Re: [squid-users] External users from Child AD domain unable to use local Squid proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 20 Apr 2010 00:58:52 +0000

On Mon, 19 Apr 2010 15:33:09 -0400, Milan <compguy030471_at_gmail.com> wrote:
> Below is our Squid.conf. We still cannot get external ad users to work
> on our proxy.
>
> cache_peer proxy2.us.xxxxxxxxxx.com parent 3128 0000 default no-query no-digest
>
> auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
> auth_param ntlm children 40
> auth_param ntlm keep_alive on
>
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
>
> ftp_user squid_at_xxxxxxxx.com
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
>
> acl WindowsUpdate dstdomain -i "c:/squid/etc/windowsupdate.txt"
>
> acl bypass_auth src "C:\squid\etc\ByPass_Auth_SRC_IP.txt"
> acl bypass_auth-external dstdomain "C:\squid\etc\ByPass_Auth_DST_DOMAIN.txt"
>
> acl DIRECT src "C:\squid\etc\Direct_SRC_IP.txt"
> acl DIRECT-external dstdomain "C:\squid\etc\Direct_DST_DOMAIN.txt"
>
> acl Java browser Java/[0-9]
>
> acl Approved_IP dstdomain "C:\squid\etc\Approved_IP.txt"
>
> # Domains accessible to all PC's
> acl Approved_Domains dstdomain "C:\squid\etc\Approved.txt"
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
>
> acl CONNECT method CONNECT
> acl ftp proto FTP
>
> acl authproxy proxy_auth REQUIRED
> acl our_networks src 172.xx.xx.xx/12
> acl HEAD method HEAD
>
> acl InetAllow external AD_global_group CLW.Squid.Full
>
> http_access allow manager localhost
> http_access allow HEAD
> http_access allow ftp
> http_access allow WindowsUpdate
> http_access allow bypass_auth
> http_access allow bypass_auth-external
> http_access allow Approved_Domains
> http_access allow Java
> http_access allow Approved_IP
> http_access allow InetAllow
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny !our_networks

Eeek! Order is important!

Before you do anything else, put those deny lines back FIRST in your
order of http_access.

Next, the rules for Internet machines to connect to your LAN need to go
above the !our_networks rule (and remain below the CONNECT one).

That may not solve your auth problems, but it will stop your machine being
an open relay proxy.

Amos

>
> On Sun, Apr 18, 2010 at 06:26, Guido Serassio
> <guido.serassio_at_acmeconsulting.it> wrote:
>> Hi,
>>
>> When using mswin_check_ad_group.exe 1.x in global mode (-G options), the
>> check is done always against a global group placed in the user's domain.
>>
>> Starting from 2.7 STABLE 8, mswin_check_ad_group.exe 2.x is now a full
>> AD group helper supporting full forest wide group recursion.
>> Take a look at the included docs for details.
>>
>> Regards
>>
>> Guido Serassio
>> Acme Consulting S.r.l.
>> Microsoft Gold Certified Partner
>> Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
>> Tel. : +39.011.9530135 Fax. : +39.011.9781115
>> Email: guido.serassio_at_acmeconsulting.it
>> WWW: http://www.acmeconsulting.it
>>
>>
>>> -----Original Message-----
>>> From: Milan [mailto:compguy030471_at_gmail.com]
>>> Sent: Thursday, 15 April 2010 17:17
>>> To: squid-users_at_squid-cache.org
>>> Subject: [squid-users] External users from Child AD domain unable to use
>>> local Squid proxy
>>>
>>> We are using Squid on Windows as a proxy and we are having an issue
>>> where users that come from a child domain to our office do not
>>> authenticate properly.
>>>
>>> Example: our domain is na.myworld.com and users from eu.myworld.com
>>> come to our office and do not authenticate correctly.
>>> The log of the connection is below.
>>>
>>> 1271280071.727 47 172.23.5.54 TCP_DENIED/407 1766 GET
>>> http://www.yahoo.com/ - NONE/- text/html
>>> 1271280071.774 31 172.23.5.54 TCP_DENIED/407 2082 GET
>>> http://www.yahoo.com/ - NONE/- text/html
>>> 1271280099.086 27312 172.23.5.54 TCP_DENIED/403 1449 GET
>>> http://www.yahoo.com/ eu\vbonafe NONE/- text/html
>>> 1271280104.258 47 172.23.5.54 TCP_DENIED/407 1763 GET
>>> http://www.yahoo.es/ - NONE/- text/html
>>> 1271280104.289 31 172.23.5.54 TCP_DENIED/407 2079 GET
>>> http://www.yahoo.es/ - NONE/- text/html
>>> 1271280104.524 235 172.23.5.54 TCP_DENIED/403 1447 GET
>>> http://www.yahoo.es/ eu\vbonafe NONE/- text/html
>>> 1271280110.274 391 172.23.5.54 TCP_MISS/200 5128 GET
>>> http://www.google.com/ -
>>> DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
>>> 1271280110.524 63 172.23.5.54 TCP_MISS/204 494 GET
>>> http://clients1.google.com/generate_204 -
>>> DEFAULT_PARENT/proxy2.us.webscanningservice.com text/html
>>> 1271280110.649 157 172.23.5.54 TCP_MISS/204 434 GET
>>> http://www.google.com/csi? - DIRECT/72.14.204.103 text/html
>>>
>>> We have the below acl for users in the AD global group
>>>
>>>
>>> external_acl_type AD_global_group ttl=120 %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G
>>>
>>> and another acl below that allows full access through the squid proxy
>>> using an AD group
>>>
>>> acl InetAllow external AD_global_group CLW.Squid.Full
>>>
>>>
>>> Any ideas?
>>
Received on Tue Apr 20 2010 - 00:58:59 MDT
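To make Amos's ordering point concrete, here is an added example (not code from the thread or from the Squid project) that models how Squid evaluates `http_access`: lines are tried top to bottom, every ACL on a line must match (AND), the first matching line wins, and if nothing matches the default is the opposite of the last line. It runs a subset of the posted rules in the order Milan posted them and again with the deny lines moved first, as Amos asks. The `172.16.0.0/12` network, the approved-domain list and the sample requests are constructed stand-ins for the redacted `172.xx.xx.xx/12` and the `Approved.txt` file in the post.

```python
import ipaddress

# Constructed stand-ins for values redacted or held in files in the posted config.
OUR_NETWORKS = ipaddress.ip_network("172.16.0.0/12")      # post has 172.xx.xx.xx/12
APPROVED_DOMAINS = {"example.com"}                        # contents of Approved.txt
SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
SSL_PORTS = {443}

# ACL name -> predicate over a request dict (a small subset of the posted acls).
ACLS = {
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": lambda r: r["src"] == "127.0.0.1",
    "HEAD": lambda r: r["method"] == "HEAD",
    "Approved_Domains": lambda r: r["dstdomain"] in APPROVED_DOMAINS,
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "our_networks": lambda r: ipaddress.ip_address(r["src"]) in OUR_NETWORKS,
}


def acl_matches(name, request):
    """Evaluate one ACL reference; a leading '!' negates it, as in squid.conf."""
    negate = name.startswith("!")
    return ACLS[name.lstrip("!")](request) != negate


def http_access(rules, request):
    """First-match evaluation of an http_access list.

    rules is a list of (action, acl, acl, ...) tuples. All ACLs on a line are
    ANDed; the first line whose ACLs all match decides. If no line matches,
    Squid applies the opposite of the last line's action.
    """
    for action, *acls in rules:
        if all(acl_matches(a, request) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def make_request(src, method, dstdomain, port, proto="http"):
    return {"src": src, "method": method, "dstdomain": dstdomain,
            "port": port, "proto": proto}


# The order as posted: allow lines before the deny lines.
POSTED_ORDER = [
    ("allow", "manager", "localhost"),
    ("allow", "HEAD"),
    ("allow", "Approved_Domains"),
    ("deny", "manager"),
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!SSL_ports"),
    ("deny", "!our_networks"),
]

# The order Amos asks for: deny lines first, then the allow lines.
CORRECTED_ORDER = [
    ("allow", "manager", "localhost"),
    ("deny", "manager"),
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!SSL_ports"),
    ("deny", "!our_networks"),
    ("allow", "HEAD"),
    ("allow", "Approved_Domains"),
]

# Constructed sample requests.
INTERNAL_GET = make_request("172.20.1.5", "GET", "example.com", 80)     # LAN client
EXTERNAL_GET = make_request("203.0.113.9", "GET", "example.com", 80)    # Internet client
EXTERNAL_HEAD_UNSAFE = make_request("203.0.113.9", "HEAD", "example.com", 25)


def compare_orders(request):
    """Return the decision under each ordering so the difference is visible."""
    return {"posted": http_access(POSTED_ORDER, request),
            "corrected": http_access(CORRECTED_ORDER, request)}


if __name__ == "__main__":
    for label, req in [("internal GET", INTERNAL_GET),
                       ("external GET", EXTERNAL_GET),
                       ("external HEAD to port 25", EXTERNAL_HEAD_UNSAFE)]:
        print(f"{label:26s} {compare_orders(req)}")
```

With the posted order the Internet client's request to an approved domain is allowed because `allow Approved_Domains` matches before `deny !our_networks` is ever reached, which is the open-relay behaviour Amos warns about; the same goes for a request to an unsafe port, which `allow HEAD` admits before `deny !Safe_ports` runs. With the deny lines first, both are refused while the LAN client's request still falls through to `allow Approved_Domains`.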