Re: [squid-users] Need help in integrating squid and samba

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 08 Sep 2009 18:49:37 +1200

Avinash Rao wrote:
> On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>> Avinash Rao wrote:
>>> ---------- Forwarded message ----------
>>> From: Avinash Rao <avinash.aol_at_gmail.com>
>>> Date: Tue, Sep 8, 2009 at 11:13 AM
>>> Subject: Re: Fwd: [squid-users] Need help in integrating squid and samba
>>> To: Amos Jeffries <squid3_at_treenet.co.nz>
>>> Cc: Henrik Nordstrom <henrik_at_henriknordstrom.net>,
>>> squid-users_at_squid-cache.org
>>>
>>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>> Avinash Rao wrote:
>>>>> On 8/31/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>>> Avinash Rao wrote:
>>>>>>
>>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom <henrik_at_henriknordstrom.net> wrote:
>>>>>>> Sun 2009-08-23 at 15:08 +0530, Avinash Rao wrote:
>>>>>>> > I couldn't find any document that shows me how to enable wb_info
>>>>>>> for squid.
>>>>>>> > Can anybody help me?
>>>>>>>
>>>>>>> external_acl_type NT_Group %LOGIN
>>>>>>> /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>>
>>>>>>> acl group1 external NT_Group group1
>>>>>>>
>>>>>>>
>>>>>>> then use group1 whenever you want to match users belonging to that
>>>>>>> Windows group.
>>>>>>>
>>>>>>> Regards
>>>>>>> Henrik
>>>>>>>
>>>>>>>
>>>>>>> Hi Henrik,
>>>>>>>
>>>>>>> I have used the following in my squid.conf
>>>>>>>
>>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>>>>>> acl group1 external NT_Group staff
>>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>>> http_access allow net
>>>>>>>
>>>>>>> On my Linux server, I have created a group called staff and made a
>>>>>>> couple of users members of this group called staff. My intention is to
>>>>>>> provide access to users belonging to group staff on all days from
>>>>>>> morning 9am - 7PM. The rest should be denied.
>>>>>>> But this didn't work: when the Samba users log in from a WinXP client,
>>>>>>> they don't get access to the internet at all.
>>>>>> There is no http_access line making any use of ACL "group1".
>>>>>>
>>>>>> And _everybody_ (me included, on this side of the Internet) is allowed
>>>>>> to use your proxy between 9am and 6pm.
>>>>>>
>>>>>>
>>>>>> Amos
>>>>> Thanks for the reply. Yes, I missed "http_access allow group1".
>>>>> I didn't understand your second statement; are you telling me that I
>>>>> should deny access to net?
>>>> You should combine the ACL with others on an http_access line so that it's
>>>> limited to who it allows.
>>>>
>>>> This:
>>>> acl net time M T W T F S S 9:00-18:00
>>>> http_access allow net
>>>>
>>>> simply says "all requests are allowed between time X and Y".
>>>> Without additional controls, i.e. on the IP address making the request,
>>>> you end up with an open proxy.
>>>>
>>>> Amos
>>> Dear Amos,
>>>
>>> I am still not able to get this working. Here's what I want to
>>> accomplish. I have WinXP SP2 clients logging onto the Samba domain,
>>> and LTSP users. All users use the Squid proxy. My intention is to control
>>> when the Samba users can access the internet.
>>>
>>> If I don't use the external_acl_type NT_Group as mentioned below, Squid
>>> works properly for all users, even Windows users and anybody else using
>>> the Squid proxy.
>>>
>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>> acl group1 external NT_Group group1
>>>
>>> I have created a group called staff using the net rpc command and I
>>> have made all the users using WinXP members of this group staff. So,
>>> my ACL will look like
>>>
>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>> acl acl_name external NT_Group staff
>>> http_access allow staff
>>>
>>> According to my understanding, it should allow only those Samba users
>>> which come under the group staff. But that's not happening; Squid
>>> denies access to the internet.
>> _when tested_ it should be doing that. Other rules around it have an effect
>> that you may have overlooked.
>>
>> Then again the group name is case-sensitive. The helper is OS access
>> permission sensitive, and NTLM auth has difficulties all of its own.
>>
>>
>> I'll need to see the whole access config to know what's going on. And remind
>> me what version of Squid this is.
>>
>>
>> Amos
>
> hi,
>
>
> root_at_sunbox:/etc/squid# dpkg -l | grep squid
> ii squid 2.6.18-1ubuntu3
> Internet object cache (WWW proxy cache)
> ii squid-common 2.6.18-1ubuntu3
> Internet object cache (WWW proxy cache) - co
>
> squid.conf
>
> visible_hostname sunbox
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

use: cache deny QUERY

> hosts_file /etc/hosts
> http_port 10.10.10.200:3128
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
> acl staffgroup external NT_Group staff
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 631 # cups
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 901 # SWAT
> acl Safe_ports port 993 # IMAP
> acl Safe_ports port 587 # SMTP
> acl Safe_ports port 22 # SSH
> acl purge method PURGE
> acl special_urls url_regex "/etc/squid/squid-noblock.acl"
> acl extndeny url_regex -i "/etc/squid/blocks.files.acl"

File extensions?
  --> use urlpath_regex -i \.(mp3|exe|zip)(\?.*)?$

> acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
> acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe

So "prexel.com" is a bad URL?

Be VERY careful with regex matching. Avoid where possible.

The mp3/mp4/exe bits can be moved to the bad extension list.

The youtube and orkut stuff should be a dstdomain ACL type with a
wildcard list of their domains: dstdomain .youtube.com .yimg.com

(I'm not sure what the full range of orkut domains are).

> acl lan src 192.168.1.0 10.10.10.0/24
> acl stud ident_regex babu
> acl download method GET
> acl CONNECT method CONNECT
> cache_mem 100 MB
> #redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> ident_lookup_access allow all
> http_access allow staffgroup

For testing, I hope. Okay, so staffgroup should have unlimited proxy
access from anywhere in the world, if they happen to send their login
information to random machines (including Squid) without being asked to.

I think you need to try:

   acl authUsers proxy_auth REQUIRED
   http_access deny !authUsers
   http_access allow staffgroup

You also need a set of auth_param settings to actually retrieve the
login details. wbinfo does not work without them.

Also, check the default user your Squid runs under is properly a member
of the winbind group in the OS security settings.
wbinfo requires access to the winbind data which gets dynamically
created, so hacking around with chown does not work.

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access allow special_urls
> http_access deny extndeny download

The above line merely doubles the server CPU load from the extndeny
regex test.

The one below does the same thing for non-"download" stuff.

> http_access deny extndeny
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Well, the two lines above really should be the first two http_access
lines in the config. They catch a huge amount of bad requests in a very
efficient way.

> http_access deny badurl
> http_access deny malware_block_list
> deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
> http_access allow localhost
> http_access allow lan
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> coredump_dir /var/spool/squid
>
>
> Thanks
> Avinash

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
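The squid.conf below is an added example that pulls together the corrections Amos gives piecemeal above (cheap denies first, credentials required before the group lookup, the group ACL combined with a source network and a time window, `cache deny QUERY`, `urlpath_regex` for extensions, `dstdomain` for sites). It is not Avinash's config nor text from Amos's reply. The `auth_param` lines, the `/usr/bin/ntlm_auth` and `/usr/lib/squid/wbinfo_group.pl` paths, the `children=`/`ttl=` options, the single `.youtube.com` entry and the `workhours` day letters are assumptions for a Debian/Ubuntu Squid 2.6 with Samba winbind; check each against your own install before use.

```conf
# Added example (not the original poster's config): squid.conf access section
# reworked along the lines suggested in the thread. Paths and helper options
# are assumptions for a Debian/Ubuntu Squid 2.6 + Samba winbind host.

visible_hostname sunbox
http_port 10.10.10.200:3128
hosts_file /etc/hosts
cache_mem 100 MB
coredump_dir /var/spool/squid

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY                        # "cache deny", not "no_cache deny"

refresh_pattern ^ftp:     1440 20% 10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern .            0 20%  4320

# wbinfo_group.pl only ever sees a %LOGIN after Squid has obtained
# credentials, so auth_param helpers are mandatory. ntlm_auth is Samba's
# helper; the --helper-protocol names are Samba's own (assumed paths).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# The helper path must be where YOUR package installed it
# (dpkg -L squid | grep wbinfo); /usr/lib/squid/ is assumed here.
external_acl_type NT_Group children=5 ttl=3600 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl staffgroup external NT_Group staff   # group name is case-sensitive
acl authUsers  proxy_auth REQUIRED

acl all          src 0.0.0.0/0.0.0.0
acl manager      proto cache_object
acl localhost    src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl lan          src 192.168.1.0/24 10.10.10.0/24   # explicit mask on both
acl SSL_ports    port 443 563
acl Safe_ports   port 80 21 443 563 70 210 1025-65535 280 488 591 631 777 901 993 587 22
acl CONNECT      method CONNECT
acl purge        method PURGE

# Squid day letters: S M T W H F A (H = Thursday, A = Saturday), D = weekdays.
acl workhours time SMTWHFA 9:00-18:00

# Content controls: urlpath_regex for extensions, dstdomain for sites.
acl special_urls url_regex "/etc/squid/squid-noblock.acl"
acl badext  urlpath_regex -i \.(mp3|mp4|exe|zip)(\?.*)?$
acl baddom  dstdomain .youtube.com        # extend with the domains you mean
acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list

# http_access: first match wins, so order is everything.
http_access deny !Safe_ports              # cheapest rejections first
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge

http_access allow special_urls            # whitelist before the blocks
http_access deny badext                   # one regex pass, not two
http_access deny baddom
http_access deny malware_block_list

# Anything that must work without credentials (e.g. LTSP clients allowed by
# address alone) has to be allowed ABOVE this line; assumption: there is none.
http_access deny !authUsers               # no credentials -> challenge, then deny
http_access allow staffgroup lan workhours   # group AND LAN AND time window
http_access allow localhost
http_access deny all

http_reply_access allow all
icp_access allow all
```

Two checks before blaming the config: run `wbinfo -t` as root to confirm the winbind trust, then run the group helper as the user Squid actually runs as (`cache_effective_user`, `proxy` on Debian/Ubuntu) and feed it a line of the form `username staff`; it must answer `OK` for a member and `ERR` otherwise. If `ntlm_auth` fails only under the Squid user, that user is not in the group that owns the winbindd privileged pipe directory (`winbindd_priv` on Debian, an assumption for other distributions), which is the membership Amos refers to.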
Received on Tue Sep 08 2009 - 06:49:53 MDT