Re: [squid-users] Squid 3 and active directory transparent user authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 13 Feb 2011 12:35:54 +1300

On 13/02/11 12:00, Cedric DC wrote:
>
> Hello,
>
> Currently architecture
> ----------------------
> We have a dedicated squid 3 server and squidguard installed on a Linux Ubuntu server.
> The goal is currently to be able to perform web caching for the corporate users and filter web sites.
> The server is installed on a private DMZ and allows:
> -Traffic initiated from the LAN to the squid server for the port TCP 3128
> -Traffic initiated from the squid server to the Internet with services HTTP, HTTPS, FTP, NTP, DNS
> -The rest of the traffic is dropped by a hardware cluster firewall
>
> Evolution architecture
> ----------------------
> We want to TRANSPARENTLY authenticate the corporate users who want to go on the Internet. In addition, we want to have in the log files the "username" for each request to the Internet.
> We want to perform the user authentication by asking our Windows Server 2003 (Active Directory).

NOTE: The only real form of auth which is "transparent" in Squid is for
reverse proxies, which your case does not seem to be.

What you seem to mean by "TRANSPARENT" is that the user does not notice
it happening. This is a browser configuration issue. When configured
properly on a stable network the browser only asks for login once (if at
all) when starting up, regardless of the auth protocol used when talking to Squid.

>
> I have performed a search on the Internet and it seems there are several options:
> -NTLM authentication
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmWithGroups
>

If you are newly adding auth to the network try and avoid NTLM auth.

Kerberos is the much simpler and more secure replacement. The groups
checking if you need it applies equally and almost the same to both auth
protocols.

> -LDAP authentication
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ldap
>
> -Kerberos authentication
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
>
>
> 1-What is the best option to make authentication with Windows 2003 (Active Directory) that will be easy to deploy?

"best" as defined by what criteria? ... easy to setup? secure?
compatibility with HTTP? range of clients supporting it?

When working properly none of the auth mechanisms actually need to
display popups to the user. When incompletely setup or broken they all
will regardless of protocol claims of transparency/invisibility. This is
a browser security decision.

And no, it will likely not be easy. There are many apps that do not do
auth at all, many that do only a limited range of auth types, and some
which claim to but do it badly.

> 2-Is it possible, for example, to enable authentication for users and NOT for servers?

I believe it's possible. That is a backend configuration problem though,
nothing to do with Squid.

> 3-Is it possible to create a special group in Active Directory which contains all users allowed to surf? Squid allows surfing only if the user is present in this group?

Um, did you read those wiki pages you linked to? Particularly the one
called "NtlmWithGroups"?

> 4-How can I differentiate these 2 profiles in squid? For information, users and datacenters are in two separate IP subnets.

You just answered your own question there. Use IP to alter the auth ACLs
tested.

> 5-Do you have a very good tutorial concerning the implementation in my case ?
>

The three wiki pages you linked to seem to be good ones if I do say so
myself (as a co-author and editor).

> Here is the squid package version installed on our server
>
> root_at_XXXXXX:/etc/squid3# dpkg -l | grep squid
> ii squid3 3.0.STABLE8-3 A full featured Web Proxy cache (HTTP proxy)
> ii squid3-common 3.0.STABLE8-3 A full featured Web Proxy cache (HTTP proxy)
> ii squidguard 1.2.0-8.4ubuntu1 filter, redirector and access controller plu

You will find many fewer auth problems in the 3.1 or later series of Squid.

Ubuntu 10.10 has 3.1.6. And I provide a PPA for source packages of the
even newer 3.1 code with fixes 3.1.6 is lacking.
https://launchpad.net/~yadi/+archive/ppa

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.4
Received on Sat Feb 12 2011 - 23:35:58 MST
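The approach Amos describes (Kerberos rather than NTLM, an AD group check, and IP-based selection of which subnet must authenticate) as a squid.conf fragment for the 3.1 series. This is an added example, not configuration from the thread or from the Squid wiki; the helper paths, subnet ranges, realm, principal and group name are assumed placeholders.

```conf
# Added example, not from the original thread. Placeholders: helper paths,
# 10.10.0.0/16, 10.20.0.0/24, EXAMPLE.LOCAL, proxy.example.local, Internet-Users.

# Kerberos (Negotiate) authentication against AD; no NTLM helper configured.
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s HTTP/proxy.example.local@EXAMPLE.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on

# AD group membership check: the helper receives the authenticated name (%LOGIN)
# and answers OK only if the user is in the named group (question 3).
external_acl_type ad_group ttl=3600 negative_ttl=300 %LOGIN /usr/lib/squid3/squid_kerb_ldap -g Internet-Users@EXAMPLE.LOCAL

# Two profiles distinguished by source subnet (question 4).
acl user_lan   src 10.10.0.0/16   # workstations: must authenticate
acl datacenter src 10.20.0.0/24   # servers: never challenged (question 2)

acl auth_required proxy_auth REQUIRED
acl in_allowed_group external ad_group

# Servers pass without credentials; everything else must authenticate
# and be in the allowed group. The username then appears in access.log.
http_access allow datacenter
http_access deny !user_lan
http_access deny !auth_required
http_access allow in_allowed_group
http_access deny all
```

Because `datacenter` is allowed before any `proxy_auth` ACL is evaluated, those hosts are never sent a 407 challenge, while the `deny !auth_required` line is what triggers the challenge for the workstation subnet.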
