Re: [squid-users] squid group authentication and dansguardian

Kevin Kimani wrote:
> Hi guys,
>
> Am having a system running squid that authenticates users from the
> Active Directory. Squid is version 2.6 STABLE6 running in CentOS 5.1.
> It authenticates users according to the various groups that have been
> defined in the Active Directory. If i run squid directly, it
> authenticates users according to their groups but in the case of
> implementing Dansguardian which is to act as a guard then the
> authentication of groups fail miserably. but if i just authenticate
> everyone from the AD, it works well only that it doesnt log the
> usernames but the IP addresses of the users.
> #MY CHANGES-------------------------------------------------------------------
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 20
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> ##END HERE--------------------------------------------------------------------
>
> external_acl_type wbinfo_group_helper %LOGIN /usr/lib/squid/wbinfo_group.pl
>
> ##MY CHANGES-----------------------
> acl my_network src 10.1.0.0/20
> acl ntlm_users proxy_auth REQUIRED
> acl usergroup1 external wbinfo_group_helper internetusers
> acl group1 external wbinfo_group_helper directorsinternet
> seniormanagers itinternet auditandsystem
> acl group2 external wbinfo_group_helper hrinternet financeinternet
> citinternet guardinginternet securitysystems salesandmarketing
> transportinternet
> acl user1_ports port 21 25 80 110 443 10000
> acl user2_ports port 21 25 80 110 443
> acl user3 port 80 443
>

Squid's http_access rules work on a first-match basis, so...

> http_access allow usergroup1
>

"usergroup1" can surf to anywhere on any port with no restrictions at all.

> http_access allow my_network
>

Now anyone with a source address in 10.1.0.0/20 can do the same.
Luckily, since all traffic is coming from Dans Guardian on localhost,
this will never match.

> http_access allow localhost
> http_access allow ntlm_users
> #http_access deny manager
> http_access allow group1 user1_ports
> http_access allow group2 user2_ports
> # And finally deny all other access to this proxy
> http_access allow SSL_ports
>

Sweet! Open proxy (for traffic destined for port 443 at least.

> http_access deny !Safe_ports
> http_access deny all
>

I'd strongly recommend reviewing the FAQ section on ACLs
(http://wiki.squid-cache.org/SquidFaq/SquidAcl).

> ##---------------------------------
>
> for Dansguardian
>
> filterip = 10.1.0.81
>
> # the port that DansGuardian listens to.
> filterport = 8080
>
> # the ip of the proxy (default is the loopback - i.e. this server)
> proxyip = 10.1.0.81
>
> # the port DansGuardian connects to proxy on
> proxyport = 3128
>
> # Auth plugins
> # These replace the usernameidmethod* options in previous versions. They
> # handle the extraction of client usernames from various sources, such as
> # Proxy-Authorisation headers and ident servers, enabling requests to be
> # handled according to the settings of the user's filter group.
> # Multiple plugins can be specified, and will be queried in order until one
> # of them either finds a username or throws an error. For example, if Squid
> # is configured with both NTLM and Basic auth enabled, and both the
> 'proxy-basic'
> # and 'proxy-ntlm' auth plugins are enabled here, then clients which
> do not support
> # NTLM can fall back to Basic without sacrificing access rights.
> #
> # If you do not use multiple filter groups, you need not specify this option.
> #
> #authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-basic.conf'
> #authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-digest.conf'
> authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-ntlm.conf'
> #authplugin = '/usr/local/etc/dansguardian/authplugins/ident.conf'
> #authplugin = '/usr/local/etc/dansguardian/authplugins/ip.conf'
>
> These are my acls'. They work in my small testing environment but when
> i try to implement them in the clients environment, they just refuse
> to work. Could someone please help.
>

I'd suggest (once you have your Squid ACLs working for a stand-alone
Squid install), implementing DG as a parent proxy to Squid. Then again,
I'm not familiar with DG, and have no idea of its capabilities with
regards to authentication.

Chris
Received on Thu Dec 18 2008 - 21:02:36 MST