Re: [squid-users] Need help in integrating squid and samba

From: Avinash Rao <avinash.aol_at_gmail.com>
Date: Tue, 8 Sep 2009 13:27:19 +0530

On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
> Avinash Rao wrote:
>>
>> On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries<squid3_at_treenet.co.nz>
>> wrote:
>>>
>>> Avinash Rao wrote:
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: Avinash Rao <avinash.aol_at_gmail.com>
>>>> Date: Tue, Sep 8, 2009 at 11:13 AM
>>>> Subject: Re: Fwd: [squid-users] Need help in integrating squid and samba
>>>> To: Amos Jeffries <squid3_at_treenet.co.nz>
>>>> Cc: Henrik Nordstrom <henrik_at_henriknordstrom.net>,
>>>> squid-users_at_squid-cache.org
>>>>
>>>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>>>> wrote:
>>>>>
>>>>> Avinash Rao wrote:
>>>>>>
>>>>>> On 8/31/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>>>>
>>>>>>> Avinash Rao wrote:
>>>>>>>
>>>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
>>>>>>>
>>>>>>> <henrik_at_henriknordstrom.net
>>>>>>> <mailto:henrik_at_henriknordstrom.net>> wrote:
>>>>>>>>
>>>>>>>> Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
>>>>>>>> > I couldn't find any document that shows me how to enable wb_info
>>>>>>>> > for squid.
>>>>>>>> > Can anybody help me?
>>>>>>>>
>>>>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>>>
>>>>>>>> acl group1 external NT_Group group1
>>>>>>>>
>>>>>>>> then use group1 whenever you want to match users belonging to that
>>>>>>>> Windows group.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Henrik
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi Henrik,
>>>>>>>>
>>>>>>>> I have used the following in my squid.conf
>>>>>>>>
>>>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>>>>>>> acl group1 external NT_Group staff
>>>>>>>>
>>>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>>>> http_access allow net
>>>>>>>>
>>>>>>>> On my Linux server, I have created a group called staff and made a
>>>>>>>> couple of users a member of this group called staff. My intention is to
>>>>>>>> provide access to users belonging to group staff on all days from
>>>>>>>> morning 9am - 7PM. The rest should be denied.
>>>>>>>>
>>>>>>>> But this didn't work, when the Samba users login from a winxp
>>>>>>>> client, it doesn't get access to internet at all.
>>>>>>>
>>>>>>> There is no http_access line making any use of ACL "group1".
>>>>>>>
>>>>>>> And _everybody_ (me included on this side of the Internet) is allowed
>>>>>>> to use your proxy between 9am and 6pm.
>>>>>>>
>>>>>>>
>>>>>>> Amos
>>>>>>
>>>>>> Thanks for the reply. Yeah, I missed http_access allow group1.
>>>>>> I didn't understand your second statement; are you telling me that I
>>>>>> should deny access to the net?
>>>>>
>>>>> You should combine the ACL with others on an http_access line so that
>>>>> it's limited to who it allows.
>>>>>
>>>>> This:
>>>>>  acl net time M T W T F S S 9:00-18:00
>>>>>  http_access allow net
>>>>>
>>>>> simply says "all requests are allowed between time X and Y".
>>>>> Without additional controls, i.e. on the IP address making the request,
>>>>> you end up with an open proxy.
>>>>>
>>>>> Amos
>>>>
>>>> Dear Amos,
>>>>
>>>> I am still not able to get this working. Here's what I want to
>>>> accomplish. I have WinXP - SP2 clients logging onto the samba domain
>>>> and LTSP users. All users use squid proxy. My intention is to control
>>>> the samba users from accessing the internet at certain times.
>>>>
>>>> If I don't use the external_acl_type NT_Group as mentioned below, the
>>>> squid works properly for all users, even windows and anybody using
>>>> squid proxy.
>>>>
>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>> acl group1 external NT_Group group1
>>>>
>>>> I have created a group called staff using the net rpc command and I
>>>> have made all the users using winxp members of this group staff. So,
>>>> my acl will look like
>>>>
>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>> acl acl_name external NT_Group staff
>>>> http_access allow staff
>>>>
>>>> According to my understanding, it should allow only those samba users
>>>> which come under the group staff. But that's not happening, squid
>>>> denies access to the internet.
>>>
>>> _when tested_ it should be doing that. Other rules around it have an
>>> effect that you may have overlooked.
>>>
>>> Then again the group name is case-sensitive. The helper is OS access
>>> permission sensitive, and NTLM auth has difficulties all of its own.
>>>
>>>
>>> I'll need to see the whole access config to know what's going on. And
>>> remind me what version of Squid this is.
>>>
>>>
>>> Amos
>>
>> hi,
>>
>>
>> root_at_sunbox:/etc/squid# dpkg -l | grep squid
>> ii  squid          2.6.18-1ubuntu3    Internet object cache (WWW proxy cache)
>> ii  squid-common   2.6.18-1ubuntu3    Internet object cache (WWW proxy cache) - co
>>
>> squid.conf
>>
>> visible_hostname sunbox
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>
> use:  cache deny QUERY
>
>> hosts_file /etc/hosts
>> http_port 10.10.10.200:3128
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern . 0 20% 4320
>>
>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>> acl staffgroup external NT_Group staff
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443 563
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443 563     # https, snews
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 631         # cups
>> acl Safe_ports port 777         # multiling http
>> acl Safe_ports port 901         # SWAT
>> acl Safe_ports port 993         # IMAP
>> acl Safe_ports port 587         # SMTP
>> acl Safe_ports port 22          # SSH
>> acl purge method PURGE
>> acl special_urls url_regex "/etc/squid/squid-noblock.acl"
>> acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
>
> File extensions?
>  --> use urlpath_regex -i \.(mp3|exe|zip)(\?.*)?$
>
>
>> acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
>> acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
>
> So "prexel.com" is a bad URL?
>
> Be VERY careful with regex matching. Avoid where possible.
>
> The mp3/mp4/exe bits can be moved to the bad extension list.
>
> The youtube and orkut stuff should be a dstdomain ACL type with a wildcard
> list of their domains:  dstdomain .youtube.com .yimg.com
>
> (I'm not sure what the full range of orkut domains are).
>
>> acl lan src 192.168.1.0 10.10.10.0/24
>> acl stud ident_regex babu
>> acl download method GET
>> acl CONNECT method CONNECT
>> cache_mem 100 MB
>> #redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>> ident_lookup_access allow all
>> http_access allow staffgroup
>
> For testing I hope. Okay, so staffgroup should have unlimited proxy access
> from anywhere in the world. If they happen to send their login information
> to random machines (including Squid) without being asked to.
>
> I think you need to try:
>
>  acl authUsers proxy_auth REQUIRED
>  http_access deny !authUsers
>  http_access allow staffgroup
>
> You also need a set of auth_param settings to actually retrieve the login
> details. wbinfo does not work without them.
>
>
> Also, check the default user your Squid runs under is properly a member of
> the winbind group in the OS security settings.
> wbinfo requires access to the winbind data which gets dynamically created,
> so hacking around with chown does not work.
>
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow purge localhost
>> http_access allow special_urls
>> http_access deny extndeny download
>
> The above line merely doubles the server CPU load from the extndeny regex
> test.
>
> The one below does the same thing for non-"download" stuff.
>
>> http_access deny extndeny
>> http_access deny purge
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>
> Well, the two lines above really should be the first two http_access lines
> in the config. They catch a huge amount of bad requests in a very efficient
> way.
>
>> http_access deny badurl
>> http_access deny malware_block_list
>> deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
>> http_access allow localhost
>> http_access allow lan
>> http_access deny all
>> http_reply_access allow all
>> icp_access allow all
>> coredump_dir /var/spool/squid
>>
>>
>> Thanks
>> Avinash
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>  Current Beta Squid 3.1.0.13
>

Thanks again, I will go through this and let you know the results.

Regards,
Avinash
Received on Tue Sep 08 2009 - 07:57:34 MDT

This archive was generated by hypermail 2.2.0 : Tue Sep 08 2009 - 12:00:02 MDT