Am 17. September 2018 20:38:06 MESZ schrieb Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 18/09/18 3:37 AM, Service MV wrote:Dear Ones, I draw on your experience in seeking help to determine
whether or not it is possible to achieve the configuration I am looking
for, due to a strange error I am having.
FYI: SquidGuard has not been maintained for many years now.
I recommend you convert as many of your filtering rules as you can into
normal Squid ACLs. Traffic which is being blocked for simple reasons can
be done much more efficiently by Squid than a helper.
You can use the more up-to-date ufdbguard helper as a drop-in
replacement for squidguard during the conversion....
Before commenting on the bug I describe my testing environment:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post
https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
to achieve kerberos authentication transparent to the user. SElinux
disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20 installed and working great with kerberos, NTLM and basic
authentication. All authentication mechanisms tested and working great.
- SquidGuard: 1.4 Berkeley DB 5.3.21 installed and working great with
blacklists and acl default.
My problem starts when I try to use source acl using ldapusersearch in
squidGuard...
systemctl status squid:
(squid-1)[12627]: The redirector helpers are crashing too rapidly, need
help!
*squidGuard.conf*
dbhome /etc/squid/db
logdir /var/log/squidGuard
ldapbinddn
CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
ldapbindpass myULTRAsecretPASS
ldapprotover 3
src WEB_BASIC {
ldapusersearch
ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))
log block.log
}
...
acl {
WEB_BASIC{
pass whitelist !BL_porn !blacklist all
redirect
http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=""> log block.log
}
*squid.conf*
acl localnet src 10.10.8.0/22 # LAN net
acl dmz src 192.168.20.0/27 # DMZ net
These ACLs are never used dues to what you are doing with the "auth" ACL.
...
### acl for proxy authentication (kerberos or ntlm) and ldap authorizations
acl auth proxy_auth REQUIRED
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
These have nothing to do with redirects and are never used.
### enforce authentication
http_access allow auth
http_access deny !auth
All possible traffic will match either "auth" or "!auth" above.
That means no http_access rules following this point do anything.### standard access rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
Your custom http_access rules (eg the auth checks) should be down here
so the basic security rules above have a chance to protect your proxy
again DoS, traffic smuggling attacks etc. before more complicated and
resource consuming things happen.http_access allow localnet
http_access allow dmz
http_access allow localhost
http_access deny all
...visible_hostname eren
The hostname needs to be a FQDN. It is delivered to clients in URLs
generated by Squid so they can fetch objects directly from the proxy.
FYI: Squid-3 should be able to automatically locate the hostname of the
machine it is running on. If that is not working then you need to fix
your machine, other software will be using the same mechanism and
likewise be encountering problems.httpd_suppress_version_string on
uri_whitespace strip
## squidGuard ##
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 10 startup=5 idle=1 concurrency=0
url_rewrite_bypass off
Your traffic in your access.log is all CONNECT requests. Those messages
cannot be re-written by SquidGuard. So at the very least you require
this config line:
url_rewrite_access deny CONNECT
.. at this point you may notice your SG rules have no effect. This is
one of many reasons why you should do access control in the proxy
config, not externally in a complicated and slow helper.
*messages*
Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at
ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in
libldap-2.4.so.2.10.7[7fdbf2027000+52000]
Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at
ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in
libldap-2.4.so.2.10.7[7fd79b75c000+52000]
...
If I disable src and acl WEB_BASIC I have no problem. The default acl
does its thing without problems.
But when I enable src and acl WEB_BASIC squidGuard explodes and squid
restarts so I get to notice.
I see an error in a libldap library... Will it be a library error? Or am
I misconfiguring my squid ?
It is not a Squid error. It is something in SquidGuard and/or the library.
Amos
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
