Re: [squid-users] External_acl_type Problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 22 Jan 2011 03:07:56 +1300

On 22/01/11 01:38, Kalil Costa - Brasilsite wrote:
> Hi all,
>
>
> I have a problem with external_acl_type not working
>
> Integrated the AD 2003 using squid with ntlm, samba, winbind, works fine.
> Logs in access.log ok, user navigates normal, but when I configure
> squid.conf using external_acl_type nothing happens.
>

Your problem is not related to external_acl_type.

The order of your directives does not match what you are wanting to happen.

>
> My settings squid.conf
>
> -----
>
> http_port 3128
>
> cache_mem 12 MB
> maximum_object_size_in_memory 64 KB
> maximum_object_size 512 MB
> minimum_object_size 0 KB
> cache_swap_low 90
> cache_swap_high 95
> cache_dir ufs /var/spool/squid 2048 16 256
> cache_access_log /var/log/squid/access.log
> refresh_pattern ^ftp: 15 20% 2280
> refresh_pattern ^gopher: 15 0% 2280

Add:
   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

> refresh_pattern . 15 20% 2280
>
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY

If you have a Squid newer than 2.6 remove the above three lines.

>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
>
>
> #debug_options ALL,1 82,9 84,9
>
> #acl all src 0.0.0.0/24
>
>
> acl AuthorizedUsers proxy_auth REQUIRED
> http_access allow AuthorizedUsers

At this point anyone who can login is allowed immediately.

>
> external_acl_type nt_group %LOGIN /usr/lib/squid/wbinfo_group.pl
>
> acl dpto external nt_group finance
> http_access deny dpto
>

This group restriction needs to be above "allow AuthorizedUsers" to work.

When two criteria overlap, the most specific needs to be tested first.
In this case the details user+password+group is more specific than just
user+password.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Fri Jan 21 2011 - 14:08:03 MST
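
The ordering point from the reply above, as an added example that is not part of the original thread and not Squid's own code: a simplified Python model of first-match `http_access` evaluation, run against the posted rule order and the reordered one. The users `alice` and `bob` and their group memberships are constructed, and the model assumes the user has already authenticated.

```python
# Simplified model of Squid's http_access evaluation (illustration only).
# Assumption: the user is already authenticated; group data is constructed
# and stands in for what wbinfo_group.pl would answer.
ORIGINAL = """
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
acl dpto external nt_group finance
http_access deny dpto
"""

CORRECTED = """
acl AuthorizedUsers proxy_auth REQUIRED
acl dpto external nt_group finance
http_access deny dpto
http_access allow AuthorizedUsers
"""

GROUPS = {"alice": {"finance"}, "bob": {"sales"}}  # constructed sample users

def parse(conf):
    """Collect acl definitions and http_access rules in file order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl":
            acls[tok[1]] = tok[2:]           # name -> [type, args...]
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))  # (allow|deny, [acl names])
    return acls, rules

def acl_matches(definition, user):
    kind = definition[0]
    if kind == "proxy_auth":   # REQUIRED matches any authenticated user
        return True
    if kind == "external":     # external nt_group <group>
        return definition[2] in GROUPS.get(user, set())
    raise ValueError(f"ACL type not modelled: {kind}")

def decide(conf, user):
    acls, rules = parse(conf)
    for action, names in rules:
        # All ACLs on one line must match; the first matching line decides.
        if all(acl_matches(acls[n], user) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"
```

With the posted order the `deny dpto` line is never reached for an authenticated user; with the corrected order a finance member is denied and everyone else falls through to the allow.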
