[squid-users] Squid on W2K w/ AD Authentication

From: James Bruce <jbruce@dont-contact.us>
Date: Wed, 19 Jan 2005 12:53:12 -0600

I wanted to say very many thanks to the people who made squid work on NT
and for the support this list provides. Without everyone's help our company would
have spent close to $1000 on ISA. Instead we are now using squid with Active
Directory Authentication. I've included my squid.conf to maybe help any
others that might come across this thread. I realize my config is not
perfect but hopefully it's a base for others to work off of. Once again
thank you everyone for your help. Thank you, Guido, for pointing me in the
right direction.

Situation: We needed an in-house solution to restrict internet access for our
employees. We have three different groups of employees that required access
to different sites. Instead of only blocking certain sites for these three
groups, I decided to only allow certain sites (the list was much shorter). We
also needed everyone to have full internet access during the lunch hour.

Solution: I have created three global distribution groups in Active
Directory: Restricted_Web_Access, Acct_Web_Access and Unrestricted_Web_Access.
Each group consists of users and groups.

If anyone would like to post information on how to improve this config
please feel free.

A few issues I have noticed with this: when you listen to Launchcast it will
ask you for a login after each song. Also, when you are listening to streaming
audio and you restart squid, it stops the stream even though squid only takes
15 seconds to stop and restart. Right now I'm going to try to work on some
sort of buffer to help prevent this.

Here is my squid.conf if anyone ever needs it for a skeleton.

# Squid expects ip:port as one token; a space would make it treat each token as a separate port spec
http_port 192.168.0.135:3128
cache_mem 2 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 250 KB
cache_dir ufs C:/squid/var/cache 100 16 256
cache_access_log C:/squid/var/logs/access.log
cache_log C:/squid/var/logs/cache.log
cache_store_log C:/squid/var/logs/store.log
emulate_httpd_log on
log_ip_on_direct on
mime_table C:/squid/etc/mime.conf
log_fqdn on
fqdncache_size 1024
client_netmask 255.255.255.255
client_lifetime 1 day
unlinkd_program c:/squid/libexec/unlinkd.exe

auth_param ntlm program C:/squid/libexec/win32_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#The allowed domains for Restricted Web Users
acl Restricted_Web_Access dstdomain .il.us
acl Restricted_Web_Access dstdomain .mil
acl Restricted_Web_Access dstdomain .msn.com
acl Restricted_Web_Access dstdomain .windowsupdate.com
acl Restricted_Web_Access dstdomain .edu
acl Restricted_Web_Access dstdomain .gov
acl Restricted_Web_Access dstdomain .acfenvironmental.com
acl Restricted_Web_Access dstdomain .adobe.com
acl Restricted_Web_Access dstdomain .aehs.com
acl Restricted_Web_Access dstdomain .aehsmag.com
acl Restricted_Web_Access dstdomain .afr.net
acl Restricted_Web_Access dstdomain .agu.org
acl Restricted_Web_Access dstdomain .americanexpress.com
acl Restricted_Web_Access dstdomain .aol.com
acl Restricted_Web_Access dstdomain .api.org

**Note: Really long list

#The allowed domains for Restricted Acct Users
acl Acct_Web_Access dstdomain .1035thex.com
acl Acct_Web_Access dstdomain .53.com
acl Acct_Web_Access dstdomain .98rock.com
acl Acct_Web_Access dstdomain .afr.net
acl Acct_Web_Access dstdomain .aicpa.com
acl Acct_Web_Access dstdomain .aig.com
acl Acct_Web_Access dstdomain .aigcs.net
acl Acct_Web_Access dstdomain .akamai.net

**Note: Really long list

acl all src 0.0.0.0/0.0.0.0
acl localhost src 192.168.0.0/24
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl SSL_ports port 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 2880
acl Safe_ports port 2280
acl Safe_ports port 110
acl Safe_ports port 5900
acl Safe_ports port 5800
acl Safe_ports port 8080
acl Safe_ports port 8000
acl Safe_ports port 8181
acl Safe_ports port 5061
acl Safe_ports port 5004
acl Safe_ports port 8081

# Squid day codes are S M T W H F A (H = Thursday); "MTWTF" repeated Tuesday and left Thursday out
acl lunchtime time MTWHF 12:00-13:00

acl RestrictedACL proxy_auth REQUIRED

external_acl_type ADgroup %LOGIN c:/squid/libexec/win32_check_group.exe

acl RestrictedUsers external ADgroup Restricted_Web_Access
acl AcctUsers external ADgroup Acct_Web_Access
acl Unrestrict external ADgroup Unrestricted_Web_Access

http_access allow localhost lunchtime
http_access allow manager localhost
http_access deny manager
http_access allow RestrictedUsers Restricted_Web_Access RestrictedACL
http_access deny RestrictedUsers
http_access allow AcctUsers Acct_Web_Access RestrictedACL
http_access deny AcctUsers
http_access allow Unrestrict all RestrictedACL

http_access deny to_localhost
http_access allow SSL_ports
http_access allow Safe_ports

cache_mgr Squidcache@mydomain.com
cache_effective_user nobody
unique_hostname squidtest 192.168.0.10
announce_period 1 day
icon_directory C:\squid\share\icons
error_directory C:\squid\share\errors\English
coredump_dir c:/squid/var/cache
debug_options ALL,1 33,2

James Bruce
Network Administrator
EcoDigital Development Group
(618) 735-2411 x: 180
jbruce@ecodigitaldevelopment.com
Received on Wed Jan 19 2005 - 11:53:15 MST
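An added example, not James's posted configuration: a reordered http_access block for the same ACLs. In the posted order the trailing "allow SSL_ports" and "allow Safe_ports" lines mean an authenticated account that belongs to none of the three groups still reaches any site on a safe port, and the lunchtime rule grants access with no login, so nothing is logged per user. The fragment assumes the acl names defined above plus two acls added here: "lan" (the posted config calls the 192.168.0.0/24 range "localhost") and a CONNECT method acl.

```squid
# Added example: hardened http_access ordering for the ACLs in the posted config.
# Assumed additions (not in the original): the "lan" and "CONNECT" acls below.
acl lan src 192.168.0.0/24
acl CONNECT method CONNECT

# 1. Cache manager: local network only, then nobody else.
http_access allow manager lan
http_access deny manager

# 2. Reject unsafe ports and non-SSL tunnels before any allow rule can match.
#    Deny-first replaces the posted "allow SSL_ports" / "allow Safe_ports"
#    fall-through that let ungrouped accounts out.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

# 3. Only the LAN may use the proxy at all.
http_access deny !lan

# 4. Every remaining request must carry valid credentials (407 challenge when
#    missing), so lunchtime browsing is still attributed to a user in access.log.
http_access deny !RestrictedACL

# 5. Group policy, most permissive group first so members of two groups get
#    the union of their lists rather than the first group's deny.
http_access allow lunchtime
http_access allow Unrestrict
http_access allow AcctUsers Acct_Web_Access
http_access allow RestrictedUsers Restricted_Web_Access

# 6. Explicit final deny; never rely on the implicit default.
http_access deny all
```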
