|
Hai, In configuring my debian jessie with squid 3.5.24 ( with ssl
enabled ) c-icap squidclamav and winbind 4.5.5 for kerberos keytab refresing. Now, im at the point of reducing my logs and i nocited : NOTICE: Authentication not applicable on intercepted
requests. Messages in squid/cache.log I know this is some misconfiguration somewhere but im having
a hardtime to finding/understanding it. Where and why, so is anyone can help me finding and
understanding it, that would be very nice. I cant see my error and everything else is working fine, execept
i havent tested the kerberos group acl yet. So i didnt set that http_access yet. Im having the following firewall rules # Not authenticated web traffice, redirected to squid in
intercept mode. -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT
--to-destination 192.168.0.2:3128 -A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT
--to-destination 192.168.0.2:3129 Port 8080 is also open. Web traffic for pc’s which are domain joint have set the
proxy by GPO to hostname.domain.tld port 8080 Web traffic for other devices dont need to authenticate. WPAD and DNS wpad is also set. Below is mostly from the updated wiki pages. A big thank you to Amos Victor and others who changed the
pages, looks good. I have some small changed for a pure debian based setup with
samba4 as addc and winbind for the squid member server. This is my squid config. # Created from a running squid version : 3.5.24 # Running os : Debian GNU/Linux 8 (jessie) # Creation date: 2017-02-15 auth_param negotiate program
/usr/lib/squid/negotiate_wrapper_auth --kerberos
/usr/lib/squid/negotiate_kerberos_auth -s
HTTP/proxy2.internal.domain.tld@xxxxxxxxxxxxxxxxxxx --ntlm /usr/bin/ntlm_auth
--helper-protocol=gss-spnego --domain=NTDOM auth_param negotiate children 10 startup=5 idle=5 auth_param negotiate keep_alive on external_acl_type memberof ttl=3600 negative_ttl=3600 %LOGIN
/usr/lib/squid3/ext_kerberos_ldap_group_acl -d -i -m 4 -g internet-allowed@xxxxxxxxxxxxxxxxxxx
-N NTDOM@xxxxxxxxxxxxxxxxxxx -S dc1.internal.domain.tld@xxxxxxxxxxxxxxxxxxx -D
INTERNAL.DOMAIN.TLD acl authenticated proxy_auth REQUIRED acl certificates rep_mime_type -i ^application/pkix-crl$ acl windows-updates dstdomain
"/etc/squid/lists/updates-windows" acl antivirus-updates dstdomain
"/etc/squid/lists/updates-antivirus" acl localnet src fc00::/7 # RFC 4193 local private
network range acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines acl localnet src 192.168.249.0/24 # Company-1 acl localnet src 10.249.2.0/24 # Company-2 acl localnet src 10.249.3.0/24 # Company-3 acl localnet src 10.249.4.0/24 # Company-4 acl localnet src 10.249.5.0/24 # Company-5 acl SSL_ports port 443 # https acl SSL_ports port 3952 # CIC client acl SSL_ports port 10443 # https Cisco 5506x acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 3952 # CIC client acl Safe_ports port 10443 # https Cisco 5506x acl CONNECT method CONNECT ## Added : Advertising Server Block List merge from YoYo.org
and Host-file.net acl block-asbl dstdomain
"/etc/squid/lists/block-asbl-merged-dstdomain" http_access deny block-asbl acl google_recaptcha urlpath_regex ^\/recaptcha\/api.js http_access allow google_recaptcha acl NO-CACHE-SITES url_regex
"/etc/squid/lists/no-cache-sites" no_cache deny NO-CACHE-SITES always_direct allow NO-CACHE-SITES cache deny NO-CACHE-SITES # http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access deny to_localhost ## allow before auth so all pc's get the needed updates http_access allow windows-updates http_access allow antivirus-updates http_access allow authenticated http_access allow localnet http_access allow localhost http_access deny all http_port 192.168.249.222:3128 intercept connection-auth=off https_port 192.168.249.222:3129 intercept
connection-auth=off ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem http_port 192.168.249.222:8080 ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db
-M 8MB acl step1 at_step SslBump1 ssl_bump peek step1 ssl_bump bump all sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS cache_mem 4096 MB coredump_dir /var/spool/squid ftp_user anonymousftp@xxxxxxxxxx # refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf)
43200 80% 129600 reload-into-ims refresh_pattern -i
microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80%
129600 reload-into-ims refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf)
43200 80% 129600 reload-into-ims refresh_pattern -i
microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf)
43200 80% 129600 reload-into-ims refresh_pattern -i
deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf)
43200 80% 129600 reload-into-ims ## todo, make this list more complete, see icap excludes refresh_pattern -i
\.symantecliveupdate\.com\/.*\.(zip|7z|irn|[m|x][0-9][0-9]) 4320
100% 43200 reload-into-ims refresh_pattern -i
.*dnl.*\.geo\.kaspersky\.(com|ru)\/.*\.(zip|avc|kdc|nhg|klz|d[at|if])
4320 100% 43200 reload-into-ims refresh_pattern -i
\.kaspersky-labs\.(com|ru)\/.*\.(cab|zip|exe|ms[i|p]) 4320 100%
43200 reload-into-ims refresh_pattern -i
\.kaspersky\.(com|ru)\/.*\.(cab|zip|exe|ms[i|p]|avc) 4320 100% 43200
reload-into-ims refresh_pattern -i .update\.geo\.drweb\.com 4320
100% 43200 reload-into-ims refresh_pattern -i \.avast.com\/.*\.(vp[u|aa]) 4320
100% 43200 reload-into-ims refresh_pattern -i \.avg.com\/.*\.(bin) 4320
100% 43200 reload-into-ims ## todo, add .deb files caching refresh_pattern
^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$ 0 0% 0 refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$
0 0% 0 refresh_pattern
^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$ 0 0% 0 refresh_pattern
^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2)$ 0 0% 0 ## The defaults as last. refresh_pattern -i
\.(zip|[g|b]z2?|exe|ms[i|p]|cvd|cdiff|mar)$ 43200 100% 129600
reload-into-ims refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_mgr changed2protectme@xxxxxxxxxxxxxx mail_from proxy2@xxxxxxxxxxxxxxxxxxx visible_hostname proxy2.internal.domain.tld hostname_aliases proxy2.internal.domain.tld httpd_suppress_version_string on icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_header X-Authenticated-User icap_persistent_connections on icap_preview_enable on icap_preview_size 1024 icap_service service_req reqmod_precache
icap://127.0.0.1:1344/squidclamav bypass=off adaptation_access service_req allow all icap_service service_resp respmod_precache
icap://127.0.0.1:1344/squidclamav bypass=off adaptation_access service_resp allow all dns_v4_first on maximum_object_size 4096 KB minimum_object_size 0 KB maximum_object_size_in_memory 64 KB cache_mem 256 MB quick_abort_min -1 KB fqdncache_size 4096 cache_swap_low 90 cache_swap_high 95 |
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
