Re: [squid-users] Squid and NTLM passthrough

From: Luís Fernando C. Talora <talora-listas@dont-contact.us>
Date: Tue, 16 Jan 2007 09:41:01 -0200

Steffan,

I use Squid and NTLM passthrough auth. The credentials used during login
are automatically passed to Squid to allow/block user access to this or
that ACL. It works just fine. The only problem I had is that I had to
manually insert users on Squid lists (in the "domain\username" format).
I had to do that because I don't like Winbind - during the Active Directory
replication intervals, user information obtained with winbind - such as
group membership, account status and other important stuff - may not be
up to date. I solved that by building a script that uses openldap
clients to import the list of users allowed to access the Internet from
the Active Directory Domain Controller - if the user is in this OU,
he/she has access; if he/she's not, he/she doesn't.

The configuration is quite simple:

=============== squid.conf ===============
# "DOMAIN" is your AD domain; "server1" and "server2" are the NetBIOS
# names of your domain controllers (you can specify more servers, if you want)
auth_param ntlm program /usr/lib/squid/ntlm_auth DOMAIN/server1 DOMAIN/server2
auth_param ntlm children 40
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off

# Making the authentication a requirement
acl password proxy_auth REQUIRED

# Example of user ACLs
acl common_users proxy_auth "/etc/squid/lists/common_users.auth"
acl vip_users proxy_auth "/etc/squid/lists/vip_users.auth"

# Blocked keywords in URLs (Regular Expressions)
acl trash url_regex -i "/etc/squid/lists/trash.url"
# Webmail sites
acl webmail url_regex -i "/etc/squid/lists/webmail.url"

# Blocked file extensions - for everyone's safety
acl bad_extensions url_regex -i "/etc/squid/lists/bad_extensions.url"

# ---- http_access rules -----

# Blocking unsafe files for everyone
http_access deny bad_extensions all

# Allowing vip users to access everything
http_access allow vip_users all

# Disallowing common users to access "trash" and "webmail"
http_access deny common_users trash
http_access deny common_users webmail

# Allowing common users to access other sites
http_access allow common_users password

# Denying everything to everyone
http_access deny all
=============================================

========== Sample "common_users.auth" file ===========
# Everyone that have access to the Internet
mydomain\leeoswald
mydomain\pmacartney
mydomain\fmulder
mydomain\peppin
mydomain\fbaggins
mydomain\joliva
=============================================

========== Sample "vip_users.auth" file ===========
mydomain\sauron # The President/CEO
mydomain\nazgul # Mr. Sauron's secretary (almost doesn't work, but complains a lot)
mydomain\cmanson # HR Manager - Better not to bother him :)
=============================================

========== Sample "webmail.url" file ===========
# List of regular expressions that mean that user is
# trying to access some webmail service
webmail
^http\://mail\.yahoo
hotmail
zipmail
myrealbox
.*/(web)?mail
# Insert your own expressions
=============================================

========== Sample "trash.url" file ===========
# List of regular expressions that mean that user is
# trying to access some blocked websites
porn
xxx
pornography
chat
orkut
mp3
=============================================

========== Sample "bad_extensions.url" file ===========
# List of regular expressions that mean that user is
# trying to access some blocked files
.*\.exe($|\?)
.*\.bat($|\?)
# Or, making it more simple:
.*\.(exe|bat|com|scr|cmd|pif|reg|vbs)($|\?)
=============================================

Hope it helps!

Regards,

Luis Talora
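As an added example (this is not Luís's own script, which is not shown on the list), here is one way to build the "common_users.auth" list from an Active Directory OU with the OpenLDAP client tools, as his reply describes. The LDAP URI, bind account, password file and OU DN are assumed placeholders; the NetBIOS domain name must match what your ntlm_auth helper reports for users.

```shell
#!/bin/sh
# Added example, not the original poster's script: rebuild a Squid proxy_auth
# list from the user accounts in one Active Directory OU, using the OpenLDAP
# client tools. Every value marked "assumed" is a constructed placeholder.

LDAP_URI="ldap://dc1.mydomain.local"                              # assumed
BIND_DN="CN=squid-ldap,OU=Service Accounts,DC=mydomain,DC=local" # assumed
BIND_PW_FILE="/etc/squid/ldap.secret"                             # assumed, mode 0600
INTERNET_OU="OU=Internet Users,DC=mydomain,DC=local"             # assumed
NETBIOS_DOMAIN="mydomain"            # must match what ntlm_auth reports
LIST_FILE="/etc/squid/lists/common_users.auth"

# Turn the LDIF printed by ldapsearch into Squid list lines ("domain\user").
# LDIF arrives on stdin; $1 is the NetBIOS domain name. Names are lower-cased
# and de-duplicated to match the form used in the sample lists. Base64-encoded
# attributes ("sAMAccountName:: ...") are deliberately skipped: a non-ASCII
# account name needs decoding and a second look before it goes into an ACL.
ldif_to_squid_list() {
    sed -n 's/^sAMAccountName: *//p' \
      | tr 'A-Z' 'a-z' \
      | sort -u \
      | awk -v d="$1" '{ print d "\\" $0 }'
}

# Ask the OU for enabled user accounts only. The bitwise matching rule
# 1.2.840.113556.1.4.803 on userAccountControl excludes disabled accounts
# (bit 2), so a user disabled in AD drops out of the list at the next sync.
fetch_ou_users() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$INTERNET_OU" -s sub \
        '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \
        sAMAccountName
}

# Replace the list atomically, and only when the query returned something:
# an LDAP outage must not overwrite a good list with an empty one.
sync_internet_users() {
    tmp=$(mktemp "$LIST_FILE.XXXXXX") || return 1
    fetch_ou_users | ldif_to_squid_list "$NETBIOS_DOMAIN" > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "sync: LDAP returned no users, keeping current list" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp" && mv "$tmp" "$LIST_FILE" && squid -k reconfigure
}

# Only sync when asked, e.g. from cron: sync_users.sh --sync
case "${1:-}" in
    --sync) sync_internet_users ;;
esac
```

Run it from cron at whatever interval suits your AD replication. If your helper reports mixed-case user names, either keep the list in the helper's casing or declare the proxy_auth ACL with -i, since the match is otherwise case-sensitive.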

Steffan Corley wrote:
> I understand from Henrik Nordstrom's message on 1st September 2006
> that Squid 2.6 supports NTLM passthrough.
>
> I need to implement a Squid cache in front of an upstream proxy
> running ISA server (which is at the enterprise level). The ISA server
> authenticates using NTLM and then uses WebSense to filter web
> results. Crucially, while one user may be filtered for a particular
> site, another user may have access to that site.
>
> Unfortunately, I have no control over the ISA server set up and no way
> to bypass it.
>
> Is this possible? I see two possible problems:
>
> 1. Is NTLM passthrough actually implemented? I can find nothing in
> the Squid documentation. Does it do what I would need for this to
> actually work (i.e. maintain a 1-1 mapping between client connections
> and connections to the upstream proxy)?
>
> 2. Will the cached pages get served to different users without
> checking whether the upstream ISA server would have blocked them for
> this user? I.e. if user A visits www.dodgy.com and is not blocked by
> ISA server, will www.dodgy.com be served from the cache to user B
> regardless of whether the ISA server would have blocked them or not.
>
> Thanks for any help.
>
> Steffan
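Added example, not part of the original exchange: a pre-flight check for the url_regex lists in Luís's reply. Squid compiles each non-comment line of such a file as an extended regex, case-insensitive because of the -i on the acl, and grep -E -i is close enough to that to catch a bad pattern before it goes live. The list contents and URLs below are constructed; the check also shows why the one-word entries in "trash.url" over-match.

```shell
#!/bin/sh
# Added example (not from the original post): test a Squid url_regex list
# against sample URLs with grep -E -i before deploying it.

# $1 = list file, $2 = URL. Returns 0 if any pattern in the file matches.
# Comment and blank lines are dropped first: a blank line handed to grep -f
# would match every URL, which is not how Squid treats it.
url_matches_list() {
    pat=$(mktemp) || return 2
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" > "$pat"
    printf '%s\n' "$2" | grep -E -i -q -f "$pat"
    rc=$?
    rm -f "$pat"
    return $rc
}

# Constructed copies of two of the sample lists, written to a temp dir.
write_sample_lists() {
    dir=$(mktemp -d) || return 1
    BAD_EXT_LIST="$dir/bad_extensions.url"
    TRASH_LIST="$dir/trash.url"
    printf '%s\n' '# blocked files' \
        '.*\.(exe|bat|com|scr|cmd|pif|reg|vbs)($|\?)' > "$BAD_EXT_LIST"
    printf '%s\n' '# blocked sites' 'porn' 'chat' 'mp3' > "$TRASH_LIST"
}

# $1 = list file, remaining args = URLs. Prints one verdict per URL.
report() {
    list=$1
    shift
    for url in "$@"; do
        if url_matches_list "$list" "$url"; then
            echo "BLOCK $url"
        else
            echo "allow $url"
        fi
    done
}

case "${1:-}" in
    --demo)
        write_sample_lists
        report "$BAD_EXT_LIST" 'http://example.test/setup.exe' \
            'http://example.test/setup.EXE?dl=1' 'http://example.test/exec.html'
        # "chat" also hits unrelated host names: short keywords over-block.
        report "$TRASH_LIST" 'http://www.chatham.example/' 'http://example.test/news'
        ;;
esac
```

Run it with --demo to see the verdicts; point url_matches_list at your real list files to check a new pattern against the URLs it is meant to catch and a few it must not.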
Received on Tue Jan 16 2007 - 04:42:03 MST

This archive was generated by hypermail pre-2.1.9 : Thu Feb 01 2007 - 12:00:01 MST