[squid-users] Squid - Dans - squid from Alan Araujo on 2007-03-06 (squid-users)

From: Alan Araujo <alantazz@dont-contact.us>
Date: Tue, 6 Mar 2007 09:39:08 -0300

Hi,

I install a solution Squid - dansguardian - squid and the acces log is
not showing the user-logon-name and source IP.

When we put NTLM and ACLs we receive access denied.

Squid conf 1:

cache_effective_user squid
cache_effective_group squid
http_port 3128
cache_dir aufs /cache 28000 16 256
pid_filename /var/run/squid/squid.pid
cache_peer 127.0.0.1 parent 8080 0 no-query login=*:nopassword
forwarded_for on # PASSA IP DOS CLIENTES PARA O DANSGUARDIAM
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
#access_log /var/log/squid/access_barcelona.log squid
#useragent_log /var/log/squid/useragent.log # SOMENTE HABILITE PARA
AUDITAR USER-AGENT DE BROWSERS
log_mime_hdrs on
cache_store_log none
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
coredump_dir /usr/local/squid/var/cache
dns_nameservers 10.12.0.33 10.12.0.37

[root@barcelona ~]# clear
[root@barcelona ~]# cat /usr/local/squid/etc/squid.conf
cache_effective_user squid
cache_effective_group squid
http_port 3128
cache_dir aufs /cache 28000 16 256
pid_filename /var/run/squid/squid.pid
cache_peer 127.0.0.1 parent 8080 0 no-query login=*:nopassword
forwarded_for on # PASSA IP DOS CLIENTES PARA O DANSGUARDIAM
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
#access_log /var/log/squid/access_barcelona.log squid
#useragent_log /var/log/squid/useragent.log # SOMENTE HABILITE PARA
AUDITAR USER-AGENT DE BROWSERS
log_mime_hdrs on
cache_store_log none
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
coredump_dir /usr/local/squid/var/cache
dns_nameservers 10.12.0.33 10.12.0.37

Squid NTLM conf 2 :
cache_effective_user squid
cache_effective_group squid
http_port 127.0.0.1:3030
cache_dir null /dev/null
pid_filename /var/run/squid/squid-ntlm.pid
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# FAKE AUTH

auth_param ntlm program /usr/local/squid/libexec/fakeauth_auth
auth_param ntlm children 30

# NTLM

#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 30

access_log /var/log/squid/access_barcelona.log squid
cache_store_log none

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# Busca os grupos no AD
external_acl_type nt_group children=30 %LOGIN
/usr/local/squid/libexec/wbinfo_group.pl

# ACL Dos usuarios autenticados
acl usuarios_autenticados proxy_auth REQUIRED

# ACL de acesso

acl webbloqueada external nt_group WEBBLOQUEADA
acl webliberada external nt_group WEBLIBERADA

# ACL de teste para a SESRE

acl sesre external nt_group SESRE

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#acl ntlm proxy_auth REQUIRED
http_access allow localhost
#http_access allow ntlm
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow usuarios_autenticados all
http_access allow webliberada all
http_access allow sesre all

#http_access allow all

#http_reply_access allow all

http_reply_access allow webliberada
http_reply_access allow sesre

http_access deny all
http_reply_access deny all

icp_access allow all
coredump_dir /usr/local/squid/var/cache
dns_nameservers 10.12.0.33 10.12.0.37

Thanks for helping,
Received on Tue Mar 06 2007 - 05:39:21 MST

This archive was generated by hypermail pre-2.1.9 : Sat Mar 31 2007 - 13:00:01 MDT