Re: [squid-users] Need help in integrating squid and samba

From: Avinash Rao <avinash.aol_at_gmail.com>
Date: Tue, 8 Sep 2009 16:56:23 +0530

On Tue, Sep 8, 2009 at 2:49 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
> Avinash Rao wrote:
>>
>> On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries<squid3_at_treenet.co.nz>
>> wrote:
>>>
>>> Avinash Rao wrote:
>>>>
>>>> On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries<squid3_at_treenet.co.nz>
>>>> wrote:
>>>>>
>>>>> Avinash Rao wrote:
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: Avinash Rao <avinash.aol_at_gmail.com>
>>>>>> Date: Tue, Sep 8, 2009 at 11:13 AM
>>>>>> Subject: Re: Fwd: [squid-users] Need help in integrating squid and
>>>>>> samba
>>>>>> To: Amos Jeffries <squid3_at_treenet.co.nz>
>>>>>> Cc: Henrik Nordstrom <henrik_at_henriknordstrom.net>,
>>>>>> squid-users_at_squid-cache.org
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>>>>>> wrote:
>>>>>>>
>>>>>>> Avinash Rao wrote:
>>>>>>>>
>>>>>>>> On 8/31/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>>>>>>
>>>>>>>>> Avinash Rao wrote:
>>>>>>>>>
>>>>>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
>>>>>>>>>
>>>>>>>>> <henrik_at_henriknordstrom.net
>>>>>>>>> <mailto:henrik_at_henriknordstrom.net>> wrote:
>>>>>>>>>>
>>>>>>>>>>  sön 2009-08-23 klockan 15:08 +0530 skrev Avinash Rao:
>>>>>>>>>>  > I couldn't find any document that shows me how to enable
>>>>>>>>>> wb_info
>>>>>>>>>>  for squid.
>>>>>>>>>>  > Can anybody help me?
>>>>>>>>>>
>>>>>>>>>>  external_acl_type NT_Group %LOGIN
>>>>>>>>>>  /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>>>>>
>>>>>>>>>>  acl group1 external NT_Group group1
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>  then use group1 whenever you want to match users belonging to
>>>>>>>>>> that
>>>>>>>>>>  Windows group.
>>>>>>>>>>
>>>>>>>>>>  Regards
>>>>>>>>>>  Henrik
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hi Henrik,
>>>>>>>>>>
>>>>>>>>>> I have used the following in my squid.conf
>>>>>>>>>>
>>>>>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>>>>>>>>> acl
>>>>>>>>>
>>>>>>>>> group1 external NT_Group staff
>>>>>>>>>>
>>>>>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>>>>>> http_access allow net
>>>>>>>>>>
>>>>>>>>>> On my linux server, I have created a group called staff and made a
>>>>>>>>>> couple
>>>>>>>>>
>>>>>>>>> of users a member of this group called staff. My intention is to
>>>>>>>>> provide
>>>>>>>>> access to users belonging to group staff on all days from morning
>>>>>>>>> 9am
>>>>>>>>> -
>>>>>>>>> 7PM.
>>>>>>>>> The rest should be denied.
>>>>>>>>>>
>>>>>>>>>> But this didn't work, when the Samba users login from a winxp
>>>>>>>>>> client,
>>>>>>>>>> it
>>>>>>>>>
>>>>>>>>> doesn't get access to internet at all.
>>>>>>>>> There is no http_access lien making any use of ACL "group1"
>>>>>>>>>
>>>>>>>>> And _everybody_ (me included on this side of the Internet) is
>>>>>>>>> allowed
>>>>>>>>> to use
>>>>>>>>> your proxy between 9am ad 6pm.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Amos
>>>>>>>>
>>>>>>>> Thanks for the reply, Ya i missed http_access allow group1
>>>>>>>> I didn't understand your second statement, are u telling me that i
>>>>>>>> should deny access to net?
>>>>>>>
>>>>>>> You should combine the ACL with others on an http_access line so that
>>>>>>> its
>>>>>>> limited to who it allows.
>>>>>>>
>>>>>>> This:
>>>>>>>  acl net time M T W T F S S 9:00-18:00
>>>>>>>  http_access allow net
>>>>>>>
>>>>>>> simply says "all requests are allowed between time X and Y".
>>>>>>> Without additional controls, ie on IP address making the request,
>>>>>>>  you
>>>>>>> end up with an open proxy.
>>>>>>>
>>>>>>> Amos
>>>>>>
>>>>>> Dear Amos,
>>>>>>
>>>>>> I am still not able to get this working.  Here's what i want to
>>>>>> accomplish. I have WinXP - SP2 clients logging onto the samba domain
>>>>>> and LTSP users. All users use squid proxy. My intention is to control
>>>>>> the samba users from accessing the internet at certain times.
>>>>>>
>>>>>> If i don't use the external_acl_type NT_Group as mentioned below, the
>>>>>> squid works properly for all users, even windows and anybody using
>>>>>> squid proxy.
>>>>>>
>>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/
>>>>>> wbinfo_group.pl
>>>>>> acl group1 external NT_Group group1
>>>>>> I have created a group called staff using net rpc command and i am i
>>>>>> have made all the users using winxp a member of this group staff. So,
>>>>>> my acl will look like
>>>>>>
>>>>>> external_acl_type NT_Group %LOGIN
>>>>>> /usr/local/squid/libexec/wbinfo_group.pl
>>>>>> acl acl_name external NT_Group staff
>>>>>> http_access allow staff
>>>>>>
>>>>>> According to my understanding, it should allow only those samba users
>>>>>> which come under the group staff. But thats not happening, squid
>>>>>> denies access to the internet.
>>>>>
>>>>> _when tested_ it should be doing that. Other rules around it have an
>>>>> effect
>>>>> that you may have overlooked.
>>>>>
>>>>> Then again the group name is case-sensitive. The helper is OS access
>>>>> permission sensitive, and NTLM auth has difficulties all of its own.
>>>>>
>>>>>
>>>>> I'll need to see the whole access config to know whats going on. And
>>>>> remind
>>>>> me what version of Squid this is.
>>>>>
>>>>>
>>>>> Amos
>>>>
>>>> hi,
>>>>
>>>>
>>>> root_at_sunbox:/etc/squid# dpkg -l | grep squid
>>>> ii  squid                                 2.6.18-1ubuntu3
>>>>                       Internet object cache (WWW proxy cache)
>>>> ii  squid-common                          2.6.18-1ubuntu3
>>>>                       Internet object cache (WWW proxy cache) - co
>>>>
>>>> squid.conf
>>>>
>>>> visible_hostname sunbox
>>>> hierarchy_stoplist cgi-bin ?
>>>> acl QUERY urlpath_regex cgi-bin \?
>>>> no_cache deny QUERY
>>>
>>> use:  cache deny QUERY
>>>
>>>> hosts_file /etc/hosts
>>>> http_port 10.10.10.200:3128
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern . 0 20% 4320
>>>>
>>>> external_acl_type NT_Group %LOGIN
>>>> /usr/local/squid/libexec/wbinfo_group.pl
>>>> acl staffgroup external NT_Group staff
>>>>
>>>> acl all src 0.0.0.0/0.0.0.0
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>> acl to_localhost dst 127.0.0.0/8
>>>> acl SSL_ports port 443 563
>>>> acl Safe_ports port 80                # http
>>>> acl Safe_ports port 21                # ftp
>>>> acl Safe_ports port 443 563           # https, snews
>>>> acl Safe_ports port 70                # gopher
>>>> acl Safe_ports port 210               # wais
>>>> acl Safe_ports port 1025-65535        # unregistered ports
>>>> acl Safe_ports port 280               # http-mgmt
>>>> acl Safe_ports port 488               # gss-http
>>>> acl Safe_ports port 591               # filemaker
>>>> acl Safe_ports port 631               # cups
>>>> acl Safe_ports port 777               # multiling http
>>>> acl Safe_ports port 901               # SWAT
>>>> acl Safe_ports port 993               # IMAP
>>>> acl Safe_ports port 587               # SMTP
>>>> acl Safe_ports port 22                # SSH
>>>> acl purge method PURGE
>>>> acl special_urls url_regex "/etc/squid/squid-noblock.acl"
>>>> acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
>>>
>>> File extensions?
>>>  --> use urlpath_regex -i \.(mp3|exe|zip)(\?.*)?$
>>>
>>>
>>>> acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
>>>> acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
>>>
>>> So "prexel.com" is a bad URL?
>>>
>>> Be VERY careful with regex matching. Avoid where possible.
>>>
>>> The mp3/mp4/exe bits can be moved to the bad extension list.
>>>
>>> The youtube and orkut stuff should be a dstdomain ACL type with a
>>> wildcard
>>> list of their domains:  dstdomain .youtube.com .yimg.com
>>>
>>> (I'm not sure what the full range of orkut domains are).
>>>
>>>> acl lan src 192.168.1.0 10.10.10.0/24
>>>> acl stud ident_regex babu
>>>> acl download method GET
>>>> acl CONNECT method CONNECT
>>>> cache_mem 100 MB
>>>> #redirect_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf
>>>> ident_lookup_access allow all
>>>> http_access allow staffgroup
>>>
>>> For testing I hope. Okay, so staffgroup should have unlimited proxy
>>> access
>>> form anywhere in the world. If they happen to send their login
>>> information
>>> to random machines (including Squid) without being asked to.
>>>
>>> I think you need to try:
>>>
>>>  acl authUsers proxy_auth REQUIRED
>>>  http_access deny !authUsers
>>>  http_access allow staffgroup
>>>
>>> You also need a set of auth_param settings to actually retrieve the login
>>> details. wbinfo does not work without them.
>>>
>>>
>>> Also, check the default user your Squid runs under is properly a member
>>> of
>>> the winbind group in the OS security settings.
>>> wbinfo requires access to the winbind data which gets dynamically
>>> created,
>>> so hacking around with chown does not work.
>>>
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access allow purge localhost
>>>> http_access allow special_urls
>>>> http_access deny extndeny download
>>>
>>> The above line merely doubles the server CPU load from the extndeny regex
>>> test.
>>>
>>> The one below does the same thing for non-"download" stuff.
>>>
>>>> http_access deny extndeny
>>>> http_access deny purge
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>
>>> Well, the two lines above really should be the first two http_access
>>> lines
>>> in the config. They catch a huge amount of bad requests in a very
>>> efficient
>>> way.
>>>
>>>> http_access deny badurl
>>>> http_access deny malware_block_list
>>>> deny_info http://malware.hiperlinks.com.br/denied.shtml
>>>> malware_block_list
>>>> http_access allow localhost
>>>> http_access allow lan
>>>> http_access deny all
>>>> http_reply_access allow all
>>>> icp_access allow all
>>>> coredump_dir /var/spool/squid
>>>>
>>>>
>>>> Thanks
>>>> Avinash
>>>
>>> Amos
>>> --
>>> Please be using
>>>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>>  Current Beta Squid 3.1.0.13
>>>
>>
>>
>>
>> Thanks again, i will go through this and let you know the results.
>>
>> Regards,
>> Avinash
>
> After all that I forgot to say now to link the staffgroup and net ACLs.
>
> Not difficult though:
>  acl net time 9:00-18:00
>  http_access allow net staffgroup
>
> (assuming you did want the access limited 7 days a week)
> If only specific days were wanted note that the day codes are made into a
> single word SMTWHFA etc (no spaces)
>  and also H = thursday and A = saturday.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>  Current Beta Squid 3.1.0.13
>

Thank you so much, I was going to ask the same thing. I just finished
testing the first part. I am doing one by one.

Cheers mate
Avinash
Received on Tue Sep 08 2009 - 11:26:34 MDT

This archive was generated by hypermail 2.2.0 : Tue Sep 08 2009 - 12:00:02 MDT