On 2019-05-17 05:36, Rafael Silva Daniel wrote:
> http_port 3128
> dns_nameservers XXXXXXX
> visible_hostname proxy
> cache_dir ufs /var/spool/squid 100 16 256
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> strip_query_terms off
> err_html_text /usr/share/squid-langpack/pt-br/
The above directive has not been supported since Squid-3.1. Please
remove.
You seem to be wanting that pt-br to be your default error page
language?
If that is correct, then use this instead:
error_default_language pt-br
> url_rewrite_program /usr/bin/squidGuard
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=FAPEMIG
> auth_param ntlm children 100
> auth_param ntlm keep_alive off
> external_acl_type NT_global_group %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl Safe_ports port 80 # http
> acl Safe_ports port 90 # metodo
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080 # CNPq
> acl Safe_ports port 3342 #
8080 and 3342 are already part of the 1024-65535 range. You can remove
them from the above list.
> acl CONNECT method CONNECT
> acl auth proxy_auth REQUIRED
> acl users external NT_global_group "/etc/squid/fapgrp"
> http_access deny !Safe_ports
> http_access allow CONNECT
Here is the problem, exactly as suspected. The above line is supposed to
be:
http_access deny CONNECT !SSL_Ports
After this change alone you will find that HTTPS is only accessible to
users once they login.
If you then find out some CONNECT tunnels need to go to any other ports,
then you can add those numbers to the SSL_Ports list.
Just be careful and investigate whether that is a real need first due to
how CONNECT lets arbitrary traffic through the proxy.
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
NP: traffic from localhost (127.0.0.1/8 or [::1]/128 IP ranges) will not
be logged with a username.
> http_access deny !users
> http_access allow users
> http_access deny !auth
> http_access allow auth
"allow users" is redundant with "allow auth". And users test relies on
auth having already happened.
I would reorder these few lines to be:
http_access deny !auth
http_access deny !users
http_access allow auth
That removes the need for several helper lookups, which gives a small
performance gain.
NTLM is still the worst cause of delays with this whole setup though.
> what do you think? if there's a simpler way to get the AD users of the
> people browsing i would use that too,
I recommend you start looking into Kerberos authentication against AD.
While it's not exactly simpler for admin, it is a huge performance boost
and security improvement.
Microsoft also officially deprecated NTLM in 2006 and has been formally
removing support from their software since Vista.
So there is future-proofing the network security system as another gain.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
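To check the reasoning in the reply against sample requests, here is a small model of Squid's first-match http_access evaluation. It is an added example, not code from the thread or from the Squid project; it assumes simplified ACL semantics (no manager rules, a missing user treated as a plain non-match of proxy_auth) and a constructed group membership.

```python
# Constructed model of Squid's first-match http_access evaluation, comparing
# the rule order posted in the thread with the corrected order from the reply.
# Assumptions: simplified ACL types, manager rules omitted, external-helper
# calls counted per evaluation (Squid's own result caching is not modelled).

SAFE_PORTS = {80, 90, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443, 8443}
GROUP_MEMBERS = {"alice"}  # constructed stand-in for the /etc/squid/fapgrp group

def match_acl(name, req, lookups):
    """Evaluate one ACL against a request; record external helper calls."""
    if name == "Safe_ports":
        return req["port"] in SAFE_PORTS
    if name == "SSL_ports":
        return req["port"] in SSL_PORTS
    if name == "CONNECT":
        return req["method"] == "CONNECT"
    if name == "localhost":
        return req["src"] in ("127.0.0.1", "::1")
    if name == "auth":   # acl auth proxy_auth REQUIRED
        return req.get("user") is not None
    if name == "users":  # acl users external NT_global_group -> helper call
        lookups.append("ext_wbinfo_group_acl")
        return req.get("user") in GROUP_MEMBERS
    raise ValueError(f"unknown acl {name}")

def http_access(rules, req):
    """First matching rule wins; default is the opposite of the last rule."""
    lookups = []
    for action, terms in rules:
        if all(match_acl(t.lstrip("!"), req, lookups) != t.startswith("!") for t in terms):
            return action, len(lookups)
    return ("deny" if rules[-1][0] == "allow" else "allow"), len(lookups)

ORIGINAL = [("deny", ["!Safe_ports"]), ("allow", ["CONNECT"]), ("allow", ["localhost"]),
            ("deny", ["!users"]), ("allow", ["users"]),
            ("deny", ["!auth"]), ("allow", ["auth"])]
FIXED = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]), ("allow", ["localhost"]),
         ("deny", ["!auth"]), ("deny", ["!users"]), ("allow", ["auth"])]

# Constructed requests: an unauthenticated client and an authenticated group member.
ANON_CONNECT_8080 = {"src": "10.0.0.5", "method": "CONNECT", "port": 8080}
ANON_CONNECT_443 = {"src": "10.0.0.5", "method": "CONNECT", "port": 443}
ALICE_GET_80 = {"src": "10.0.0.5", "method": "GET", "port": 80, "user": "alice"}

if __name__ == "__main__":
    for label, req in [("anon CONNECT:8080", ANON_CONNECT_8080),
                       ("anon CONNECT:443", ANON_CONNECT_443), ("alice GET:80", ALICE_GET_80)]:
        print(f"{label:18} original={http_access(ORIGINAL, req)} fixed={http_access(FIXED, req)}")
```

The output shows the original order allowing unauthenticated CONNECT tunnels (even to 8080) with no helper call, while the corrected order denies them, requires login for 443, and needs one group lookup instead of two for an authenticated member.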