Re: External users from Child AD domain unable to use local Squid proxy

On Mon, 19 Apr 2010 15:33:09 -0400, Milan <compguy030471@xxxxxxxxx> wrote:
> Below is our Squid.conf. We still cannot get external AD users to work
> on our proxy.
> 
> cache_peer proxy2.us.xxxxxxxxxx.com parent 3128 0000 default no-query no-digest
> 
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
> auth_param ntlm children 40
> auth_param ntlm keep_alive on
> 
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> 
> external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
> 
> ftp_user squid@xxxxxxxxxxxx
> 
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> 
> acl WindowsUpdate dstdomain -i "c:/squid/etc/windowsupdate.txt"
> 
> acl bypass_auth src "C:\squid\etc\ByPass_Auth_SRC_IP.txt"
> acl bypass_auth-external dstdomain "C:\squid\etc\ByPass_Auth_DST_DOMAIN.txt"
> 
> acl DIRECT src "C:\squid\etc\Direct_SRC_IP.txt"
> acl DIRECT-external dstdomain "C:\squid\etc\Direct_DST_DOMAIN.txt"
> 
> acl Java browser Java/[0-9]
> 
> acl Approved_IP dstdomain "C:\squid\etc\Approved_IP.txt"
> 
> # Domains accessible to all PC's
> acl Approved_Domains dstdomain "C:\squid\etc\Approved.txt"
> 
> acl SSL_ports port 443
> acl Safe_ports port 80		# http
> acl Safe_ports port 21		# ftp
> acl Safe_ports port 443		# https
> acl Safe_ports port 70		# gopher
> acl Safe_ports port 210		# wais
> acl Safe_ports port 1025-65535	# unregistered ports
> acl Safe_ports port 280		# http-mgmt
> acl Safe_ports port 488		# gss-http
> acl Safe_ports port 591		# filemaker
> acl Safe_ports port 777		# multiling http
> 
> acl CONNECT method CONNECT
> acl ftp proto FTP
> 
> acl authproxy proxy_auth REQUIRED
> acl our_networks src 172.xx.xx.xx/12
> acl HEAD method HEAD
> 
> acl InetAllow external AD_global_group CLW.Squid.Full
> 
> http_access allow manager localhost
> http_access allow HEAD
> http_access allow ftp
> http_access allow WindowsUpdate
> http_access allow bypass_auth
> http_access allow bypass_auth-external
> http_access allow Approved_Domains
> http_access allow Java
> http_access allow Approved_IP
> http_access allow InetAllow
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny !our_networks

Eeek! Order is important!

Before you do anything else, put those deny lines back FIRST in your
order of http_access.

Next, the rules for Internet machines to connect to your LAN need to go
above the !our_networks rule (and remain below the CONNECT one).

That may not solve your auth problems, but it will stop your machine from
being an open relay proxy.

Amos

> 
> On Sun, Apr 18, 2010 at 06:26, Guido Serassio
> <guido.serassio@xxxxxxxxxxxxxxxxx> wrote:
>> Hi,
>>
>> When using mswin_check_ad_group.exe 1.x in global mode (-G option), the
>> check is always done against a global group placed in the user's domain.
>>
>> Starting from 2.7 STABLE 8, mswin_check_ad_group.exe 2.x is now a full
>> AD group helper supporting full forest-wide group recursion.
>> Take a look at the included docs for details.
>>
>> Regards
>>
>> Guido Serassio
>> Acme Consulting S.r.l.
>> Microsoft Gold Certified Partner
>> Via Lucia Savarino, 1                10098 - Rivoli (TO) - ITALY
>> Tel. : +39.011.9530135               Fax. : +39.011.9781115
>> Email: guido.serassio@xxxxxxxxxxxxxxxxx
>> WWW: http://www.acmeconsulting.it
>>
>>
>>> -----Original Message-----
>>> From: Milan [mailto:compguy030471@xxxxxxxxx]
>>> Sent: Thursday, 15 April 2010 17.17
>>> To: squid-users@xxxxxxxxxxxxxxx
>>> Subject: External users from Child AD domain unable to use
>>> local Squid proxy
>>>
>>> We are using Squid on Windows as a proxy and we are having an issue
>>> where users who come from a child domain to our office do not
>>> authenticate properly.
>>>
>>> Example: our domain is na.myworld.com and users from eu.myworld.com
>>> come to our office and do not authenticate correctly.
>>> The log of the connection is below.
>>>
>>> 1271280071.727     47 172.23.5.54 TCP_DENIED/407 1766 GET http://www.yahoo.com/ - NONE/- text/html
>>> 1271280071.774     31 172.23.5.54 TCP_DENIED/407 2082 GET http://www.yahoo.com/ - NONE/- text/html
>>> 1271280099.086  27312 172.23.5.54 TCP_DENIED/403 1449 GET http://www.yahoo.com/ eu\vbonafe NONE/- text/html
>>> 1271280104.258     47 172.23.5.54 TCP_DENIED/407 1763 GET http://www.yahoo.es/ - NONE/- text/html
>>> 1271280104.289     31 172.23.5.54 TCP_DENIED/407 2079 GET http://www.yahoo.es/ - NONE/- text/html
>>> 1271280104.524    235 172.23.5.54 TCP_DENIED/403 1447 GET http://www.yahoo.es/ eu\vbonafe NONE/- text/html
>>> 1271280110.274    391 172.23.5.54 TCP_MISS/200 5128 GET http://www.google.com/ - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
>>> 1271280110.524     63 172.23.5.54 TCP_MISS/204 494 GET http://clients1.google.com/generate_204 - DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
>>> 1271280110.649    157 172.23.5.54 TCP_MISS/204 434 GET http://www.google.com/csi? - DIRECT/72.14.204.103 text/html
>>>
>>> We have the below ACL for users in the AD global group
>>>
>>> external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
>>>
>>> and another ACL below that allows full access through the Squid proxy
>>> using an AD group
>>>
>>> acl InetAllow external AD_global_group CLW.Squid.Full
>>>
>>>
>>> any ideas????
>>
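
The ordering point in Amos's reply can be checked mechanically. What follows is an added example, not code from this thread or from the Squid project: a small first-match evaluator for `http_access` lines that runs the same constructed requests against the posted order (allows first, safety denies last) and against the order Amos asks for (port and CONNECT denies first, then the `!our_networks` source check, then the allows). It assumes a reduced rule set with only the `src`, `dstdomain`, `port`, `method` and `proxy_auth` ACL types; the external AD group lookup is left out, the file-based lists are replaced by constructed inline values, `172.16.0.0/12` stands in for the masked `172.xx.xx.xx/12`, and `proxy_auth` is simplified to "the request carries an authenticated user" (real Squid answers an unauthenticated request that reaches that ACL with a 407 challenge).

```python
"""First-match simulator for Squid http_access ordering (added example)."""
import ipaddress

# name -> (acl type, values). Constructed stand-ins; names follow the posted conf.
ACLS = {
    "localhost":        ("src", ["127.0.0.1/32"]),
    "our_networks":     ("src", ["172.16.0.0/12"]),       # stand-in for 172.xx.xx.xx/12
    "Approved_Domains": ("dstdomain", [".example.com"]),  # stand-in for Approved.txt
    "SSL_ports":        ("port", ["443"]),
    "Safe_ports":       ("port", ["80", "21", "443", "70", "210",
                                  "1025-65535", "280", "488", "591", "777"]),
    "CONNECT":          ("method", ["CONNECT"]),
    "HEAD":             ("method", ["HEAD"]),
    "authproxy":        ("proxy_auth", ["REQUIRED"]),
}

# The posted order: allow lines above the safety deny lines.
POSTED_ORDER = """
http_access allow HEAD
http_access allow Approved_Domains
http_access allow authproxy
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !our_networks
"""

# The order Amos asks for: deny lines first, allows after.
CORRECTED_ORDER = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !our_networks
http_access allow HEAD
http_access allow Approved_Domains
http_access allow authproxy
"""


def parse_rules(text):
    """Turn http_access lines into (action, [acl refs]) tuples, in file order."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def _port_in(value, port):
    lo, _, hi = value.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(ref, req):
    """Evaluate one ACL reference (optionally negated with '!') against a request."""
    negated = ref.startswith("!")
    kind, values = ACLS[ref.lstrip("!")]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        hit = any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    elif kind == "dstdomain":
        # Squid: ".example.com" matches example.com and every subdomain,
        # a bare "example.com" matches that exact host only.
        host = req["host"].lower()
        hit = any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                  for v in values)
    elif kind == "port":
        hit = any(_port_in(v, req["port"]) for v in values)
    elif kind == "method":
        hit = req["method"] in values
    elif kind == "proxy_auth":
        # Simplification: treated as "request carries an authenticated user".
        hit = req.get("user") is not None
    else:
        raise ValueError(f"unsupported acl type {kind}")
    return hit != negated


def decide(rules, req):
    """First line whose ACLs all match decides; with no match, Squid applies
    the opposite of the last line's action."""
    for action, refs in rules:
        if all(acl_matches(r, req) for r in refs):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed requests: documentation/private addresses, made-up users.
OUTSIDER_APPROVED = {"src": "203.0.113.7", "host": "www.example.com",
                     "port": 80, "method": "GET", "user": None}
OUTSIDER_HEAD = {"src": "203.0.113.7", "host": "intranet.example.org",
                 "port": 80, "method": "HEAD", "user": None}
INSIDER_CONNECT = {"src": "172.23.5.54", "host": "host.example.org",
                   "port": 8080, "method": "CONNECT", "user": "na\\user1"}
INSIDER_GET = {"src": "172.23.5.54", "host": "www.example.org",
               "port": 80, "method": "GET", "user": "na\\user1"}


def compare(req):
    """Return (decision under the posted order, decision under the corrected order)."""
    return (decide(parse_rules(POSTED_ORDER), req),
            decide(parse_rules(CORRECTED_ORDER), req))


if __name__ == "__main__":
    cases = [("outsider GET to approved domain", OUTSIDER_APPROVED),
             ("outsider HEAD to any host", OUTSIDER_HEAD),
             ("insider CONNECT to non-SSL port", INSIDER_CONNECT),
             ("insider authenticated GET", INSIDER_GET)]
    for label, req in cases:
        posted, corrected = compare(req)
        print(f"{label:32s} posted={posted:5s} corrected={corrected}")
```

With the posted order the first three requests are allowed, because `allow HEAD`, `allow Approved_Domains` and `allow authproxy` each match before the deny lines are ever reached; with the deny lines first, the outside source is stopped by `deny !our_networks` and the CONNECT to a non-443 port by `deny CONNECT !SSL_ports`, while the legitimate authenticated GET from the LAN is still allowed. Note also that the posted order ends with a deny line, so Squid's implicit default for an unmatched request becomes allow; ending the list with an explicit final deny is the usual way to avoid that.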
