On Tue, Sep 8, 2009 at 2:49 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Avinash Rao wrote:
>> On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>> Avinash Rao wrote:
>>>> On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>> Avinash Rao wrote:
>>>>>> ---------- Forwarded message ----------
>>>>>> From: Avinash Rao <avinash.aol@xxxxxxxxx>
>>>>>> Date: Tue, Sep 8, 2009 at 11:13 AM
>>>>>> Subject: Re: Fwd: Need help in integrating squid and samba
>>>>>> To: Amos Jeffries <squid3@xxxxxxxxxxxxx>
>>>>>> Cc: Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>, squid-users@xxxxxxxxxxxxxxx
>>>>>>
>>>>>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>>> Avinash Rao wrote:
>>>>>>>> On 8/31/09, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>>>>> Avinash Rao wrote:
>>>>>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
>>>>>>>>>>> Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
>>>>>>>>>>>> I couldn't find any document that shows me how to enable wb_info for squid.
>>>>>>>>>>>> Can anybody help me?
>>>>>>>>>>>
>>>>>>>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>>>>>>
>>>>>>>>>>> acl group1 external NT_Group group1
>>>>>>>>>>>
>>>>>>>>>>> then use group1 whenever you want to match users belonging to that Windows group.
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Henrik
>>>>>>>>>>
>>>>>>>>>> Hi Henrik,
>>>>>>>>>>
>>>>>>>>>> I have used the following in my squid.conf
>>>>>>>>>>
>>>>>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>>>>>>>>> acl group1 external NT_Group staff
>>>>>>>>>>
>>>>>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>>>>>> http_access allow net
>>>>>>>>>>
>>>>>>>>>> On my linux server, I have created a group called staff and made a couple of users a member of this group called staff. My intention is to provide access to users belonging to group staff on all days from morning 9am - 7PM. The rest should be denied.
>>>>>>>>>>
>>>>>>>>>> But this didn't work: when the Samba users log in from a winxp client, they don't get access to the internet at all.
>>>>>>>>>
>>>>>>>>> There is no http_access line making any use of ACL "group1".
>>>>>>>>>
>>>>>>>>> And _everybody_ (me included on this side of the Internet) is allowed to use your proxy between 9am and 6pm.
>>>>>>>>>
>>>>>>>>> Amos
>>>>>>>>
>>>>>>>> Thanks for the reply. Yes, I missed http_access allow group1.
>>>>>>>> I didn't understand your second statement, are you telling me that I should deny access to net?
>>>>>>>
>>>>>>> You should combine the ACL with others on an http_access line so that it's limited to who it allows.
>>>>>>>
>>>>>>> This:
>>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>>> http_access allow net
>>>>>>>
>>>>>>> simply says "all requests are allowed between time X and Y".
>>>>>>> Without additional controls, i.e. on the IP address making the request, you end up with an open proxy.
>>>>>>>
>>>>>>> Amos
>>>>>>
>>>>>> Dear Amos,
>>>>>>
>>>>>> I am still not able to get this working. Here's what I want to accomplish. I have WinXP - SP2 clients logging onto the samba domain and LTSP users. All users use the squid proxy. My intention is to control the samba users from accessing the internet at certain times.
>>>>>>
>>>>>> If I don't use the external_acl_type NT_Group as mentioned below, squid works properly for all users, even windows and anybody using the squid proxy.
>>>>>>
>>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>>> acl group1 external NT_Group group1
>>>>>>
>>>>>> I have created a group called staff using the net rpc command and I have made all the users using winxp a member of this group staff. So, my acl will look like
>>>>>>
>>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>>> acl acl_name external NT_Group staff
>>>>>> http_access allow staff
>>>>>>
>>>>>> According to my understanding, it should allow only those samba users which come under the group staff. But that's not happening, squid denies access to the internet.
>>>>>
>>>>> _when tested_ it should be doing that. Other rules around it have an effect that you may have overlooked.
>>>>>
>>>>> Then again the group name is case-sensitive. The helper is OS access permission sensitive, and NTLM auth has difficulties all of its own.
>>>>>
>>>>> I'll need to see the whole access config to know what's going on. And remind me what version of Squid this is.
>>>>>
>>>>> Amos
>>>>
>>>> hi,
>>>>
>>>> root@sunbox:/etc/squid# dpkg -l | grep squid
>>>> ii  squid          2.6.18-1ubuntu3   Internet object cache (WWW proxy cache)
>>>> ii  squid-common   2.6.18-1ubuntu3   Internet object cache (WWW proxy cache) - co
>>>>
>>>> squid.conf
>>>>
>>>> visible_hostname sunbox
>>>> hierarchy_stoplist cgi-bin ?
>>>> acl QUERY urlpath_regex cgi-bin \?
>>>> no_cache deny QUERY
>>>
>>> use: cache deny QUERY
>>>
>>>> hosts_file /etc/hosts
>>>> http_port 10.10.10.200:3128
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern . 0 20% 4320
>>>>
>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>> acl staffgroup external NT_Group staff
>>>>
>>>> acl all src 0.0.0.0/0.0.0.0
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>> acl to_localhost dst 127.0.0.0/8
>>>> acl SSL_ports port 443 563
>>>> acl Safe_ports port 80          # http
>>>> acl Safe_ports port 21          # ftp
>>>> acl Safe_ports port 443 563     # https, snews
>>>> acl Safe_ports port 70          # gopher
>>>> acl Safe_ports port 210         # wais
>>>> acl Safe_ports port 1025-65535  # unregistered ports
>>>> acl Safe_ports port 280         # http-mgmt
>>>> acl Safe_ports port 488         # gss-http
>>>> acl Safe_ports port 591         # filemaker
>>>> acl Safe_ports port 631         # cups
>>>> acl Safe_ports port 777         # multiling http
>>>> acl Safe_ports port 901         # SWAT
>>>> acl Safe_ports port 993         # IMAP
>>>> acl Safe_ports port 587         # SMTP
>>>> acl Safe_ports port 22          # SSH
>>>> acl purge method PURGE
>>>> acl special_urls url_regex "/etc/squid/squid-noblock.acl"
>>>> acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
>>>
>>> File extensions?
>>> --> use urlpath_regex -i \.(mp3|exe|zip)(\?.*)?$
>>>
>>>> acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
>>>> acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
>>>
>>> So "prexel.com" is a bad URL?
>>>
>>> Be VERY careful with regex matching. Avoid where possible.
>>>
>>> The mp3/mp4/exe bits can be moved to the bad extension list.
>>>
>>> The youtube and orkut stuff should be a dstdomain ACL type with a wildcard list of their domains: dstdomain .youtube.com .yimg.com
>>>
>>> (I'm not sure what the full range of orkut domains are).
>>>
>>>> acl lan src 192.168.1.0 10.10.10.0/24
>>>> acl stud ident_regex babu
>>>> acl download method GET
>>>> acl CONNECT method CONNECT
>>>> cache_mem 100 MB
>>>> #redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>>>> ident_lookup_access allow all
>>>> http_access allow staffgroup
>>>
>>> For testing I hope. Okay, so staffgroup should have unlimited proxy access from anywhere in the world. If they happen to send their login information to random machines (including Squid) without being asked to.
>>>
>>> I think you need to try:
>>>
>>> acl authUsers proxy_auth REQUIRED
>>> http_access deny !authUsers
>>> http_access allow staffgroup
>>>
>>> You also need a set of auth_param settings to actually retrieve the login details. wbinfo does not work without them.
>>>
>>> Also, check the default user your Squid runs under is properly a member of the winbind group in the OS security settings.
>>> wbinfo requires access to the winbind data which gets dynamically created, so hacking around with chown does not work.
>>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access allow purge localhost
>>>> http_access allow special_urls
>>>> http_access deny extndeny download
>>>
>>> The above line merely doubles the server CPU load from the extndeny regex test.
>>>
>>> The one below does the same thing for non-"download" stuff.
>>>
>>>> http_access deny extndeny
>>>> http_access deny purge
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>
>>> Well, the two lines above really should be the first two http_access lines in the config. They catch a huge amount of bad requests in a very efficient way.
>>>
>>>> http_access deny badurl
>>>> http_access deny malware_block_list
>>>> deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
>>>> http_access allow localhost
>>>> http_access allow lan
>>>> http_access deny all
>>>> http_reply_access allow all
>>>> icp_access allow all
>>>> coredump_dir /var/spool/squid
>>>>
>>>> Thanks
>>>> Avinash
>>>
>>> Amos
>>> --
>>> Please be using
>>>   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>>   Current Beta Squid 3.1.0.13
>>
>> Thanks again, I will go through this and let you know the results.
>>
>> Regards,
>> Avinash
>
> After all that I forgot to say how to link the staffgroup and net ACLs.
>
> Not difficult though:
> acl net time 9:00-18:00
> http_access allow net staffgroup
>
> (assuming you did want the access limited 7 days a week)
> If only specific days were wanted note that the day codes are made into a single word SMTWHFA etc (no spaces)
> and also H = thursday and A = saturday.
>
> Amos

Amos,

Below is my updated squid.conf. All the options are working except matching the NT or Unix groups. I made the following changes just to check if it's working.

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl staffgroup external NT_Group staff
acl student time 9:00-11:00
http_access deny !AuthUsers
http_access allow staffgroup
http_access allow student staffgroup

Here's what is happening. All the other options are working except the above. I logged in to the samba domain from a WinXP client at 11:30 AM but the client was still able to access the internet. To check the authentication, I logged in locally, opened the browser, I received an authentication dialog box, I entered a domain userID and password, and I could access the internet. So, it's an indication that authentication is working. But, I guess the time specified is not working. I am wondering if it's really checking the NT group? I also tried using the squid_unix_group option, but the result was the same. Is it something to do with NT group mapping?

Below is my group list

root@human:/usr/lib/squid# net rpc group list
staff
Administrators
Users
root@human:/usr/lib/squid# net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN\administrators
staff (S-1-5-21-502514653-2556358561-3090783776-1004) -> staff
Users (S-1-5-32-545) -> BUILTIN\users

I also tried using the group "users" in the external_acl, but the result was the same. Before I did all this, I used the "users" group in the external_acl in squid.conf and checked the connection even before I made users a member of the "users" group; the behavior was the same, so I think squid is not scanning the group.

squid.conf

visible_hostname human
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
hosts_file /etc/hosts
http_port 10.10.10.10:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl abc urlpath_regex -i \.(mp3|exe|mp4|mov|sex)(\?.*)?$
acl videos dstdomain .youtube.com .yimg.com .orkut.com .sex.com .teen.com .adult.com
external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl staffgroup external NT_Group staff
acl student time 9:00-11:00
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
acl AuthUsers proxy_auth REQUIRED
#acl sambausers src 10.10.10.0/24
#acl WORKING time 09:00-18:00
#acl AuthorizedUsers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 631         # cups
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl Safe_ports port 993         # IMAP
acl Safe_ports port 587         # SMTP
acl Safe_ports port 22          # SSH
acl purge method PURGE
acl badurl url_regex -i teen
acl lan src 192.168.1.0 10.10.10.0/24
#acl nettime time M T W H F S 18:00-20:00
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
cache_mem 100 MB
acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
ident_lookup_access allow all
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access allow friends WORKING
#http_access deny friends
http_access deny abc
http_access deny videos
http_access deny !AuthUsers
http_access allow staffgroup
http_access allow student staffgroup
#http_access allow sambausers WORKING
#http_access deny sambausers
#http_access allow all AuthorizedUsers
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
#http_access allow special_urls
#http_access deny extndeny download
http_access deny badurl
#http_access deny malware_block_list
#deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
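Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match, which is why the ordering questions raised in this thread matter as much as the individual ACLs. The script below is an added example written for this page; it is not part of the thread and not Squid's own tooling. It reads only the acl and http_access lines of a squid.conf and, using that first-match rule, reports three problems discussed above: an allow line whose ACLs say nothing about who the client is (the open-proxy pattern Amos describes), a line that can never match because an earlier line already decides every request it could see, and a time ACL whose day codes are not a single word of letters from SMTWHFA (H is Thursday, A is Saturday, D means weekdays). The two embedded configurations are constructed samples: POSTED combines http_access rules from the configs posted above, FIXED is one way of ordering the same controls. The set of ACL types the script treats as client-identifying is its own simplification, not something Squid defines.

```python
"""Static ordering checks for squid http_access rules (added example)."""

# ACL types that restrict WHO the client is. Everything else (time, port,
# method, url_regex, dstdomain, ...) restricts what or when, never who.
# This classification is the script's own assumption, not Squid's.
CLIENT_TYPES = {"src", "srcdomain", "srcdom_regex", "src_as", "arp",
                "proxy_auth", "proxy_auth_regex", "ident", "ident_regex",
                "external"}
ANY_SRC = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0", "all"}   # src that matches everyone
DAY_CODES = "SMTWHFAD"   # Sun Mon Tue Wed Thu Fri Sat, D = weekdays (M-F)


def parse(conf):
    """Return (acl_type, acl_args, rules) from the acl / http_access lines.

    rules is a list of (rule_text, action, frozenset(terms)); a term is the
    ACL name with its leading '!' kept when negated, exactly as squid sees it.
    """
    acl_type, acl_args, rules = {}, {}, []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "acl":
            name, typ, args = parts[1], parts[2], parts[3:]
            acl_type[name] = typ
            acl_args.setdefault(name, []).extend(args)   # repeated acl lines merge
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((" ".join(parts), parts[1], frozenset(parts[2:])))
    return acl_type, acl_args, rules


def restricts_client(term, acl_type, acl_args):
    """True if this term narrows who may use the proxy."""
    if term.startswith("!"):
        return False          # '!foo' excludes foo; it never narrows to a group
    typ = acl_type.get(term)
    if typ == "src":
        return not set(acl_args[term]) & ANY_SRC
    return typ in CLIENT_TYPES


def check(conf):
    """Return a sorted list of (kind, subject) findings for a squid.conf text."""
    acl_type, acl_args, rules = parse(conf)
    findings = []

    # Day codes: one word of letters from DAY_CODES, no letter repeated.
    for name, typ in acl_type.items():
        if typ == "time":
            days = [a for a in acl_args[name] if ":" not in a]
            letters = "".join(days)
            if (len(days) > 1 or set(letters) - set(DAY_CODES)
                    or len(set(letters)) != len(letters)):
                findings.append(("bad-day-codes", name))

    for i, (text, action, terms) in enumerate(rules):
        # An allow with no client-identifying ACL matches anyone on the Internet.
        if action == "allow" and not any(
                restricts_client(t, acl_type, acl_args) for t in terms):
            findings.append(("open-allow", text))
        # First match wins: if an earlier rule's terms are a subset of this
        # rule's terms, every request this rule could match was already decided.
        if any(prev <= terms for _, _, prev in rules[:i]):
            findings.append(("unreachable", text))
    return sorted(findings)


# Constructed sample: http_access rules combined from the configs in the thread.
POSTED = """\
acl Safe_ports port 80 21 443 563
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl purge method PURGE
acl lan src 192.168.1.0 10.10.10.0/24
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl AuthUsers proxy_auth REQUIRED
acl staffgroup external NT_Group staff
acl net time M T W T F S S 9:00-18:00
acl student time 9:00-11:00
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow net
http_access deny !AuthUsers
http_access allow staffgroup
http_access allow student staffgroup
http_access allow purge localhost
http_access allow lan
http_access deny all
"""

# Constructed sample: the same controls, ordered so the checker is silent.
FIXED = """\
acl Safe_ports port 80 21 443 563
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl lan src 10.10.10.0/24
acl all src 0.0.0.0/0.0.0.0
acl AuthUsers proxy_auth REQUIRED
acl staffgroup external NT_Group staff
acl workhours time MTWHFA 9:00-18:00
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !lan
http_access deny !AuthUsers
http_access allow workhours staffgroup
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("POSTED", POSTED), ("FIXED", FIXED)):
        print(label, check(conf) or "clean")
```

Run on POSTED it reports the time-only "allow net", the spaced day codes on net, and two unreachable lines: "allow student staffgroup" is shadowed by the "allow staffgroup" just before it, and "allow purge localhost" sits after "deny purge". It says nothing about "allow lan", which restricts by source address and so is neither open nor shadowed, even though under first-match semantics it admits every authenticated LAN client whether or not the group and time lines above it matched; a structural check can only flag what is provably wrong, not whether that is intended.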