
Differences between version 16 and predecessor to the previous major change of SquidNotes.


Newer page: version 16 Last edited on Monday, August 28, 2006 9:26:37 pm by CraigBox
Older page: version 13 Last edited on Tuesday, July 18, 2006 4:10:54 pm by IanMcDonald
@@ -1,8 +1,7 @@
 !!! [Squid] Caching Proxy Server Notes 
-  
+-----  
 !!Problem solving 
-  
 !Resolving name problems 
 Having problems that ~http://brian/wherever/whatever doesn't resolve in Squid? This is caused by Squid running its own DNS resolver, instead of using gethostbyname(3). It pulls the IPs of the name servers out of resolv.conf(5). Add a line like this to your squid.conf: 
  
  append_domain .yourdomain.tla 
@@ -31,9 +30,9 @@
 proxycfg -u 
  
 will import your proxy server setting from Internet Explorer. 
  
-  
+-----  
 !!Add-on utilities for Squid 
  
 ! Log Analysis (sarg) 
 sarg is a log file analyser for squid. It's partially useful. 
@@ -61,9 +60,9 @@
 * [ufdbGuard] (http://www.urlfilterdb.com) (GPL but you can't sell it) 
  
 (Note from Daniel Barron, DG author: the SG clause is in violation of the GPL and thus is invalid. The DG license is fully 100% within the GPL. What is asked for is that commercial users pay to __download__ DG. I just thought I'd clarify the [FUD].) 
  
-  
+-----  
 !!Useful configurations and tips 
  
 ! Proxy Auto Detection 
  
@@ -113,70 +112,72 @@
 <pre> 
  redirect_program /local/squid/bin/ufdbGuard -c /local/squid/etc/ufdbGuard.conf 
  redirect_children 2 
 </pre> 
+-----  
  
-!!Proxy Auth with [NTLM] 
+!!Authentication and transparent proxying  
+  
+ !Proxy Auth with [NTLM] 
  
 A full working example on having a Squid proxy pick up user information from NTLM and a MicrosoftWindows ActiveDirectory. This will allow anyone in the AD Group "Internet" to have full access to the internet, and anyone in "Domain Users" (and not in "Internet") to access sites in the "/etc/squid-allowedsites" file only. 
  
 If you are using InternetExplorer or newer [Mozilla] browsers (on MicrosoftWindows), this will work transparently using NTLM Authentication. If you're using another browser (or are running [Linux]), you'll be prompted for a username and password. 
  
-Using [ Squid] 2.5STABLE3 and [ Samba] 2 .2 .8a. Squid was recompiled with all winbind helpers and samba was recompiled with challenge-auth
+The format for authentication helpers has changed as of Samba 3. This example works with Squid 2.5STABLE3 and Samba 3 . .10
  
-Initially we tried to use transparent proxying AND NTLM auth, as all indications were that this should work. In practice it does not - it seems there are bugs in squid which prevent this
+Initially we tried to use transparent proxying AND NTLM auth, as all indications were that this should work. In practice it does not - see below
  
-After installation of all packages and config files, samba must be joined to the domain with the command "smbpasswd -j DOMAIN -r PDC -U Administrator" - this will prompt you for the admin password. 
+After installation of all packages and config files, samba must be joined to the domain with the command <tt>net join -U Administrator</tt> - this will prompt you for the admin password. Then, teach Winbind the domain credentials: <tt>wbinfo --set-auth-user Administrator%password</tt>
  
-At every boot, samba and winbind must be started, and winbind must auth to the domain with the command: "winbind -A DOMAIN\\Administrator%password"
+At every boot, Winbind must be started. Packages do this for you automatically
  
 Config files: 
  
 !squid.conf 
  
 <verbatim> 
-hierarchy_stoplist cgi-bin ?  
-  
-auth_param ntlm program /usr/lib /squid/wb _ntlmauth -d  
+# This configuration file is setup for NTLM authentication  
+#  
+# Set NTLM parameters  
+auth_param ntlm program /usr/bin /ntlm _auth --helper-protocol=squid-2.5 -ntlmssp  
 auth_param ntlm children 5 
 auth_param ntlm max_challenge_reuses 0 
 auth_param ntlm max_challenge_lifetime 2 minutes 
  
-#auth_param basic program /usr/lib /squid/wb _auth -d  
-# auth_param basic children 5  
-# auth_param basic realm Squid proxy-caching web server  
-# auth_param basic credentialsttl 2 hours 
+# Set basic parameters  
+ auth_param basic program /usr/bin /ntlm _auth --helper-protocol=squid-2.5-basic  
+auth_param basic children 5  
+auth_param basic realm Squid proxy-caching web server  
+auth_param basic credentialsttl 2 hours  
+  
+# Don't query neighbours for dynamic pages  
+hierarchy_stoplist cgi-bin ?  
  
+# Don't cache replies on dynamic pages  
 acl QUERY urlpath_regex cgi-bin \? 
 no_cache deny QUERY 
  
+# Define ACLs  
 acl all src 0.0.0.0/0.0.0.0 
 acl allsites dst 0/0 
 acl manager proto cache_object 
 acl localhost src 127.0.0.1/255.255.255.255 
 acl localnet src 192.168.99.0/255.255.255.0 
  
-acl allowedsites dstdomain "/etc/squid- allowedsites"  
-external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb _group -c  
-acl FullUsers external NT_global_group "/etc/squid- fullusers" 
+acl allowedsites url_regex "/etc/squid/ allowedsites"  
+external_acl_type ntgroup %LOGIN /usr/lib/squid/wbinfo _group.pl  
+acl fullusers external ntgroup "/etc/squid/ fullusers" 
  
-acl SSL _ports port 443 563  
+http _access allow localhost  
+http_access allow localnet allowedsites  
+http_access allow fullusers  
+http_access deny all  
  
-#acl purge method PURGE  
-#acl CONNECT method CONNECT  
-#http_access allow manager localhost  
-#http_access deny manager  
-#http_access allow purge localhost  
-#http_access deny purge  
-#http_access deny CONNECT !SSL_ports  
-#http _access allow localhost  
+# Allow ICP queries from all  
+icp _access allow all  
  
-#http_access allow localnet  
-  
-http_access allow allowedsites  
-http_access allow FullUsers  
-http_access deny all  
-icp_access allow all  
+# Hostname  
 visible_hostname firewall.example.co.nz 
 </verbatim> 
  
 !/etc/squid-allowedsites 
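Review bot: the `acl allowedsites` line in this hunk changes from `dstdomain` to `url_regex` while the file it reads is still described as a list of allowed sites; `url_regex` is matched against the whole URL (path and query included) rather than the destination host, so an entry such as `example.co.nz` also matches a request to any other host whose URL merely contains that string, and unanchored dots match any character. Unless the file now holds anchored regular expressions, `dstdomain` is the correct type for a site allowlist. The path also moved to `/etc/squid/allowedsites` and `/etc/squid/fullusers` while the heading that follows still reads `!/etc/squid-allowedsites`, so one of the two needs updating. Two smaller points: `acl manager proto cache_object` is kept but no `http_access` rule uses it any more, so an explicit `http_access allow manager localhost` / `http_access deny manager` pair ahead of `http_access allow fullusers` would keep authenticated users away from the cache manager; and the `wbinfo --set-auth-user Administrator%password` step stores a domain administrator's credentials for winbind (and leaves them in shell history), where a dedicated unprivileged domain account would do the same job.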
@@ -190,47 +191,51 @@
 <verbatim> 
 Internet 
 </verbatim> 
  
-(These are checked against __groups only__) 
+(These are checked against __groups only__).  
  
 !/etc/smb.conf 
 <verbatim> 
-#======================= Global Settings =======================  
-  
 [global] 
+ # general options  
+ workgroup = EXAMPLE  
+ netbios name = FIREWALL  
  
-workgroup = EXAMPLE  
-password server = ADSNAME  
-security = domain  
-encrypt passwords = true  
-winbind uid = 10000-20000  
-winbind gid = 10000-20000  
-winbind enum users = yes  
-winbind enum groups = yes  
-winbind use default domain = yes  
-winbind cache time = 3  
-log file = /var/log/samba/log.%m  
-max log size = 1000  
-syslog =  
-wins server = 10.7. .114  
-wins proxy = yes  
+ # winbindd configuration  
+ # default winbind separator is \, which is good if you  
+ # use mod_ntlm since that is the character it uses.  
+ # users only need to know the one syntax  
+ # winbind separator = \  
+  
+ # idmap uid and idmap gid are aliases for  
+ # winbind uid and winbid gid, respectively  
+ idmap uid = 10000-20000  
+ idmap gid = 10000-20000  
+ winbind enum users = yes  
+ winbind enum groups = yes  
+ # makes wbinfo able to see groups  
+ client schannel = no  
+  
+ security = ads  
+ realm = example.co.nz  
+ password server = 10.7.x .x  
 </verbatim> 
  
+You will also need to allow the user ID Squid is running as to write to the <tt>/var/lib/samba/winbindd_privileged</tt>  
+directory or you will get authentication failures (with errors written to cache.log).  
  
-! Samba 3.x  
+! Transparent proxy and authentication  
  
-If you 're using Samba 3 .x, you can no longer use the Squid wb_* helpers. Instead, you have to use the Samba -supplied helpers themselves
+This can 't work . An [excellent post on the topic to the Squid users list|http://www.squid -cache.org/mail-archive/squid-users/200202/0147.html] summarises why
  
-<verbatim >  
-# NTLM proxy auth  
-auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2 .5-ntlmssp  
+> HTTP specifies two "authentication required" error codes. One for a HTTP server (401), the other for a HTTP proxy (407). When a browser connects to a server requiring authentication, the server examines the HTTP header supplied in the request. If it includes the correct authentication information (username and password) the request is honoured and the server sends back a return code of 200. If the authentication information is not present in the header, the server responds with a return code of 401. When the browser sees this it pops up the authentication window where you type your username and password. The browser then re-submits the original request this time containing the authentication information it just collected. All future requests to the server will contain the authentication information.  
+>  
+> Proxy authentication is handled in a similar manner. A browser that knows it's using a proxy (in tranparent proxying, this is NOT the case) makes a connection to the proxy and issues an HTTP request. That request can contain proxy authentication information. Note that this is in a different part of the HTTP request to the web server authentication information. If the proxy requires authentication and the proxy- auth HTTP header is empty, the proxy responds with a return code of 407. When the browser receives this it pops up a window asking for the proxy username and password. Once you've typed it in, the browser resubmits the original request this time containing the proxy authentication information. All further requests to the proxy will contain the authentication information.  
+>  
+> If a browser is not configured to use a proxy, it will quite rightly ignore any return code of 407 . Why should it give away your proxy username and password to anyone who asks for it?  
  
-# HTTP basic proxy auth  
- auth_param basic program /usr/bin/ntlm_auth --helper-protocol =squid-2 .5-basic  
-</verbatim>  
+> In your case you have browser->transparent proxy-> auth proxy. The auth proxy can certainly request authentication of the transparent proxy. The cache _peer config line supports this with the "login =user:password" option. However, all that does is authenticate the proxy with its parent. There is no way to make the transparent proxy authenticate individual users. Even if the 407 sent by the auth proxy, could be passed from transparent proxy to browser (it can't because the transparent proxy traps it) you cannot make the browser respond because as far as it knows, it isn't using a proxy
  
-Its a good idea to supply both NTLM and HTTP Basic authenticators so that non-IE browsers can use the  
-proxy as well.  
+> As has been stated many, many times on this list:  
  
-You will also need to allow the user ID Squid is running as to write to the <tt >/var/lib/samba/winbindd_privileged</tt>  
-directory or you will get authentication failures (with errors written to cache.log)
+> transparency, authentication, pick one
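Review bot: `client schannel = no` in the new `[global]` section disables the NetLogon secure channel between winbindd and the domain controller, and the only justification is the comment `# makes wbinfo able to see groups`; since every proxy login now depends on that traffic, the page should say which Samba and DC combination actually needed it and recommend trying group enumeration with the default setting first. The paragraph about `/var/lib/samba/winbindd_privileged` should also state how the access is granted (adding the Squid user to the directory's group rather than widening its mode), since the point of that directory is to limit who can use the privileged winbind pipe. Finally, the section now opens with "This can't work" and then quotes the list post in full; a one-line summary of the conclusion before the quote (a transparently proxied browser never sees the 407 and would not answer it anyway) would let readers skip the quote.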