[squid-users] squid, NTLM and dansguardian

From: Timothy Larrea <webmaster@dont-contact.us>
Date: Thu, 13 Sep 2007 12:12:03 +1000

At the moment I have squid setup to use NTLM authentication
transparently, and control access to the internet based on active
directory group membership. What I'd like to do now is have all traffic
that doesn't originate from the localhost go to a parent cache, which is
DansGuardian on the same machine. DG then of course redirects traffic back
to squid, which allows the traffic coming from localhost through to the
net.

So: Squid (NTLM auth) -> DG -> Squid -> Internet.

What I don't understand is how to mix the http_access rules I currently
want to use with DG, since from what I can understand, the
http_access is ignored as the traffic isn't actually going through, but
rather being redirected to the parent proxy? Can I simply replace my
http_access rules with cache_peer_access?

Squid.conf snippets.

http_port 3128

# Requests whose URL path contains cgi-bin or a query string are treated as
# dynamic: kept out of the cache hierarchy and never stored.
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

# NTLM and Basic helpers (Samba ntlm_auth). The two "program" directives
# below were wrapped by the mail client; each directive and its
# --helper-protocol option are one line in the real squid.conf.
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours

# Group-lookup helper. %LOGIN hands the helper the authenticated user name,
# so the external acls built on it (staff, nonet, students below) can only
# match requests that carry credentials -- they are the effective auth gate
# in this snippet; confirm against the helper's documentation.
external_acl_type wb_group ttl=60 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl all src 0.0.0.0/0.0.0.0          # every client address
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

# Parent on the same host (DansGuardian, per the message). Requests that
# already arrive from 127.0.0.1 -- DG handing the request back -- must not
# be sent to the peer again, hence the deny + always_direct pair; without
# them the Squid -> DG -> Squid chain would loop.
# NOTE(review): cache_peer_access only decides whether a request may be
# forwarded to this peer; as far as I can tell it does not replace the
# http_access checks below, which Squid still evaluates on the client's
# initial request before any peer is chosen.
cache_peer 127.0.0.1 parent 8080 3130
cache_peer_access 127.0.0.1 deny localhost
always_direct allow localhost

acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 443 563 # https
acl FTP_ports port 21 # ftp
acl Java_ports port 1026
acl Mail_ports port 25 110 # pop3, smtp

acl adminpcs src "/etc/squid/adminpcs.txt"
acl staff external wb_group Staff
acl nonet external wb_group NoInternet
acl students external wb_group wcstudents

acl alllabs src "/etc/squid/alllabs.txt"      # defined but not referenced in this snippet
acl firewall dst 192.168.0.9
acl enabledlabs src "/etc/squid/enabledlabs.txt"

acl purge method PURGE
acl CONNECT method CONNECT
# NOTE(review): 'auth' is defined but no http_access line in this snippet
# uses it; authentication is only triggered via the external acls.
acl auth proxy_auth REQUIRED

# http_access is first-match. Cache-manager and PURGE are restricted to the
# local host; everything else hits the port guards first.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Denies any request to a port outside Safe_ports (80, 443, 563 above). As
# written this also denies 21, 25, 110 and 1026, so the FTP_ports, Java_ports
# and Mail_ports allow lines further down can never be reached unless those
# ports are added to Safe_ports -- TODO confirm which is intended.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Unauthenticated allow for the local host. This is the path DG's second pass
# takes (see the message), so anything else able to originate requests from
# 127.0.0.1 -- including outside clients, if the 8080 listener accepts
# non-loopback connections -- bypasses every group check below. Worth
# confirming DG is bound to the loopback address only.
http_access allow localhost
http_access deny nonet
# NOTE(review): no acl named 'admins' is defined in this snippet (the
# file-based acl is 'adminpcs'). Squid normally rejects an undefined acl
# name at startup, so either it is defined elsewhere or this is a typo.
http_access allow admins FTP_ports
http_access allow adminpcs all       # 'all' is redundant; same as 'allow adminpcs'
http_access allow Java_ports         # any client, no authentication, port 1026 (unreachable: see deny !Safe_ports)
http_access allow staff Mail_ports
# Authenticated students: only from hosts listed in enabledlabs.txt, only to
# Safe_ports, and never to the firewall address.
http_access allow students Safe_ports enabledlabs !firewall
http_access allow staff Safe_ports

http_access deny all
http_reply_access allow all
icp_access allow all                 # accepts ICP queries from any source