[squid-users] ntlm questions from Simon Bryan on 2003-02-10 (squid-users)

From: Simon Bryan <sbryan@dont-contact.us>
Date: Tue, 11 Feb 2003 13:18:44 +1100

Hi all,

I am using Squid2.5STABLE1 on RH7.2, have successfully implemented ntlm
authentication (after much grief related to getting Samba to compile
properly). I was following another thread in this list about ntlm and not
needing a proxy_auth line when using an external authenticator. Which turned
out to be true, however it seems to also then allow non-authenticated use of
the proxy! I see now that there are large numbers of lines in my logs where
the 'user' is the machines IP address and the download is permitted.
Previously they would be denied. Is this correct behaviour? I find I need:

acl password proxy_auth REQUIRED
http_access deny all !password

for access to non-authenticated users to be denied. Or am I doing something
dumb(again!)?

Also should I be able to use:
acl staff external wb_group Teachers

in http_access rule like:

acl webmail dstdomain "/etc/dansguardian/blacklists/mail/domains"
http_access allow webmail staff
http_access deny webmail

cause it doesn't seem to work for me, the docs seem to indicate that it is
possible. 'Teachers' is a group on the NT Server.

****************************************************************************
********************************************
I believe the relevant lines of my conf file are below:

auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
auth_param basic children 20
auth_param basic realm Poxy server at OLMC
auth_param basic credentialsttl 1 hours

external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
acl winauth external wb_group wwwusers
acl staff external wb_group Teachers
authenticate_ttl 1 hour
authenticate_ip_ttl 300 seconds

# TIMEOUTS
# ACCESS CONTROLS
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl cachemanager src 10.192.0.21
acl SSL_ports port 443 563 4545
acl Safe_ports port 21 70 80 81 82 88 210 563 1010 1025-65535 1082 4545
acl CONNECT method CONNECT
acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCL UNLOCK
acl password proxy_auth REQUIRED

http_access deny all !password

_________________________________________
Simon Bryan
IT Manager
OLMC Parramata
ICQ#: 137562751
_________________________________________
Received on Mon Feb 10 2003 - 19:18:52 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:17 MST