Squid
Description
Now that our Samba is connected to our Windows Active Directory (ADS) we can start to authenticate our Squid users against Windows ADS accounts and/or groups.
In this setup we also have an additional caching firewall proxy/content filter (cache_peer) in front of our Squid machine.
We also enable SNMP queries, which we can feed to MRTG to produce graphs later on.
Dependencies
USE-Flags
File: /etc/portage/package.use
net-proxy/squid kerberos samba snmp
Installation
# emerge squid
Allow Squid to use Samba's winbind by changing the group ownership of the winbindd_privileged directory to the group Squid runs under (squid on Gentoo). The ntlm_auth helper needs this privileged pipe to complete NTLM handshakes; without it every NTLM login fails.
# chown root:squid /var/cache/samba/winbindd_privileged
# chmod 750 /var/cache/samba/winbindd_privileged
Configuration
File: /etc/squid/squid.conf
TAG: external_acl_type
# Check a logged-in user's group membership using wbinfo from Samba
external_acl_type NT_global_group children-max=20 ttl=900 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl
- TAG: auth_param
# NTLM authentication (automatic authentication against AD)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=0 idle=1
auth_param ntlm keep_alive on
# Basic authentication (manual user/password authentication against AD)
# Basic sends the password in clear text between client and proxy; keep it
# only as a fallback for clients that cannot do NTLM
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20 startup=5 idle=1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
- TAG: acl
# Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# acl <aclname> <acltype> <definition>
# Members of the ADS group WWW
acl ProxyUsers external NT_global_group WWW
# Need to be authorized
acl AuthorizedUsers proxy_auth REQUIRED
# Domains accessible via our intranet
acl local-servers dstdomain .intra .intranet
# IPs accessible via our intranet
acl local-network dst 10.0.0.0/8
# SNMP access
acl snmppublic snmp_community public
# Comment out, we don't want access for the whole localnet
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
- TAG: http_access
# Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
# Comment out, we don't want access for the whole localnet
#http_access allow localnet
# Allow the localhost to have access by default
http_access allow localhost
# Allow intranet access for unauthorized/all users
http_access allow local-servers
http_access allow local-network
# Allow access for authorized users
http_access allow AuthorizedUsers ProxyUsers
# And finally deny all other access to this proxy
http_access deny all
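The order of the http_access lines above is what enforces the policy: Squid tests the lines top to bottom, a line only matches when every ACL on it matches, the first matching line decides, and reaching a proxy_auth ACL (or a %LOGIN external ACL) for a request that carries no credentials makes Squid answer with a 407 challenge instead of a plain deny. The following Python script is an added example that models this walk for the ACLs and http_access lines of this page; it is not code from the original page or from Squid. The AD group membership is a constructed dict standing in for winbind, dst matching assumes the resolved IP is passed in with the request (Squid resolves the name itself), and the manager/cache_object lines are left out.

```python
import ipaddress

# Constructed stand-in for ext_wbinfo_group_acl: AD group membership per user.
# In production winbind answers this, not a dict.
AD_GROUPS = {"alice": {"WWW", "Domain Users"}, "bob": {"Domain Users"}}

# ACL definitions copied from the squid.conf above (cache_object/manager omitted).
ACLS = {
    "localhost":       ("src", ["127.0.0.1/32"]),
    "local-servers":   ("dstdomain", [".intra", ".intranet"]),
    "local-network":   ("dst", ["10.0.0.0/8"]),
    "SSL_ports":       ("port", ["443"]),
    "Safe_ports":      ("port", ["80", "21", "443", "70", "210", "1025-65535",
                                 "280", "488", "591", "777", "901"]),
    "purge":           ("method", ["PURGE"]),
    "CONNECT":         ("method", ["CONNECT"]),
    "AuthorizedUsers": ("proxy_auth", ["REQUIRED"]),
    "ProxyUsers":      ("external", ["WWW"]),      # external NT_global_group WWW
}

# http_access lines from the squid.conf above, in their original order.
HTTP_ACCESS = [
    ("allow", ["purge", "localhost"]),
    ("deny",  ["purge"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["local-servers"]),
    ("allow", ["local-network"]),
    ("allow", ["AuthorizedUsers", "ProxyUsers"]),
    ("deny",  ["all"]),
]


class AuthRequired(Exception):
    """A proxy_auth (or %LOGIN external) ACL was reached without credentials."""


def request(src, method, host, port, dst_ip=None, user=None):
    """Build a request; dst_ip is the resolved address Squid would use for 'dst' ACLs."""
    return {"src": src, "method": method, "host": host.lower(), "port": port,
            "dst_ip": dst_ip, "user": user}


def port_matches(spec, port):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def acl_matches(name, req):
    if name == "all":
        return True
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "dst":
        # Squid resolves the host first; an unresolvable name can never match 'dst'.
        return req["dst_ip"] is not None and any(
            ipaddress.ip_address(req["dst_ip"]) in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        # A leading dot matches the domain itself and every sub-domain.
        return any(req["host"] == v.lstrip(".") or req["host"].endswith(v) for v in values)
    if kind == "port":
        return any(port_matches(v, req["port"]) for v in values)
    if kind == "method":
        return req["method"] in values
    if kind == "proxy_auth":
        if req["user"] is None:
            raise AuthRequired()        # Squid replies 407 Proxy Authentication Required
        return True                     # REQUIRED: any successfully authenticated user
    if kind == "external":
        if req["user"] is None:         # a %LOGIN helper also needs a logged-in user
            raise AuthRequired()
        return any(g in AD_GROUPS.get(req["user"], set()) for g in values)
    raise ValueError(kind)


def http_access(req):
    """Return 'allow', 'deny' or '407' for req; the first matching line wins."""
    for action, terms in HTTP_ACCESS:
        try:
            # "!name" negates a single ACL; all terms on the line must hold.
            if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
                return action
        except AuthRequired:
            return "407"
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    cases = [
        request("10.0.1.20", "GET", "wiki.intra", 80),                                   # allow, no auth needed
        request("10.0.1.20", "GET", "build-box", 8080, dst_ip="10.0.5.7"),               # allow via local-network
        request("10.0.1.20", "GET", "www.example.com", 80, dst_ip="93.184.216.34"),      # 407 challenge
        request("10.0.1.20", "GET", "www.example.com", 80, dst_ip="93.184.216.34", user="alice"),  # allow
        request("10.0.1.20", "GET", "www.example.com", 80, dst_ip="93.184.216.34", user="bob"),    # deny, not in WWW
        request("10.0.1.20", "CONNECT", "www.example.com", 8080, dst_ip="93.184.216.34"),          # deny before auth
    ]
    for c in cases:
        print(f"{c['method']} {c['host']}:{c['port']} user={c['user']}: {http_access(c)}")
```

Two things the walk makes visible: the port and CONNECT denials sit before the authentication line, so a bad request is refused without ever costing an ntlm_auth helper, and an intranet host on any port in the 1025-65535 Safe_ports range is reachable without credentials. Note that to_localhost is defined in the acl section but not referenced by any http_access line on this page, so it is not modelled.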
- TAG: icp_access
# Comment out since we don't have a localnet acl anymore
#icp_access allow localnet
icp_access deny all
- TAG: htcp_access
# Comment out since we don't have a localnet acl anymore
#htcp_access allow localnet
htcp_access deny all
- TAG: http_port
# Squid normally listens on port 3128
http_port 3128
- TAG: cache_peer
# Optional: tell our Squid to send everything to our content-filter/firewall gateway
# Comment this out if you don't have another proxy in front of Squid
cache_peer fw.yourdomain.local parent 8080 7 no-query no-delay default
- TAG: hierarchy_stoplist
hierarchy_stoplist cgi-bin ?
- TAG: access_log
access_log /var/log/squid/access.log squid
- TAG: refresh_pattern
# Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
- TAG: cache_mgr
cache_mgr administrator@yourdomain.local
- TAG: snmp_port
# Make our Squid listen for SNMP queries on port 3401
snmp_port 3401
- TAG: snmp_access
# Allow localhost to query our Squid and deny all others
# "public" is only an SNMPv1 community string sent in clear text, not a password;
# the localhost restriction is what actually protects the data
snmp_access allow snmppublic localhost
snmp_access deny all
- TAG: icp_port
icp_port 3130
- TAG: error_directory
# Localize our error messages
error_directory /usr/share/squid/errors/German
- TAG: always_direct
# Optional: only required when using a cache_peer
# Tell Squid to bypass our cache_peer for our local servers and networks
always_direct allow local-servers
always_direct allow local-network
- TAG: never_direct
# Optional: only required when using a cache_peer
# Tell Squid to use our cache_peer for everything else
never_direct allow all
- TAG: forwarded_for
# Send "X-Forwarded-For: unknown" instead of the client's address to the parent
forwarded_for off
- TAG: coredump_dir
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid
Finalize
# /etc/init.d/squid start
# rc-update add squid default
Testing
# snmpwalk -Cc -v1 -c public -m /usr/share/squid/mib.txt localhost:3401 .1.3.6.1.4.1.3495
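The SNMP walk only shows that Squid is up. To confirm that the authentication and the cache_peer routing above behave as configured, read access.log, which the access_log line above writes in Squid's native squid format (time, elapsed, client, code/status, bytes, method, URL, user, hierarchy/peer, type). The following Python script is an added example, not code from the original page or from Squid: it runs over a constructed sample log (the host names, the fw.yourdomain.local peer and the DOMAIN\user form of the logged name are assumptions; winbind logs the name with or without the domain prefix depending on its settings, so the parser strips any DOMAIN\ prefix). It reports requests per AD user, clients that only ever receive 407 challenges, and requests whose forwarding contradicts the always_direct/never_direct rules.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native "squid" access_log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
# These lines are made up for the example; they are not logs from this proxy.
SAMPLE_LOG = r"""
1369292821.001     12 10.0.1.20 TCP_DENIED/407 3212 GET http://www.example.com/ - NONE/- text/html
1369292821.052     14 10.0.1.20 TCP_DENIED/407 3212 GET http://www.example.com/ - NONE/- text/html
1369292821.310    245 10.0.1.20 TCP_MISS/200 15320 GET http://www.example.com/ DOMAIN\alice FIRSTUP_PARENT/fw.yourdomain.local text/html
1369292822.100     30 10.0.1.20 TCP_HIT/200 4096 GET http://wiki.intra/Main_Page DOMAIN\alice NONE/- text/html
1369292823.400    120 10.0.1.21 TCP_MISS/200 2048 GET http://10.0.5.7/status - DIRECT/10.0.5.7 text/plain
1369292824.000     11 10.0.1.22 TCP_DENIED/407 3212 GET http://www.example.org/ - NONE/- text/html
1369292824.050     10 10.0.1.22 TCP_DENIED/407 3212 GET http://www.example.org/ - NONE/- text/html
1369292824.100     10 10.0.1.22 TCP_DENIED/407 3212 GET http://www.example.org/ - NONE/- text/html
1369292825.000     90 10.0.1.23 TCP_MISS/200 777 GET http://intranet.example.intra/ DOMAIN\bob FIRSTUP_PARENT/fw.yourdomain.local text/html
1369292826.000    200 10.0.1.20 TCP_MISS/200 5000 CONNECT www.example.com:443 DOMAIN\alice FIRSTUP_PARENT/fw.yourdomain.local -
"""

LOCAL_DOMAINS = (".intra", ".intranet")                 # the local-servers acl above
LOCAL_NETWORK = ipaddress.ip_network("10.0.0.0/8")      # the local-network acl above


def parse_line(line):
    """Split one native-format line into its fields; None if it is not 10 fields."""
    f = line.split()
    if len(f) != 10:
        return None
    code, _, status = f[3].partition("/")
    hierarchy, _, peer = f[8].partition("/")
    # Assumed: winbind may log DOMAIN\user; keep only the user part.
    user = None if f[7] == "-" else f[7].split("\\")[-1]
    return {"client": f[2], "code": code, "status": int(status), "method": f[5],
            "url": f[6], "user": user, "hierarchy": hierarchy, "peer": peer}


def url_host(url):
    """Host part of a logged URL; CONNECT requests log only host:port."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def is_local(host):
    """Would the local-servers or local-network acl above match this destination?"""
    try:
        return ipaddress.ip_address(host) in LOCAL_NETWORK
    except ValueError:
        return any(host == d.lstrip(".") or host.endswith(d) for d in LOCAL_DOMAINS)


def analyse(log_text):
    per_user = Counter()        # requests per authenticated AD user
    challenges = Counter()      # 407 challenges per client address
    authenticated = set()       # clients that completed at least one authenticated request
    misrouted = []              # (host, hierarchy, peer) contradicting always_/never_direct
    for line in log_text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        if r["status"] == 407:
            challenges[r["client"]] += 1
            continue
        if r["user"]:
            per_user[r["user"]] += 1
            authenticated.add(r["client"])
        if r["hierarchy"] == "NONE":     # cache hit or denial: no forwarding decision
            continue
        host = url_host(r["url"])
        local = is_local(host)
        via_parent = r["hierarchy"].endswith("PARENT")
        if (local and via_parent) or (not local and r["hierarchy"] == "DIRECT"):
            misrouted.append((host, r["hierarchy"], r["peer"]))
    # Two 407s per NTLM handshake are normal; a client that only ever gets 407s
    # never completes it (bad credentials, or a client that cannot speak NTLM).
    stuck = sorted(c for c in challenges if c not in authenticated)
    return {"per_user": dict(per_user), "stuck_clients": stuck, "misrouted": misrouted}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, 10.0.1.22 never gets past the challenge, and the intranet.example.intra request went to the parent although always_direct should have sent it DIRECT; on a real proxy that is the symptom to look for when the content filter starts seeing intranet traffic.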
Issues & Fixes
cache.log: WARNING: All xx/xx ntlmauthenticator processes are busy
2013/05/23 07:47:01 kid1| WARNING: All 35/35 ntlmauthenticator processes are busy.
2013/05/23 07:47:01 kid1| WARNING: 35 pending requests queued
2013/05/23 07:47:01 kid1| WARNING: Consider increasing the number of ntlmauthenticator processes in your config file.
Raise the children limit to a value that suits your load. Each helper is a separate ntlm_auth process, so check memory use after raising it.
File: /etc/squid/squid.conf
TAG: auth_param
auth_param ntlm children 100 startup=10 idle=5
cache.log: WARNING! Your cache is running out of filedescriptors
First raise the limits allowed by the system (see File descriptor); Squid can only raise its own limit up to the hard limit it is started with. Then tell Squid how many descriptors it may use:
File: /etc/squid/squid.conf
TAG: max_filedescriptors
max_filedescriptors 4096
# squidclient mgr:info
File descriptor usage for squid:
Maximum number of file descriptors: 4096
Largest file desc currently in use: 945
Number of file desc currently in use: 926
Files queued for open: 0
Available number of file descriptors: 3170
Reserved number of file descriptors: 100
Store Disk files open: 0
Further Reading
- MRTG - Get nice graphs out of your SNMP data