Hello! Thanks for your input. Remember: This is still a test environment. Never the less i very much appreciate your answer. Lets do it one by one. -> this was never meant to be a tutorial. I just send this because such an info would have saved me some time and as i didn`t find any information on eDir/Ldap/Squid auth i just thought it would be nice to post some infos, never meant to be a perfect solution to copy. Skipping 1-2 things you mentioned, the next thing to answer would be the "bypass=off" info you gave. -> Thanks for this, i also found that, and did a correction on this. The securityrules in the config, that are ignored... -> This is because of the whole testing i did here. These are leftovers from the standard config comming with the installation. Your comment an SquidGuard an HTTPS. -> It is right, that SquidGuard is blocking HTTPS by this config. So the questions are two: 1.) What other to user than SquidGuard ? 2.) or how to deal with HTTPS ? Because of the clear-text credatials: -> what would be your alternative in this environment ? Thanks for your time ! Björn On 21/12/2016 11:24 p.m., bjoern wahl wrote: > Hello! > > Just for those who would like to have a: > > Squid with Ldap user auth on an eDirectory with an ecap (watch out ! It > is not i-cap!) virus check and squidGuard for blacklisting. > > One think not working for me so far is the redirect to a virus info site > if ecap/clamd did find a virus. By now the user is informed that the > access was "denied" but not why. A thing i do not like with this setup > right now. (still working on this!) You have missed out the most important part of this tutorial... Where to get the eCAP adapter. > > The working squid.conf looks like this: > > ================================================================= > cache_mgr xxx@xxxxxxx > http_port IPADDRESSOFSERVER:3128 Or just use the default "http_port 3128" config line provided. If you hard-code IP addresses unnecessarily into configs you just make yourself do extra work maintaining them. > acl localnet src 10.0.0.0/8 # RFC1918 possible internal network > acl localnet src 172.16.0.0/12 # RFC1918 possible internal network > acl localnet src 192.168.0.0/16 # RFC1918 possible internal network > acl localnet src fc00::/7 # RFC 4193 local private network range > acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) > machines > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > auth_param basic program /usr/lib64/squid/basic_ldap_auth -b o=XXXX -h > IPOFEDIRSERVER -D cn=XXX,o=XXX -w PASSWORDOFUSER -f > "(&(objectclass=User)(cn=%s))" > auth_param basic children 5 > auth_param basic realm WHATEVER-YOU-LIKE-TO-TELL-THE-USER > auth_param basic credentialsttl 2 hours > ecap_enable on > loadable_modules /usr/local/lib/ecap_clamav_adapter.so > ecap_service clamav_service_req reqmod_precache > uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off > ecap_service clamav_service_resp respmod_precache > uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on Since bypass=on if the eCAP service has any error. (Such as finding a virus perhapse?) The eCAP adapter will stop being used for some minutes. If you want scanners like this to filter all traffic you need to set bypass=off and fix any/every-thing that causes service outages. > adaptation_access clamav_service_req allow all > adaptation_access clamav_service_resp allow all > acl ediruse r proxy_auth REQUIRED > http_access allow ediruser > http_acbypass them completely for all traffic? The http_access lines above this should all be down ... > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > http_access allow localhost manager > http_access deny manager ... here. At which point you will find yourself looking at two "deny all" rules in a row. Do the obvious to fix that. > http_access deny all > http_port 3128 > coredump_dir /var/spool/squid > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf > url_rewrite_children 15 > url_rewrite_access allow all Which is the default setting for "url_rewrite_access" directive. And BTW, SquidGuard cannot cope with many HTTP extension request methods in modern traffic. You will at the very least have to prevent it seeing the CONNECT messages. You should then realize that any users doing HTTPS can easily bypass your SG URL mangling "control". If you are lucky right now SG will be "blocking" HTTPS by breaking the Squid transaction on each attempt to use it. Otherwise what this config actually does is cause clients to send their user credentials in clear-text across the network, while possibly letting any client that can see and re-use anothers users credentials create tunnels through the proxy. Hackers paradise. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users Träger: Klinikum Westmünsterland GmbH Jur. Sitz der Gesellschaft: Am Boltenhof 7, 46325 Borken Registergericht Coesfeld, HRB Nr. 4184 I Ust.-Id.Nr.: DE123762133 Geschäftsführer: Christoph Bröcker, Ludger Hellmann (Sprecher) Aufsichtsratsvorsitzender: Jürgen Büngeler Diese E-Mail enthält vertrauliche oder rechtlich geschützte Informationen. Wenn Sie nicht der beabsichtigte Empfänger sind, informieren Sie bitte sofort den Absender und löschen Sie diese E-Mail. Das unbefugte Kopieren dieser E-Mail oder die unbefugte Weitergabe der enthaltenen Informationen ist nicht gestattet. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
