
Any suggestions or comments about my configuration? squid 3.5.20

Dear Ones, the more I use Squid the more I realize how powerful it is.
And like all powerful software it can be complex at first.
I would like to share my settings and, if possible, listen to (read, actually) your comments and suggestions.
My goals for using squid:
- Transparent authentication of my AD users (2012R2)
- Internet access rules based on users belonging to AD groups.
- Non-authenticated clients (Win PCs) cannot navigate through the proxy.
- Clients (Win PCs) not belonging to an AD group allowed in squid cannot navigate through the proxy.

My test scenario:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is joined to my domain W2012R2 (following this post https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/) to achieve kerberos authentication transparent to the user. SELinux disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20 installed and working great with kerberos, NTLM and basic authentication.

squid.conf
### negotiate kerberos & ntlm authentication
auth_param negotiate program /usr/sbin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib64/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME 
auth_param negotiate children 10 
auth_param negotiate keep_alive on

### standard allowed ports
acl SSL_ports port 443 
acl Safe_ports port 80 # http 
acl Safe_ports port 21 # ftp 
acl Safe_ports port 443 # https 
acl Safe_ports port 70 # gopher 
acl Safe_ports port 210 # wais 
acl Safe_ports port 1025-65535 # unregistered ports 
acl Safe_ports port 280 # http-mgmt 
acl Safe_ports port 488 # gss-http 
acl Safe_ports port 591 # filemaker 
acl Safe_ports port 777 # multiling http 
acl CONNECT method CONNECT

### destination domains to be blocked in a HTTP access control
acl LS_malicius dstdomain -i "/etc/squid/DBL/malicius/malicius.txt"
acl LS_remotecontrol dstdomain -i "/etc/squid/DBL/remotecontrol/remotecontrol.txt"

### LDAP group membership sources
# WEB_ACCESS_1
external_acl_type AD_WEB_ACCESS_1 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=USERS,DC=netgol,DC=local -D ldap -W "/etc/squid/ldap_pass.txt" -f (&(sAMAccountName=%u)(memberOf=cn=WEB_ACCESS_1,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local)) -h s-dc1.netgol.local -p 3268
acl WEB_ACCESS_1 external AD_WEB_ACCESS_1 web-access-1

# WEB_ACCESS_2
external_acl_type AD_WEB_ACCESS_2 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=USERS,DC=netgol,DC=local -D ldap -W "/etc/squid/ldap_pass.txt" -f (&(sAMAccountName=%u)(memberOf=cn=WEB_ACCESS_2,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local)) -h s-dc1.netgol.local -p 3268
acl WEB_ACCESS_2 external AD_WEB_ACCESS_2 web-access-2

# WEB_ACCESS_3
external_acl_type AD_WEB_ACCESS_3 %LOGIN /usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=USERS,DC=netgol,DC=local -D ldap -W "/etc/squid/ldap_pass.txt" -f (&(sAMAccountName=%u)(memberOf=cn=WEB_ACCESS_3,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local)) -h s-dc1.netgol.local -p 3268
acl WEB_ACCESS_3 external AD_WEB_ACCESS_3 web-access-3

### HTTP access control policies
# evaluated top to bottom; the first line whose ACLs all match decides
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# blocklists are checked per group before the group allow lines
http_access deny WEB_ACCESS_1 LS_malicius
http_access deny WEB_ACCESS_2 LS_malicius
http_access deny WEB_ACCESS_3 LS_malicius
http_access deny WEB_ACCESS_1 LS_remotecontrol
http_access deny WEB_ACCESS_2 LS_remotecontrol
http_access allow WEB_ACCESS_1
http_access allow WEB_ACCESS_2
http_access allow WEB_ACCESS_3
http_access allow localhost
# requests that matched no group (including unauthenticated ones) end here
http_access deny all

### personalization ###
http_port 8080 
coredump_dir /var/spool/squid 
refresh_pattern ^ftp: 1440 20% 10080 
refresh_pattern ^gopher: 1440 0% 1440 
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 
refresh_pattern .  0 20% 4320 
quick_abort_min 0 KB 
quick_abort_max 0 KB 
read_timeout 5 minutes 
request_timeout 3 minutes 
half_closed_clients off 
shutdown_lifetime 15 seconds 
log_icp_queries off 
dns_v4_first on 
ipcache_size 2048 
ipcache_low 90 
fqdncache_size 4096 
forwarded_for off 
cache_mgr system@xxxxxxxxxx 
visible_hostname proxy.netgol.local 
httpd_suppress_version_string on 
uri_whitespace strip
logfile_rotate 7
debug_options rotate=7


Any suggestion or comment will be very useful to me, and I thank you in advance.
Best regards,

Gabriel


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
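The http_access block above is a first-match list, so the easiest way to check what each kind of client ends up with is to replay the rules. The following simulator is an added example, not code from the post or from Squid: the group memberships, the two dstdomain lists and the approximation of the built-in `manager` ACL by URL path are constructed assumptions.

```python
# Added example, not from the post: simulate first-match evaluation of the http_access
# rules above. Group memberships and the two dstdomain lists are constructed stand-ins.
from dataclasses import dataclass

MALICIOUS, REMOTE_CONTROL = {"malware.example"}, {"remotedesk.example"}
GROUPS = {"alice": {"WEB_ACCESS_1"}, "bob": {"WEB_ACCESS_3"}, "carol": set()}
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))

@dataclass
class Request:
    user: str = ""            # empty string: no credentials were presented
    host: str = "www.example"
    port: int = 80
    method: str = "GET"
    path: str = "/"
    localhost: bool = False

def dstdomain(host, domains):
    # dstdomain matches the listed name and anything under it; -i makes it case-insensitive
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in domains)

ACLS = {
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "SSL_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "localhost": lambda r: r.localhost,
    "manager": lambda r: r.path.startswith("/squid-internal-mgr/"),  # approximation
    "LS_malicius": lambda r: dstdomain(r.host, MALICIOUS),
    "LS_remotecontrol": lambda r: dstdomain(r.host, REMOTE_CONTROL),
    "all": lambda r: True,
}
for g in ("WEB_ACCESS_1", "WEB_ACCESS_2", "WEB_ACCESS_3"):
    # %LOGIN external ACLs: with no credentials the helper is never consulted, so no match
    ACLS[g] = lambda r, g=g: r.user != "" and g in GROUPS.get(r.user, set())
# The http_access lines from the post, in order; a leading "!" negates an ACL
RULES = [("deny", "!Safe_ports"), ("deny", "CONNECT !SSL_ports"),
         ("allow", "localhost manager"), ("deny", "manager"),
         ("deny", "WEB_ACCESS_1 LS_malicius"), ("deny", "WEB_ACCESS_2 LS_malicius"),
         ("deny", "WEB_ACCESS_3 LS_malicius"), ("deny", "WEB_ACCESS_1 LS_remotecontrol"),
         ("deny", "WEB_ACCESS_2 LS_remotecontrol"), ("allow", "WEB_ACCESS_1"),
         ("allow", "WEB_ACCESS_2"), ("allow", "WEB_ACCESS_3"), ("allow", "localhost"),
         ("deny", "all")]

def http_access(req):
    """Return (verdict, 1-based rule number) of the first rule whose ACLs all match."""
    for i, (verdict, acls) in enumerate(RULES, 1):
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in acls.split()):
            return verdict, i
    return "allow", 0  # Squid's default when nothing matches: opposite of the last action
```

Replaying a few requests shows, for instance, that a WEB_ACCESS_3 member reaches the remote-control domains (rule 12) while a WEB_ACCESS_1 member is stopped by rule 8, and that a request without credentials falls through to `deny all`.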
