[squid-users] $20 in your PayPal account if you help me fix this

From: cosmo kramer <[email protected]>
Date: Mon, 26 Feb 2007 15:01:11 -0800 (PST)

$20 in your PayPal account if you help me fix this, $5
if I feel that you made a contribution to the answer
but didn’t fix it (a la experts-exchange.com)

The goal: Set up Squid to only allow authenticated
users certain sites (all whitelists, no black lists
involved).

The situation: I am attempting to get Squid up and
going, but am having issues with some sites that are
in *no* whitelist getting through. I am trying to get
it where nothing comes through except what I dictate
through whitelists per what GPO you are in.

The setup: Squid 2.6.STABLE9 running on a Windows XP
Pro box, authenticating to a Windows 2000/2003 domain.
Before you start typing what a bad idea it is to do
this on Windows, save your breath, I know.
Unfortunately, I don't write the business rules, so
work with what you got (at least I am not trying to
use an ISA server, right? ;).

The facts: Because I am testing, I have a very simple
setup currently. There are only two groups in AD
(group_proxy_a and group_proxy_b), one user in each of
those groups (proxy_a and proxy_b, respectively), and
two whitelists (proxy_a_sites.txt and
proxy_b_sites.txt). I am authenticating into the
Windows domain and the groups using the
mswin_ntlm_auth and mswin_check_lm_group executables,
which apparently work fine (if you look at the logs,
it pulls the user's DOMAIN\login information correctly,
and if the site is on the whitelist, it comes through
fine). Where I am stumped is how sites like
adidas.com and nike.com are allowed (again, no
existence of them on either of the whitelists), but
other stuff (like newbalance.com) is denied. I would
guess that 80-85% of sites are stopped from the
testing I have done, letting in 15-20% of stuff it
shouldn't.

  Here are some configs:
    
  ##########################
  # squid.conf #
  ##########################
    

auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm keep_alive on

...

external_acl_type win_domain_group ttl=300 %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G

...

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
## acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
## acl Safe_ports port 70 # gopher
## acl Safe_ports port 210 # wais
## acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
## acl Safe_ports port 591 # filemaker
## acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
    
acl localnet proxy_auth REQUIRED src xxx.xxx.xxx.xxx/16
acl proxy_a_users external win_domain_group group_proxy_a
acl proxy_a_sites dstdom_regex [-i] "c:/squid/lists/proxy_a_sites.txt"
acl proxy_b_users external win_domain_group group_proxy_b
acl proxy_b_sites dstdom_regex [-i] "c:/squid/lists/proxy_b_sites.txt"
    
http_access allow proxy_a_users proxy_a_sites
http_access allow proxy_b_users proxy_b_sites
http_access deny all
    
    
  ###############################
  # proxy_a_sites.txt #
  ###############################
    
.yahoo.com
.lycos.com
.google.com
.altavista.com
.ask.com
    
    
  ###############################
  # proxy_b_sites.txt #
  ###############################
   
.toyota.com
.honda.com
.nissan.com
.gm.com
.chevy.com
.ford.com

    
  ###############################
  # snippet from access.log #
  ###############################

1172528486.507 0 10.1.5.47 TCP_DENIED/407 1767 GET http://www.chevy.com/ - NONE/- text/html
1172528486.522 15 10.1.5.47 TCP_DENIED/407 1989 GET http://www.chevy.com/ - NONE/- text/html
1172528490.162 3640 10.1.5.47 TCP_MISS/302 352 GET http://www.chevy.com/ DOMAIN\proxy_b DIRECT/170.224.60.166 text/html
1172528490.178 16 10.1.5.47 TCP_DENIED/403 1467 GET http://www.chevrolet.com/ DOMAIN\proxy_b NONE/- text/html
1172528500.816 0 10.1.5.47 TCP_DENIED/407 1767 GET http://www.honda.com/ - NONE/- text/html
1172528500.816 0 10.1.5.47 TCP_DENIED/407 1989 GET http://www.honda.com/ - NONE/- text/html
1172528504.566 0 10.1.5.47 TCP_DENIED/407 1809 GET http://www.honda.com/js/rollover.js - NONE/- text/html
1172528504.581 0 10.1.5.47 TCP_DENIED/407 2031 GET http://www.honda.com/js/rollover.js - NONE/- text/html
1172528504.628 0 10.1.5.47 TCP_DENIED/407 1803 GET http://www.honda.com/css/main.css - NONE/- text/html
1172528504.644 0 10.1.5.47 TCP_DENIED/407 1809 GET http://www.honda.com/css/popups.css - NONE/- text/html
1172528504.706 78 10.1.5.47 TCP_DENIED/407 2025 GET http://www.honda.com/css/main.css - NONE/- text/html
1172528504.706 0 10.1.5.47 TCP_DENIED/407 1767 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172528504.706 0 10.1.5.47 TCP_DENIED/407 2031 GET http://www.honda.com/css/popups.css - NONE/- text/html
1172528504.737 15 10.1.5.47 TCP_DENIED/407 1989 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172528505.112 4296 10.1.5.47 TCP_MISS/200 22036 GET http://www.honda.com/ DOMAIN\proxy_b DIRECT/164.109.25.248 text/html
1172528505.253 672 10.1.5.47 TCP_MISS/200 2131 GET http://www.honda.com/js/rollover.js DOMAIN\proxy_b DIRECT/164.109.25.248 application/x-javascript
1172528505.394 672 10.1.5.47 TCP_MISS/200 2405 GET http://www.honda.com/css/popups.css DOMAIN\proxy_b DIRECT/164.109.25.248 text/css
1172528505.487 781 10.1.5.47 TCP_MISS/200 4252 GET http://www.honda.com/css/main.css DOMAIN\proxy_b DIRECT/164.109.25.248 text/css
1172528505.722 219 10.1.5.47 TCP_MISS/200 4376 GET http://www.honda.com/js/PopUps.js DOMAIN\proxy_b DIRECT/164.109.25.248 application/x-javascript
1172528505.987 265 10.1.5.47 TCP_MISS/200 843 GET http://www.honda.com/js/SpringBoard.js DOMAIN\proxy_b DIRECT/164.109.25.248 application/x-javascript
1172528505.987 1250 10.1.5.47 TCP_MISS/200 6159 CONNECT urs.microsoft.com:443 DOMAIN\proxy_b DIRECT/65.55.195.253 -
1172528506.300 313 10.1.5.47 TCP_MISS/200 2651 GET http://www.honda.com/images/logo.gif DOMAIN\proxy_b DIRECT/164.109.25.248 image/gif
1172528506.331 250 10.1.5.47 TCP_MISS/200 2159 GET http://www.honda.com/images/1.jpg DOMAIN\proxy_b DIRECT/164.109.25.248 image/jpeg
1172528506.409 328 10.1.5.47 TCP_MISS/200 2160 GET http://www.honda.com/images/2.jpg DOMAIN\proxy_b DIRECT/164.109.25.248 image/jpeg
1172528506.409 328 10.1.5.47 TCP_MISS/200 2206 GET http://www.honda.com/images/3.jpg DOMAIN\proxy_b DIRECT/164.109.25.248 image/jpeg
1172528506.659 359 10.1.5.47 TCP_MISS/200 3382 GET http://www.honda.com/slideshow.aspx DOMAIN\proxy_b DIRECT/164.109.25.248 text/html
1172528506.737 406 10.1.5.47 TCP_MISS/200 2442 GET http://www.honda.com/images/7.jpg DOMAIN\proxy_b DIRECT/164.109.25.248 image/jpeg

....

1172529009.234 671 10.1.5.47 TCP_MISS/200 1473 GET http://www.acura.com/main_body.aspx? DOMAIN\proxy_b DIRECT/71.19.198.53 text/html
1172529009.250 1140 10.1.5.47 TCP_MISS/200 732 GET http://www.acura.com/images/nt/ntpagetag.gif? DOMAIN\proxy_b DIRECT/71.19.198.53 image/gif
1172529009.359 109 10.1.5.47 TCP_HIT/206 8105 GET http://www.acura.com/sharedLibrary.swf DOMAIN\proxy_b NONE/- application/x-shockwave-flash
1172529009.391 813 10.1.5.47 TCP_MISS/200 1333 GET http://www.acura.com/control.aspx? DOMAIN\proxy_b DIRECT/71.19.198.53 text/html
1172529010.234 843 10.1.5.47 TCP_MISS/200 36891 GET http://www.acura.com/main.swf DOMAIN\proxy_b DIRECT/71.19.198.53 application/x-shockwave-flash
1172529012.109 1875 10.1.5.47 TCP_MISS/200 35666 GET http://www.acura.com/acuracodelibrary.swf DOMAIN\proxy_b DIRECT/71.19.198.53 application/x-shockwave-flash
1172529014.108 2187 10.1.5.47 TCP_MISS/200 31279 GET http://www.acura.com/genexcodelibrary.swf DOMAIN\proxy_b DIRECT/71.19.198.53 application/x-shockwave-flash
1172529014.921 813 10.1.5.47 TCP_MISS/200 15895 GET http://www.acura.com/director.aspx? DOMAIN\proxy_b DIRECT/71.19.198.53 text/xml
1172529019.232 4311 10.1.5.47 TCP_MISS/200 128627 GET http://www.acura.com/nav.swf DOMAIN\proxy_b DIRECT/71.19.198.53 application/x-shockwave-flash
1172529020.529 0 10.1.5.47 TCP_DENIED/407 2010 GET http://ad.doubleclick.net/activity;src=1167695;type=regio401;cat=acura178;ord=1;num=3917520371031.129? - NONE/- text/html
1172529020.529 0 10.1.5.47 TCP_DENIED/407 1833 GET http://leadback.advertising.com/adcedge/lb? - NONE/- text/html
1172529020.545 0 10.1.5.47 TCP_DENIED/407 2055 GET http://leadback.advertising.com/adcedge/lb? - NONE/- text/html
1172529020.685 812 10.1.5.47 TCP_MISS/200 623 GET http://www.acura.com/tracking.html? DOMAIN\proxy_b DIRECT/71.19.198.53 text/html
1172529020.795 0 10.1.5.47 TCP_DENIED/407 1791 GET http://www.acura.com/home.swf - NONE/- text/html
1172529020.810 15 10.1.5.47 TCP_DENIED/407 2013 GET http://www.acura.com/home.swf - NONE/- text/html
1172529021.310 765 10.1.5.47 TCP_MISS/200 613 GET http://leadback.advertising.com/adcedge/lb? DOMAIN\proxy_b DIRECT/204.0.99.194 image/gif
1172529021.654 844 10.1.5.47 TCP_MISS/200 35841 GET http://www.acura.com/home.swf DOMAIN\proxy_b DIRECT/71.19.198.53 application/x-shockwave-flash
1172529022.154 156 10.1.5.47 TCP_DENIED/403 1459 GET http://www.lycos.com/ DOMAIN\proxy_b NONE/- text/html
1172529022.201 547 10.1.5.47 TCP_MISS/200 39536 GET http://www.acura.com/content/Home/RDX.jpg DOMAIN\proxy_b DIRECT/71.19.198.53 image/jpeg
1172529022.404 0 10.1.5.47 TCP_DENIED/407 1767 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172529022.419 15 10.1.5.47 TCP_DENIED/407 1989 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172529022.435 0 10.1.5.47 TCP_DENIED/407 1767 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172529022.451 16 10.1.5.47 TCP_DENIED/407 1989 CONNECT urs.microsoft.com:443 - NONE/- text/html
1172529024.231 1812 10.1.5.47 TCP_MISS/200 6157 CONNECT urs.microsoft.com:443 DOMAIN\proxy_b DIRECT/65.54.225.125 -
1172529024.356 1905 10.1.5.47 TCP_MISS/200 6157 CONNECT urs.microsoft.com:443 DOMAIN\proxy_b DIRECT/65.54.225.125 -
1172529028.137 0 10.1.5.47 TCP_DENIED/403 1461 GET http://www.google.com/ DOMAIN\proxy_b NONE/- text/html
1172529028.278 0 10.1.5.47 TCP_DENIED/407 1806 GET http://g.microsoft.com/_0sfdata/1? - NONE/- text/html
1172529028.293 0 10.1.5.47 TCP_DENIED/407 2028 GET http://g.microsoft.com/_0sfdata/1? - NONE/- text/html
1172529028.606 313 10.1.5.47 TCP_MISS/204 456 GET http://g.microsoft.com/_0sfdata/1? DOMAIN\proxy_b DIRECT/207.68.179.219 -
1172529044.134 4171 10.1.5.47 TCP_MISS/304 528 GET http://www.nike.com/ DOMAIN\proxy_b DIRECT/72.246.32.212 -
1172529044.603 469 10.1.5.47 TCP_MISS/200 3761 GET http://www.nike.com/index.jhtml DOMAIN\proxy_b DIRECT/72.246.32.212 text/html
1172529045.415 0 10.1.5.47 TCP_DENIED/407 1788 CONNECT secure-niketown.nike.com:443 - NONE/- text/html
1172529045.431 0 10.1.5.47 TCP_DENIED/407 2010 CONNECT secure-niketown.nike.com:443 - NONE/- text/html
1172529054.757 1703 10.1.5.47 TCP_MISS/302 1017 GET http://www.adidas.com/ DOMAIN\proxy_b DIRECT/63.209.213.55 text/html
1172529055.022 265 10.1.5.47 TCP_MISS/302 641 GET http://www.adidas.com/us/ DOMAIN\proxy_b DIRECT/63.209.213.55 text/html
1172529055.835 813 10.1.5.47 TCP_MISS/200 3475 GET http://www.adidas.com/us/shared/brandselector.asp DOMAIN\proxy_b DIRECT/63.209.213.55 text/html
1172529056.053 0 10.1.5.47 TCP_DENIED/407 1800 GET http://ehg-adidas.hitbox.com/HG? - NONE/- text/html
1172529056.069 16 10.1.5.47 TCP_DENIED/407 2022 GET http://ehg-adidas.hitbox.com/HG? - NONE/- text/html
1172529056.272 437 10.1.5.47 TCP_REFRESH_HIT/200 41281 GET http://www.adidas.com/us/images/Brand_Selector/Q2_07_Wtennis.jpg DOMAIN\proxy_b DIRECT/63.209.213.55 image/jpeg
1172529056.881 812 10.1.5.47 TCP_MISS/200 1361 GET http://ehg-adidas.hitbox.com/HG? DOMAIN\proxy_b DIRECT/64.154.81.197 image/gif
1172529103.966 718 10.1.5.47 TCP_DENIED/403 1469 GET http://www.newbalance.com/ DOMAIN\proxy_b NONE/- text/html
1172529110.871 65440 10.1.5.47 TCP_MISS/200 8199 CONNECT secure-niketown.nike.com:443 DOMAIN\proxy_b DIRECT/72.246.32.76 -
    

As you can see, it seems to allow sites like
honda.com, acura.com, etc. (which it should), but why
is it allowing adidas.com and nike.com? If I need to
provide any more information, configs, etc., let me
know.

Thanks for any help, I appreciate it.

 
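An audit script that pulls the same signal out of access.log automatically, added here as an example and not part of the original post: it replays the posted whitelists against constructed log lines modelled on the snippet above and lists every destination a user actually reached that matches no entry in that user's list. It assumes Squid's native log format and dstdom_regex semantics (each entry is an unanchored regular expression, compared case-insensitively under -i); nothing here reads the real files or config.

```python
import re
from urllib.parse import urlsplit

# Whitelist files as posted. dstdom_regex entries are regular expressions that Squid
# searches unanchored against the host, so the leading "." is a one-character wildcard.
WHITELISTS = {
    r"DOMAIN\proxy_a": [".yahoo.com", ".lycos.com", ".google.com", ".altavista.com", ".ask.com"],
    r"DOMAIN\proxy_b": [".toyota.com", ".honda.com", ".nissan.com", ".gm.com", ".chevy.com", ".ford.com"],
}

# Constructed access.log lines in Squid's native format, modelled on the post.
SAMPLE_LOG = [
    r"1172528490.162 3640 10.1.5.47 TCP_MISS/302 352 GET http://www.chevy.com/ DOMAIN\proxy_b DIRECT/170.224.60.166 text/html",
    r"1172528490.178 16 10.1.5.47 TCP_DENIED/403 1467 GET http://www.chevrolet.com/ DOMAIN\proxy_b NONE/- text/html",
    r"1172529044.603 469 10.1.5.47 TCP_MISS/200 3761 GET http://www.nike.com/index.jhtml DOMAIN\proxy_b DIRECT/72.246.32.212 text/html",
    r"1172529045.415 0 10.1.5.47 TCP_DENIED/407 1788 CONNECT secure-niketown.nike.com:443 - NONE/- text/html",
    r"1172529110.871 65440 10.1.5.47 TCP_MISS/200 8199 CONNECT secure-niketown.nike.com:443 DOMAIN\proxy_b DIRECT/72.246.32.76 -",
    r"1172529103.966 718 10.1.5.47 TCP_DENIED/403 1469 GET http://www.newbalance.com/ DOMAIN\proxy_b NONE/- text/html",
]

def dest_host(method, url):
    """Host Squid evaluates: host:port for CONNECT, the URL host otherwise."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""

def whitelisted(host, patterns):
    """Mimic dstdom_regex -i: a pattern found anywhere in the host allows it."""
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)

def audit(log_lines, whitelists):
    """Return (user, host) pairs the proxy actually served (any code other than
    TCP_DENIED) whose host matches nothing in that user's whitelist."""
    leaks = []
    for line in log_lines:
        f = line.split()
        if len(f) < 10:  # skip truncated or garbled lines
            continue
        code = f[3].split("/", 1)[0]
        method, url, user = f[5], f[6], f[7]
        if code == "TCP_DENIED" or user == "-":  # 407 challenges and 403 denials
            continue
        pair = (user, dest_host(method, url))
        if pair not in leaks and not whitelisted(pair[1], whitelists.get(user, [])):
            leaks.append(pair)
    return leaks

if __name__ == "__main__":
    for user, host in audit(SAMPLE_LOG, WHITELISTS):
        print(f"{user} reached {host} with no whitelist match")
```

Point it at a full access.log (one line per list element) and the output is exactly the set of hosts the poster is asking about, plus the advertising and Microsoft hosts the snippet also shows slipping through.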
Received on Mon Feb 26 2007 - 16:01:21 MST

This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST