!!Squid Proxy Auth with NTLM

This will allow anyone in the AD group "Internet" to have full access to the internet, and anyone in "Domain Users" (and not in "Internet") to access only the sites listed in the "/etc/squid-allowedsites" file. If you are using IE, this will work transparently using NTLM authentication. If you're using another browser, you'll be prompted for a username and password.

Using Squid 2.5STABLE3 and Samba 2.2.8a. Squid was recompiled with all winbind helpers and Samba was recompiled with challenge-auth.

Initially we tried to use transparent proxying AND NTLM auth, as all indications were that this should work. In practice it does not - it seems there are bugs in Squid which prevent this.

After installation of all packages and config files, Samba must be joined to the domain with the command "smbpasswd -j DOMAIN -r PDC -U Administrator" - this will prompt you for the admin password. At every boot, Samba and winbind must be started, and winbind must authenticate to the domain with the command: "winbind -A DOMAIN\\Administrator%password".

Config files:

!squid.conf
<verbatim>
hierarchy_stoplist cgi-bin ?

auth_param ntlm program /usr/lib/squid/wb_ntlmauth -d
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param basic program /usr/lib/squid/wb_auth -d
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0
acl allsites dst 0/0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.99.0/255.255.255.0
acl allowedsites dstdomain "/etc/squid-allowedsites"

external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group -c
acl FullUsers external NT_global_group "/etc/squid-fullusers"

acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
#acl purge method PURGE
#acl CONNECT method CONNECT

#http_access allow manager localhost
#http_access deny manager
#http_access allow purge localhost
#http_access deny purge
#http_access deny CONNECT !SSL_ports
#http_access allow localhost
#http_access allow localnet
http_access allow allowedsites
http_access allow FullUsers
http_access deny all

icp_access allow all

visible_hostname firewall.example.co.nz
</verbatim>

!/etc/squid-allowedsites
<verbatim>
.foo.bar
.foo.bar.baz
</verbatim>

!/etc/squid-fullusers
<verbatim>
Internet
</verbatim>
(These are checked against __groups only__)

!/etc/smb.conf
<verbatim>
#======================= Global Settings =======================
[global]
   workgroup = EXAMPLE
   password server = ADSNAME
   security = domain
   encrypt passwords = true

   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   #winbind separator = +
   winbind use default domain = yes
   winbind cache time = 3

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0

   wins server = 10.7.0.114
   wins proxy = yes
</verbatim>
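The following is an added example, not code from the original page or from Squid: a small model of how the three active http_access lines above are evaluated, first match wins, with a constructed group table (users alice and bob) standing in for the wb_group -c lookup behind the NT_global_group external ACL.

```python
# Toy model of Squid's first-match http_access evaluation for the
# squid.conf above. Added example; the group data is constructed and
# stands in for what wb_group -c would answer from the domain.

# Constructed stand-in for AD group membership as wb_group would see it.
AD_GROUPS = {
    "alice": {"Domain Users", "Internet"},
    "bob": {"Domain Users"},
}

ALLOWED_SITES = [".foo.bar", ".foo.bar.baz"]  # /etc/squid-allowedsites
FULL_GROUPS = ["Internet"]                    # /etc/squid-fullusers


def dstdomain_match(host, patterns):
    """dstdomain semantics: a pattern with a leading dot matches the domain
    itself and every subdomain; one without a dot must match exactly."""
    host = host.lower()
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def external_group_match(user, groups):
    """Model of 'acl FullUsers external NT_global_group': the helper is fed
    %LOGIN, so it can only be consulted once the client has authenticated."""
    if user is None:
        return None  # no credentials yet: Squid must challenge first
    return bool(AD_GROUPS.get(user, set()) & set(groups))


def http_access(host, user=None):
    """Walk the active http_access lines top to bottom; first match decides.
    'challenge' approximates the 407 Squid sends when an ACL that needs a
    login is reached on a request carrying no credentials."""
    # (verdict, ACL check) in the order they appear in squid.conf
    rules = [
        ("allow", lambda: dstdomain_match(host, ALLOWED_SITES)),  # allowedsites
        ("allow", lambda: external_group_match(user, FULL_GROUPS)),  # FullUsers
        ("deny", lambda: True),  # all
    ]
    for verdict, check in rules:
        result = check()
        if result is None:
            return "challenge"
        if result:
            return verdict
    return "deny"
```

Note that the "allow allowedsites" line references no authentication ACL, so in this config a request for a listed site is permitted before any credentials are requested at all; only requests that fall through to "FullUsers" trigger the NTLM challenge.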