Chris Robertson wrote:
> Phibee Network Operation Center wrote:
>> Hi
>>
>> i have a new problems with my Squid Server (NTLM AD)
>>
>> My configuration:
>>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 15
>> auth_param ntlm keep_alive on
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 15
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> #external_acl_type AD_Group children=50 concurrency=50 %LOGIN
>> /usr/lib/squid/wbinfo_group.pl
>> external_acl_type AD_Group children=50 concurrency=50 ttl=1800
>> negative_ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl
>>
>> cache_peer 127.0.0.1 parent 8081 0 proxy-only no-query
>> weight=100 connect-timeout=5 login=*:password
>>
>> ## ACL des droits d'accès
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/32
>> acl to_localhost dst 127.0.0.0/8
>> acl Lan src 10.0.0.0/8 # RFC1918 possible internal network
>> acl Lan src 172.16.0.0/12 # RFC1918 possible internal network
>> acl Lan src 192.168.0.0/16 # RFC1918 possible internal network
>>
>>
>> ######################################################################
>> ## ACL pour les sites web consultable sans authentification
>> ######################################################################
>> acl URL_Authorises dstdomain "/etc/squid-ntlm/allowedURL"
>> http_access allow URL_Authorises
>
> Are you sure you don't want to add additional restrictions to the
> http_access allow (such as a limitation on the source IP, or something)?
>
>> ######################################################################
>>
>> acl SSL_ports port 443 563 10000 1494 2598
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 563 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>>
>> #http_access allow manager localhost
>> http_access deny manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>> ######################################################################
>> # ACL pour definir les groupes AD autorisés a ce connecter
>> ######################################################################
>> acl AllowedADUsers external AD_Group "/etc/squid-ntlm/allowedntgroups"
>> acl Winbind proxy_auth REQUIRED
>> ######################################################################
>>
>>
>> ######################################################################
>> # ACL pour les Droits d'accès d'apres l'Active Directory
>> ######################################################################
>> # Droits d'accès d'apres l'Active Directory
>> http_access allow AllowedADUsers
>> http_access deny !AllowedADUsers
>> http_access deny !Winbind
>
> These two deny lines are redundant, as everything is denied by the next
> line...
Almost, but not quite.
Since he is using "allow AllowedADUsers" there will be no forced login.
The two denials are required to kick that 407 back at the visitor
instead of 403.
>
>> ######################################################################
>>
>> http_access deny all
>>
>>
>> ######################################################################
>> # Parametre Systeme
>> ######################################################################
>> http_port 8080
>> hierarchy_stoplist cgi-bin ?
>> cache_mem 16 MB
>> #cache_dir ufs /var/spool/squid-ntlm 5000 16 256
>> cache_dir null /dev/null
>> #logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A
>> %mt
>> #logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un
>> %Sh/%<A %mt [%>h] [%<h]
>> #logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
>> logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st
>> "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
>> access_log /var/log/squid-ntlm/access.log squid
>> cache_log /var/log/squid-ntlm/cache.log
>> cache_store_log /var/log/squid-ntlm/store.log
>> # emulate_httpd_log off
>> mime_table /etc/squid-ntlm/mime.conf
>> pid_filename /var/run/squid-ntlm.pid
>> # debug_options ALL,1
>> log_fqdn off
>> ftp_user proxy_at_gw.phibee.net
>> ftp_passive on
>> ftp_sanitycheck on
>> ftp_telnet_protocol on
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern (cgi-bin|\?) 0 0% 0
>> refresh_pattern . 0 20% 4320
>> icp_port 3130
>> error_directory /usr/share/squid/errors/French
>> icp_access allow Lan
>> icp_access deny all
>> htcp_access allow Lan
>> htcp_access deny all
>>
>>
>> Into my allowedURL, i have:
>>
>> pagesjaunes.fr
>> estat.com
>> societe.com
>> quidonc.fr
>>
>>
>>
>> when i want access to www.pagejaunes.fr, he request a authentification
>> ... i want no authentification
>> and no limitation of surf.
>>
>> Anyone see where is my error ?
>> the correct synthaxe are "pagesjaunes.fr" or ".pagesjaunes.fr" for
>> *.pagesjaunes.fr ?
>
> The second option ".pagesjaunes.fr" will match http://pagesjaunes.fr,
> http://www.pagesjaunes.fr and any other hostname in front of
> pagesjaunes.fr.
>
Correct.
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14 Current Beta Squid 3.1.0.7Received on Wed Apr 22 2009 - 08:46:57 MDT
This archive was generated by hypermail 2.2.0 : Wed Apr 22 2009 - 12:00:02 MDT