Re: [squid-users] Need help in integrating squid and samba

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 08 Sep 2009 21:19:22 +1200

Avinash Rao wrote:
> On Tue, Sep 8, 2009 at 12:19 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>> Avinash Rao wrote:
>>> On Tue, Sep 8, 2009 at 11:38 AM, Amos Jeffries<squid3_at_treenet.co.nz>
>>> wrote:
>>>> Avinash Rao wrote:
>>>>> ---------- Forwarded message ----------
>>>>> From: Avinash Rao <avinash.aol_at_gmail.com>
>>>>> Date: Tue, Sep 8, 2009 at 11:13 AM
>>>>> Subject: Re: Fwd: [squid-users] Need help in integrating squid and samba
>>>>> To: Amos Jeffries <squid3_at_treenet.co.nz>
>>>>> Cc: Henrik Nordstrom <henrik_at_henriknordstrom.net>,
>>>>> squid-users_at_squid-cache.org
>>>>>
>>>>> On Tue, Sep 1, 2009 at 4:10 PM, Amos Jeffries <squid3_at_treenet.co.nz>
>>>>> wrote:
>>>>>> Avinash Rao wrote:
>>>>>>> On 8/31/09, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>>>>>> Avinash Rao wrote:
>>>>>>>>
>>>>>>>>> On Mon, Aug 24, 2009 at 1:00 AM, Henrik Nordstrom
>>>>>>>> <henrik_at_henriknordstrom.net
>>>>>>>> <mailto:henrik_at_henriknordstrom.net>> wrote:
>>>>>>>>> sön 2009-08-23 klockan 15:08 +0530 skrev Avinash Rao:
>>>>>>>>> > I couldn't find any document that shows me how to enable wb_info
>>>>>>>>> for squid.
>>>>>>>>> > Can anybody help me?
>>>>>>>>>
>>>>>>>>> external_acl_type NT_Group %LOGIN
>>>>>>>>> /usr/local/squid/libexec/wbinfo_group.pl
>>>>>>>>>
>>>>>>>>> acl group1 external NT_Group group1
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> then use group1 whenever you want to match users belonging to that
>>>>>>>>> Windows group.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Henrik
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi Henrik,
>>>>>>>>>
>>>>>>>>> I have used the following in my squid.conf
>>>>>>>>>
>>>>>>>>> external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
>>>>>>>>> acl group1 external NT_Group staff
>>>>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>>>>> http_access allow net
>>>>>>>>>
>>>>>>>>> On my linux server, I have created a group called staff and made a
>>>>>>>>> couple of users a member of this group called staff. My intention is to
>>>>>>>>> provide access to users belonging to group staff on all days from morning
>>>>>>>>> 9am - 7PM. The rest should be denied.
>>>>>>>>> But this didn't work, when the Samba users login from a winxp client,
>>>>>>>>> it doesn't get access to internet at all.
>>>>>>>> There is no http_access line making any use of ACL "group1"
>>>>>>>>
>>>>>>>> And _everybody_ (me included on this side of the Internet) is allowed
>>>>>>>> to use your proxy between 9am and 6pm.
>>>>>>>>
>>>>>>>>
>>>>>>>> Amos
>>>>>>> Thanks for the reply. Ya, I missed http_access allow group1.
>>>>>>> I didn't understand your second statement, are you telling me that I
>>>>>>> should deny access to net?
>>>>>> You should combine the ACL with others on an http_access line so that
>>>>>> it's limited to who it allows.
>>>>>>
>>>>>> This:
>>>>>> acl net time M T W T F S S 9:00-18:00
>>>>>> http_access allow net
>>>>>>
>>>>>> simply says "all requests are allowed between time X and Y".
>>>>>> Without additional controls, ie on IP address making the request, you
>>>>>> end up with an open proxy.
>>>>>>
>>>>>> Amos
>>>>> Dear Amos,
>>>>>
>>>>> I am still not able to get this working. Here's what I want to
>>>>> accomplish. I have WinXP - SP2 clients logging onto the samba domain
>>>>> and LTSP users. All users use squid proxy. My intention is to control
>>>>> the samba users from accessing the internet at certain times.
>>>>>
>>>>> If i don't use the external_acl_type NT_Group as mentioned below, the
>>>>> squid works properly for all users, even windows and anybody using
>>>>> squid proxy.
>>>>>
>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>> acl group1 external NT_Group group1
>>>>>
>>>>> I have created a group called staff using the net rpc command and I
>>>>> have made all the users using winxp a member of this group staff. So,
>>>>> my acl will look like
>>>>>
>>>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>>>> acl acl_name external NT_Group staff
>>>>> http_access allow staff
>>>>>
>>>>> According to my understanding, it should allow only those samba users
>>>>> which come under the group staff. But thats not happening, squid
>>>>> denies access to the internet.
>>>> _when tested_ it should be doing that. Other rules around it have an
>>>> effect that you may have overlooked.
>>>>
>>>> Then again the group name is case-sensitive. The helper is OS access
>>>> permission sensitive, and NTLM auth has difficulties all of its own.
>>>>
>>>>
>>>> I'll need to see the whole access config to know what's going on. And
>>>> remind me what version of Squid this is.
>>>>
>>>>
>>>> Amos
>>> hi,
>>>
>>>
>>> root_at_sunbox:/etc/squid# dpkg -l | grep squid
>>> ii squid 2.6.18-1ubuntu3
>>> Internet object cache (WWW proxy cache)
>>> ii squid-common 2.6.18-1ubuntu3
>>> Internet object cache (WWW proxy cache) - co
>>>
>>> squid.conf
>>>
>>> visible_hostname sunbox
>>> hierarchy_stoplist cgi-bin ?
>>> acl QUERY urlpath_regex cgi-bin \?
>>> no_cache deny QUERY
>> use: cache deny QUERY
>>
>>> hosts_file /etc/hosts
>>> http_port 10.10.10.200:3128
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern . 0 20% 4320
>>>
>>> external_acl_type NT_Group %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
>>> acl staffgroup external NT_Group staff
>>>
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl to_localhost dst 127.0.0.0/8
>>> acl SSL_ports port 443 563
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 563 # https, snews
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 631 # cups
>>> acl Safe_ports port 777 # multiling http
>>> acl Safe_ports port 901 # SWAT
>>> acl Safe_ports port 993 # IMAP
>>> acl Safe_ports port 587 # SMTP
>>> acl Safe_ports port 22 # SSH
>>> acl purge method PURGE
>>> acl special_urls url_regex "/etc/squid/squid-noblock.acl"
>>> acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
>> File extensions?
>> --> use urlpath_regex -i \.(mp3|exe|zip)(\?.*)?$
>>
>>
>>> acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
>>> acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
>> So "prexel.com" is a bad URL?
>>
>> Be VERY careful with regex matching. Avoid where possible.
>>
>> The mp3/mp4/exe bits can be moved to the bad extension list.
>>
>> The youtube and orkut stuff should be a dstdomain ACL type with a wildcard
>> list of their domains: dstdomain .youtube.com .yimg.com
>>
>> (I'm not sure what the full range of orkut domains are).
>>
>>> acl lan src 192.168.1.0 10.10.10.0/24
>>> acl stud ident_regex babu
>>> acl download method GET
>>> acl CONNECT method CONNECT
>>> cache_mem 100 MB
>>> #redirect_program /usr/bin/squidGuard –c /etc/squid/squidGuard.conf
>>> ident_lookup_access allow all
>>> http_access allow staffgroup
>> For testing I hope. Okay, so staffgroup should have unlimited proxy access
>> from anywhere in the world. If they happen to send their login information
>> to random machines (including Squid) without being asked to.
>>
>> I think you need to try:
>>
>> acl authUsers proxy_auth REQUIRED
>> http_access deny !authUsers
>> http_access allow staffgroup
>>
>> You also need a set of auth_param settings to actually retrieve the login
>> details. wbinfo does not work without them.
>>
>>
>> Also, check the default user your Squid runs under is properly a member of
>> the winbind group in the OS security settings.
>> wbinfo requires access to the winbind data which gets dynamically created,
>> so hacking around with chown does not work.
>>
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access allow purge localhost
>>> http_access allow special_urls
>>> http_access deny extndeny download
>> The above line merely doubles the server CPU load from the extndeny regex
>> test.
>>
>> The one below does the same thing for non-"download" stuff.
>>
>>> http_access deny extndeny
>>> http_access deny purge
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>> Well, the two lines above really should be the first two http_access lines
>> in the config. They catch a huge amount of bad requests in a very efficient
>> way.
>>
>>> http_access deny badurl
>>> http_access deny malware_block_list
>>> deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
>>> http_access allow localhost
>>> http_access allow lan
>>> http_access deny all
>>> http_reply_access allow all
>>> icp_access allow all
>>> coredump_dir /var/spool/squid
>>>
>>>
>>> Thanks
>>> Avinash
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>> Current Beta Squid 3.1.0.13
>>
>
>
>
> Thanks again, i will go through this and let you know the results.
>
> Regards,
> Avinash

After all that I forgot to say how to link the staffgroup and net ACLs.

Not difficult though:
   acl net time 9:00-18:00
   http_access allow net staffgroup

(assuming you did want the access limited 7 days a week)
If only specific days are wanted, note that the day codes are written as
a single word, e.g. SMTWHFA (no spaces), and that H = Thursday and
A = Saturday.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
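As an added illustration, not Avinash's posted squid.conf and not configuration Amos supplied, here is one way the advice in this thread fits together in a single http_access ordering: the cheap deny rules first, the request confined to the LAN, credentials required before the winbind group lookup, the time and group ACLs combined on one allow line, and a final deny all. The helper paths, the client network and the ntlm_auth auth_param lines are assumptions for the example and will differ per install; the weak lines from the thread are kept as a commented contrast.

```conf
# Added example squid.conf fragment (Squid 2.6 era syntax); not from the thread.
# Assumed paths: wbinfo_group.pl and ntlm_auth locations are typical for a
# Debian/Ubuntu package install and may differ on your system.

# Weak form from the thread, kept only for contrast. On its own this allows
# any client anywhere to use the proxy between 9:00 and 18:00 (open proxy):
#   acl net time M T W T F S S 9:00-18:00
#   http_access allow net

# Authentication must be configured; without it %LOGIN is empty and
# wbinfo_group.pl never receives a username to look up.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Group lookup through winbind. The group name is case-sensitive, and the
# user Squid runs as must be able to read the winbind pipe (winbind group).
external_acl_type NT_Group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl staffgroup external NT_Group staff

acl all src 0.0.0.0/0.0.0.0          # Squid 2.6 has no built-in "all"
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl lan src 10.10.10.0/24            # assumed client network
acl authUsers proxy_auth REQUIRED
acl net time 9:00-18:00              # every day; "MTWHF 9:00-18:00" for weekdays only
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

# Cheap deny rules first: they reject most junk before any helper is consulted.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager

# Confine to the LAN, demand credentials (this is what triggers the 407
# challenge), then apply time and group together on one line.
http_access deny !lan
http_access deny !authUsers
http_access allow net staffgroup
http_access deny all
```

Order matters: putting `http_access allow staffgroup` ahead of the `deny !authUsers` line, or leaving `allow net` on its own, reopens the proxy, because the first matching http_access line wins. Outside 9:00-18:00 the staff line simply does not match and the request falls through to `deny all`.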
Received on Tue Sep 08 2009 - 09:19:35 MDT