Re: [squid-users] Squid + Webmarshal

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 29 Jul 2009 17:44:47 +1200

Harley Jackson Willmott wrote:
> 2009/7/28 Amos Jeffries <squid3_at_treenet.co.nz>:
>> Harley Jackson Willmott wrote:
>>> 2009/7/27 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>> On Mon, 27 Jul 2009 13:50:24 +1000, Harley Jackson Willmott
>>>> <open.harley_at_gmail.com> wrote:
>>>>> Hey all.
>>>>>
>>>>> I've done lots of searching and haven't been able to find examples of
>>>>> this particular scenario so I'm putting it to you guys for help.
>>>>>
>>>>> Basically, my boss has me setting up a Squid server for our company's
>>>>> primarily Microsoft-based network (We use Active Directory). We've
>>>>> already got a proxy server set up running Webmarshal. Webmarshal takes
>>>>> care of all the filtering stuff based on Active Directory membership.
>>>>>
>>>>> I'm implementing a Squid server to both cache (obviously) and to
>>>>> throttle certain users using delay pools.
>>>>>
>>>>> The original plan was to have Squid in front of Webmarshal, which
>>>>> means Squid needs to be able to pass the AD credentials to Webmarshal.
>>>>> The server itself is running Ubuntu 9.04 Server with
>>>>> Squid-3.0.STABLE16 compiled with buckets enabled and is joined to our
>>>>> AD domain through Likewise-Open. I'd like to create ACLs based on
>>>>> user/group membership in AD, but IPs are fine if that isn't possible.
>>>>> The main thing is that I -need- the credentials passed to Webmarshal
>>>>> so that the user isn't prompted to enter their username and password
>>>>> into their browser (this is how it acts prior to pointing it to
>>>>> Squid).
>>>>>
>>>>> Is this possible with my version of Squid? I've been trying to follow
>>>>> examples and documentation on the web, but frequently run into
>>>>> conflicting and/or outdated information. If so, can someone help me
>>>>> out with an example or something? If not, should I just be putting
>>>>> Squid behind Webmarshal?
>>>> Behind would be the quickest fix.
>>>>
>>>> Or you could go the whole way and configure Squid AD authentication with
>>>> group access control to completely replace Webmarshal. Squid bundles a
>>>> few external ACL helpers that check group access. The rest is up to what
>>>> access controls you set.
>>>>
>>>> Amos
>>>>
>>>>
>>> Thanks, Amos, I mulled it over a bit and talked to the boss and we've
>>> put Squid in front of Webmarshal
>>>
>>> I got Squid up and running but was getting a massive headache trying
>>> to make it pass credentials to Webmarshal. The problem was revealed to
>>> me by another thread on this mailing list that mentioned this would
>>> only work in 2.7 and 3.1, whereas I've been using 3.0. I compiled 2.7
>>> and it passes credentials to Webmarshal fine now! Delay pools are
>>> working great too (it's funny being happy about seeing the internet
>>> moving slowly).
>>> However, I'm faced with another problem. I still need to set up ACLs
>>> in Squid that are based on Active Directory groups. The box is in our
>>> domain with Samba and Winbind and wbinfo, wbinfo_group.pl and
>>> ntlm_auth all work flawlessly.
>>> Unfortunately, after I add the lines for ntlm authentication, my
>>> browser (even IE) prompts me for username and password a few times and
>>> then sends me to a Cache Access Denied page. My access.log also does
>>> not show any usernames/groups.
>>>
>>> I've played around with the lines a bit but here is how they stand at
>>> the moment:
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 30
>>> auth_param ntlm keep_alive on
>>>
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>> auth_param basic children 5
>>> auth_param basic realm mushmusic
>>> auth_param basic credentialsttl 2 hours
>>> auth_param basic casesensitive off
>>>
>>> acl authedusers proxy_auth REQUIRED
>>> http_access allow authedusers
>>>
>>> Any advice?
>>> Cheers :)
>> You also need persistent connections enabled, and connection-auth= flags on
>> any cache_peer lines.
>>
>> http://www.squid-cache.org/Versions/v2/2.7/cfgman/
>> See these settings:
>> * client_persistent_connections
>> * server_persistent_connections
>> * persistent_connection_after_error
>> * detect_broken_pconn
>>
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
>> Current Beta Squid 3.1.0.12
>>
>
> Thanks again! I managed to get ntlm_auth working, with ACLs based on
> the user's AD groups to decide different bucket sizes and speeds
> without the browser prompting.
> I had disabled the passing of credentials to Webmarshal beforehand to
> isolate what I was working on and now that I've gotten ntlm_auth
> working, I re-enabled it. Unfortunately, I am prompted for credentials
> again. This time, however, entering the credentials seems to work (as
> opposed to just prompting me over and over again before).
>
> If I'm _only_ passing credentials or _only_ authenticating for Squid,
> then everything works swimmingly. However, having both at once causes
> it to prompt the user at the browser. Can I only have one or the other
> or is there a solution that allows Squid to authenticate as well as
> pass creds to Webmarshal?
>
> Cheers
> Harley

At a guess I'd say the Webmarshal is not finding the NTLM token passed
back enough and kicking off its own challenge sequence.

Maybe the all-hack will work here....

Setting "all" ACL as the last on each authentication line causes Squid
to not send the auth challenge. This breaks any deny lines, but if the
auth is only on "allow" stuff it can work.

NP: You will also have to create a category for non-authenticated
requests, which are prior to the Webmarshal challenge but MUST still go
through to get the auth challenge happening.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
   Current Beta Squid 3.1.0.12
Received on Wed Jul 29 2009 - 05:45:03 MDT
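An added squid.conf sketch for Squid 2.7 of the layout Amos describes above; it is not Harley's or Amos's configuration. It puts `all` last on the authenticated allow line, adds a separate category for not-yet-authenticated LAN requests so Webmarshal's own challenge can still reach the browser, keeps the peer line with connection-auth and persistent connections, and throttles an AD group through a delay pool. The LAN range, the Webmarshal address and port, the group name `SlowUsers`, the `login=PASS` option and the `wbinfo_group.pl` path are assumptions.

```conf
# Added example, not configuration from this thread. Assumed values:
# LAN 192.168.1.0/24, Webmarshal at 192.168.1.10:8080, AD group "SlowUsers",
# wbinfo_group.pl installed at /usr/lib/squid/wbinfo_group.pl.

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on

# AD group lookup for the authenticated user, via winbind
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl all src all
acl localnet src 192.168.1.0/24
acl authedusers proxy_auth REQUIRED
acl slowusers external ad_group SlowUsers

# The "all-hack": with "all" as the last ACL on the line, Squid does not
# send its own 407 challenge when a request arrives without credentials;
# the line simply fails to match and evaluation moves on.
http_access allow authedusers all

# Category for not-yet-authenticated requests. The opening requests of the
# browser's NTLM handshake carry no usable credentials, but they must still
# be forwarded or Webmarshal's challenge never reaches the client.
# Keep this limited to the LAN; Webmarshal still decides who gets out.
http_access allow localnet
http_access deny all

# Forward everything via Webmarshal, keeping the client's auth headers and
# the per-connection state NTLM needs. login=PASS is an assumption here;
# use whichever login= option already passes credentials for you.
cache_peer 192.168.1.10 parent 8080 0 no-query default connection-auth=on login=PASS
never_direct allow all
client_persistent_connections on
server_persistent_connections on

# Per-user throttle for members of the slow group (class 2 pool:
# aggregate limit / per-host limit, -1 means unlimited).
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 32000/64000
delay_access 1 allow slowusers
delay_access 1 deny all
```

Watch access.log after a change like this: requests that reach Webmarshal without a username are expected for the handshake, but a steady stream of them from one client usually means the browser is not completing NTLM and the peer is re-challenging.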