internet object cache (WWW proxy cache)
>>>> ii  squid-common  2.6.18-1ubuntu3   Internet object cache (WWW proxy cache) - co
>>>>
>>>> squid.conf
>>>>
>>>> visible_hostname sunbox
>>>> hierarchy_stoplist cgi-bin ?
>>>> acl QUERY urlpath_regex cgi-bin \?
>>>> no_cache deny QUERY
>>>
>>> use: cache deny QUERY
>>>
>>>> hosts_file /etc/hosts
>>>> http_port 10.10.10.200:3128
>>>> refresh_pattern ^ftp:    1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0%  1440
>>>> refresh_pattern .        0    20% 4320
>>>>
>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>> acl staffgroup external NT_Group staff
>>>>
>>>> acl all src 0.0.0.0/0.0.0.0
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>> acl to_localhost dst 127.0.0.0/8
>>>> acl SSL_ports port 443 563
>>>> acl Safe_ports port 80          # http
>>>> acl Safe_ports port 21          # ftp
>>>> acl Safe_ports port 443 563     # https, snews
>>>> acl Safe_ports port 70          # gopher
>>>> acl Safe_ports port 210         # wais
>>>> acl Safe_ports port 1025-65535  # unregistered ports
>>>> acl Safe_ports port 280         # http-mgmt
>>>> acl Safe_ports port 488         # gss-http
>>>> acl Safe_ports port 591         # filemaker
>>>> acl Safe_ports port 631         # cups
>>>> acl Safe_ports port 777         # multiling http
>>>> acl Safe_ports port 901         # SWAT
>>>> acl Safe_ports port 993         # IMAP
>>>> acl Safe_ports port 587         # SMTP
>>>> acl Safe_ports port 22          # SSH
>>>> acl purge method PURGE
>>>> acl special_urls url_regex "/etc/squid/squid-noblock.acl"
>>>> acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
>>>
>>> File extensions?
>>> --> use urlpath_regex -i \.(mp3|exe|zip)(\?.*)?$
>>>
>>>> acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
>>>> acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
>>>
>>> So "prexel.com" is a bad URL?
>>>
>>> Be VERY careful with regex matching. Avoid where possible.
>>>
>>> The mp3/mp4/exe bits can be moved to the bad extension list.
>>>
>>> The youtube and orkut stuff should be a dstdomain ACL type with a
>>> wildcard list of their domains: dstdomain .youtube.com .yimg.com
>>>
>>> (I'm not sure what the full range of orkut domains are).
>>>
>>>> acl lan src 192.168.1.0 10.10.10.0/24
>>>> acl stud ident_regex babu
>>>> acl download method GET
>>>> acl CONNECT method CONNECT
>>>> cache_mem 100 MB
>>>> #redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>>>> ident_lookup_access allow all
>>>> http_access allow staffgroup
>>>
>>> For testing I hope. Okay, so staffgroup should have unlimited proxy
>>> access from anywhere in the world. If they happen to send their login
>>> information to random machines (including Squid) without being asked to.
>>>
>>> I think you need to try:
>>>
>>>   acl authUsers proxy_auth REQUIRED
>>>   http_access deny !authUsers
>>>   http_access allow staffgroup
>>>
>>> You also need a set of auth_param settings to actually retrieve the
>>> login details. wbinfo does not work without them.
>>>
>>> Also, check the default user your Squid runs under is properly a member
>>> of the winbind group in the OS security settings.
>>> wbinfo requires access to the winbind data which gets dynamically
>>> created, so hacking around with chown does not work.
>>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access allow purge localhost
>>>> http_access allow special_urls
>>>> http_access deny extndeny download
>>>
>>> The above line merely doubles the server CPU load from the extndeny
>>> regex test.
>>>
>>> The one below does the same thing for non-"download" stuff.
>>>
>>>> http_access deny extndeny
>>>> http_access deny purge
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>
>>> Well, the two lines above really should be the first two http_access
>>> lines in the config. They catch a huge amount of bad requests in a very
>>> efficient way.
>>>
>>>> http_access deny badurl
>>>> http_access deny malware_block_list
>>>> deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
>>>> http_access allow localhost
>>>> http_access allow lan
>>>> http_access deny all
>>>> http_reply_access allow all
>>>> icp_access allow all
>>>> coredump_dir /var/spool/squid
>>>>
>>>> Thanks
>>>> Avinash
>>>
>>> Amos
>>> --
>>> Please be using
>>>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>>   Current Beta Squid 3.1.0.13
>>
>> Thanks again, I will go through this and let you know the results.
>>
>> Regards,
>> Avinash
>
> After all that I forgot to say how to link the staffgroup and net ACLs.
>
> Not difficult though:
>   acl net time 9:00-18:00
>   http_access allow net staffgroup
>
> (assuming you did want the access limited 7 days a week)
> If only specific days were wanted note that the day codes are made into a
> single word SMTWHFA etc (no spaces)
> and also H = thursday and A = saturday.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>   Current Beta Squid 3.1.0.13

Thank you so much, I was going to ask the same thing. I just finished
testing the first part. I am doing one by one.

Cheers mate
Avinash
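To see why the "allow net" objection in this thread holds, here is an added example (mine, not code from the thread or from Squid) that simulates Squid's first-match http_access evaluation over two small configs: the time-only "allow net" line, and a combined form following the advice given above ("deny !Safe_ports" and "deny CONNECT !SSL_ports" first, "deny !authUsers" before the group ACL, time and group ACLs on one line). Assumptions: the NT_GROUPS table stands in for what wbinfo_group.pl would get from winbind, the "lan" source ACL is added to the allow line as an extra restriction of my own, and the addresses and instants are constructed.

```python
"""Simulate Squid's first-match http_access evaluation: the time-only
'allow net' line (an open proxy) against the combined form
'deny !authUsers' / 'allow lan net staffgroup'.
Added example, not code from the thread or from Squid."""
import datetime as dt
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for winbind group membership (assumption: in
# production wbinfo_group.pl asks winbind; the group name is case-sensitive).
NT_GROUPS = {"staff": {"alice", "bob"}}

# Squid time-ACL day letters mapped to datetime.weekday() (Monday == 0).
DAY_CODES = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}

# Constructed sample instants: Tue 2009-09-08 10:00 / 20:00, Sat 2009-09-12 10:00.
TUE_10 = dt.datetime(2009, 9, 8, 10, 0)
TUE_20 = dt.datetime(2009, 9, 8, 20, 0)
SAT_10 = dt.datetime(2009, 9, 12, 10, 0)

# The thread's time-only rule: anyone, from anywhere, during office hours.
OPEN_CONFIG = """acl net time 9:00-18:00
acl all src 0.0.0.0/0.0.0.0
http_access allow net
http_access deny all
"""

# Combined form: cheap port checks first, credentials required, then
# LAN source AND office hours AND Windows group on one line.
FIXED_CONFIG = """acl Safe_ports port 80 21 443 1025-65535
acl SSL_ports port 443
acl CONNECT method CONNECT
acl lan src 10.10.10.0/24
acl authUsers proxy_auth REQUIRED
acl staffgroup external NT_Group staff
acl net time MTWHF 9:00-18:00
acl all src 0.0.0.0/0.0.0.0
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !authUsers
http_access allow lan net staffgroup
http_access deny all
"""


@dataclass
class Request:
    src_ip: str
    port: int
    method: str
    login: Optional[str]   # None: the client sent no proxy credentials
    when: dt.datetime


def parse_config(text):
    """Collect acl definitions and http_access lines in file order; repeated
    'acl NAME ...' lines extend the same ACL, as in Squid."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words and words[0] == "http_access":
            rules.append((words[1] == "allow", words[2:]))
    return acls, rules


def _time_match(args, when):
    days, lo, hi = set(), dt.time.min, dt.time.max
    for tok in args:
        if tok[0].isdigit():                      # h1:m1-h2:m2
            a, b = tok.split("-")
            lo = dt.time(*map(int, a.split(":")))
            hi = dt.time(*map(int, b.split(":")))
        else:                                     # one word of day letters, e.g. MTWHF
            days |= {DAY_CODES[c] for c in tok}
    return (not days or when.weekday() in days) and lo <= when.time() < hi


def acl_match(acls, name, req):
    kind, args = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src_ip)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "port":                 # single ports or lo-hi ranges
        return any(int(a) <= req.port <= int(b or a)
                   for a, _, b in (t.partition("-") for t in args))
    if kind == "method":
        return req.method in args
    if kind == "time":
        return _time_match(args, req.when)
    if kind == "proxy_auth":           # REQUIRED: only a request carrying credentials
        return req.login is not None   # matches (real Squid also issues a 407 challenge)
    if kind == "external":             # args[0] is the helper name, the rest are groups
        return req.login is not None and any(
            req.login in NT_GROUPS.get(g, ()) for g in args[1:])
    raise ValueError("unsupported acl type " + kind)


def evaluate(text, req):
    """First matching http_access line wins; every ACL on that line must match
    ('!' negates one). With no match, Squid applies the opposite of the last line."""
    acls, rules = parse_config(text)
    for allow, names in rules:
        if all(acl_match(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return allow
    return not rules[-1][0]


if __name__ == "__main__":
    outsider = Request("203.0.113.5", 80, "GET", None, TUE_10)
    staff = Request("10.10.10.23", 80, "GET", "alice", TUE_10)
    print("open config, outsider at 10:00:", evaluate(OPEN_CONFIG, outsider))    # True
    print("fixed config, outsider at 10:00:", evaluate(FIXED_CONFIG, outsider))  # False
    print("fixed config, LAN staff at 10:00:", evaluate(FIXED_CONFIG, staff))    # True
```

The simulation covers only the ACL types the two configs use; the point it makes is structural: ACL names on one http_access line are ANDed, lines are tried top to bottom, and a line that carries a single time ACL therefore matches every client on the Internet during that window.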