Squid: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| (25 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Description == | == Description == | ||
Now that our Samba is connected to our Windows ADS we can start to authentificate our Squid users against Windows ADS Accounts and/or Groups. | Now that our [[Samba]] is connected to our Windows ADS we can start to authentificate our [[Squid]] users against Windows ADS Accounts and/or Groups. | ||
In this setup we also have an additional caching firewall proxy content-filter (cache_peer) infront of our [[Squid]] machine. | |||
We also enable [[Net-SNMP|SNMP]] queries which we can feed to [[MRTG]] to produce nice graphs later on. | |||
== Dependencies == | == Dependencies == | ||
| Line 7: | Line 11: | ||
== USE-Flags == | == USE-Flags == | ||
{{ | {{File|/etc/portage/package.use| | ||
<pre> | <pre> | ||
net-proxy/squid samba snmp | net-proxy/squid kerberos samba snmp | ||
</pre> | </pre> | ||
}} | }} | ||
== | == Installation == | ||
{{ | {{Root|emerge squid}} | ||
}} | |||
Allow squid to use samba winbind by changing group ownership of the winbindd_privileged directory to the group squid runs under. | |||
{{ | {{Root|chown root:squid /var/cache/samba/winbindd_privileged}} | ||
{{ | {{Root|chmod 750 /var/cache/samba/winbindd_privileged}} | ||
== Configuration == | == Configuration == | ||
{{ | {{File|/etc/squid/squid.conf| | ||
TAG: auth_param | TAG: external_acl_type | ||
<pre> | |||
# check logged in users group membership using wbinfo from samba | |||
external_acl_type NT_global_group children-max=20 ttl=900 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl | |||
</pre> | |||
*TAG: auth_param | |||
<pre> | <pre> | ||
# | # NTLM authentification (automatic authentification against AD) | ||
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp | auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp | ||
auth_param ntlm children | auth_param ntlm children 20 startup=0 idle=1 | ||
auth_param ntlm keep_alive on | auth_param ntlm keep_alive on | ||
# Basic authentification (manual user/password authentification against AD) | |||
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic | auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic | ||
auth_param basic children 5 | auth_param basic children 20 startup=5 idle=1 | ||
auth_param basic realm Squid proxy-caching web server | auth_param basic realm Squid proxy-caching web server | ||
auth_param basic credentialsttl 2 hours | auth_param basic credentialsttl 2 hours | ||
</pre> | |||
*TAG: acl | |||
<pre> | |||
# Recommended minimum configuration: | |||
acl manager proto cache_object | |||
acl localhost src 127.0.0.1/32 | |||
acl to_localhost dst 127.0.0.0/8 | |||
# acl <aclname> <acltype> <definition> | |||
# Members of the ADS group WWW | |||
acl ProxyUsers external NT_global_group WWW | |||
# Need to be authorized | |||
acl AuthorizedUsers proxy_auth REQUIRED | |||
# Domains accessible via our intranet | |||
acl local-servers dstdomain .intra .intranet | |||
# IP's accessible via our intranet | |||
acl local-network dst 10.0.0.0/8 | |||
# SNMP access | |||
acl snmppublic snmp_community public | |||
# Comment out, we don't want access for the whole localnet | |||
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network | |||
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | |||
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network | |||
# | |||
acl SSL_ports port 443 | |||
acl Safe_ports port 80 # http | |||
acl Safe_ports port 21 # ftp | |||
acl Safe_ports port 443 # https | |||
acl Safe_ports port 70 # gopher | |||
acl Safe_ports port 210 # wais | |||
acl Safe_ports port 1025-65535 # unregistered ports | |||
acl Safe_ports port 280 # http-mgmt | |||
acl Safe_ports port 488 # gss-http | |||
acl Safe_ports port 591 # filemaker | |||
acl Safe_ports port 777 # multiling http | |||
acl Safe_ports port 901 # SWAT | |||
acl purge method PURGE | |||
acl CONNECT method CONNECT | |||
</pre> | |||
*TAG: http_access | |||
<pre> | |||
# Recommended minimum configuration: | |||
# | |||
# Only allow cachemgr access from localhost | |||
http_access allow manager localhost | |||
http_access deny manager | |||
# Only allow purge requests from localhost | |||
http_access allow purge localhost | |||
http_access deny purge | |||
# Deny requests to unknown ports | |||
http_access deny !Safe_ports | |||
# Deny CONNECT to other than SSL ports | |||
http_access deny CONNECT !SSL_ports | |||
# Comment out, we don't want access for the whole localnet | |||
#http_access allow localnet | |||
# Allow the localhost to have access by default | |||
http_access allow localhost | |||
# Allow intranet access for unauthorized/all users | |||
http_access allow local-servers | |||
http_access allow local-network | |||
# Allow access for authorized users | |||
http_access allow AuthorizedUsers ProxyUsers | |||
# And finally deny all other access to this proxy | |||
http_access deny all | |||
</pre> | |||
*TAG: icp_access | |||
<pre> | |||
# Comment out since we don't have a localnet acl anymore | |||
#icp_access allow localnet | |||
icp_access deny all | |||
</pre> | |||
*TAG: htcp_access | |||
<pre> | |||
# Comment out since we don't have a localnet acl anymore | |||
#htcp_access allow localnet | |||
htcp_access deny all | |||
</pre> | |||
*TAG: http_port | |||
<pre> | |||
# Squid normally listens to port 3128 | |||
http_port 3128 | |||
</pre> | |||
*TAG: cache_peer | |||
<pre> | |||
# Optional: Tell our Squid to send everything to our content-filter/firewall gateway | |||
# Comment this out if you don't have another proxy infront of Squid | |||
cache_peer fw.yourdomain.local parent 8080 7 no-query no-delay default | |||
</pre> | |||
*TAG: hierarchy_stoplist | |||
<pre> | |||
hierarchy_stoplist cgi-bin ? | |||
</pre> | |||
*TAG: access_log | |||
<pre> | |||
access_log /var/log/squid/access.log squid | |||
</pre> | |||
*TAG: refresh_pattern | |||
<pre> | |||
# Suggested default: | |||
refresh_pattern ^ftp: 1440 20% 10080 | |||
refresh_pattern ^gopher: 1440 0% 1440 | |||
refresh_pattern (cgi-bin|\?) 0 0% 0 | |||
refresh_pattern . 0 20% 4320 | |||
</pre> | |||
*TAG: cache_mgr | |||
<pre> | |||
cache_mgr administrator@yourdomain.local | |||
</pre> | |||
*TAG: snmp_port | |||
<pre> | |||
# Make our Squid listen for SNMP queries on port 3401 | |||
snmp_port 3401 | |||
</pre> | |||
*TAG: snmp_access | |||
<pre> | |||
# Allow localhost to query our Squid and deny all others | |||
snmp_access allow snmppublic localhost | |||
snmp_access deny all | |||
</pre> | |||
*TAG: icp_port | |||
<pre> | |||
icp_port 3130 | |||
</pre> | |||
*TAG: error_directory | |||
<pre> | |||
# Localize our error messages | |||
error_directory /usr/share/squid/errors/German | |||
</pre> | |||
*TAG: always_direct | |||
<pre> | |||
# Optional: Only required when using a cache_peer | |||
# Tell Squid to bypass our cache_peer for our local servers and networks | |||
always_direct allow local-servers | |||
always_direct allow local-network | |||
</pre> | |||
*TAG: never_direct | |||
<pre> | |||
# Optional: Only required when using a cache_peer | |||
# Tell Squid to use our cache_peer for everything else | |||
never_direct allow all | |||
</pre> | |||
*TAG: forwarded_for | |||
<pre> | |||
forwarded_for off | |||
</pre> | |||
*TAG: coredump_dir | |||
<pre> | |||
# Leave coredumps in the first cache dir | |||
coredump_dir /var/cache/squid | |||
</pre> | </pre> | ||
}} | }} | ||
== Finalize == | == Finalize == | ||
{{ | {{Root|/etc/init.d/squid start}} | ||
{{Root|rc-update add squid default}} | |||
== Testing == | |||
{{Root|snmpwalk -Cc -v1 -c public -m /usr/share/squid/mib.txt localhost:3401 .1.3.6.1.4.1.3495}} | |||
== Issues & Fixes == | |||
=== cache.log: WARNING: All xx/xx ntlmauthenticator processes are busy === | |||
<pre> | |||
2013/05/23 07:47:01 kid1| WARNING: All 35/35 ntlmauthenticator processes are busy. | |||
2013/05/23 07:47:01 kid1| WARNING: 35 pending requests queued | |||
2013/05/23 07:47:01 kid1| WARNING: Consider increasing the number of ntlmauthenticator processes in your config file. | |||
</pre> | |||
Raise the children limit to a value which suits your needs. | |||
{{File|/etc/squid/squid.conf| | |||
TAG: auth_param | |||
<pre> | |||
auth_param ntlm children 100 startup=10 idle=5 | |||
</pre> | |||
}} | |||
=== cache.log: WARNING! Your cache is running out of filedescriptors === | |||
First you need to raise the allowed system limits, see [[File_descriptor|File descriptor]]. | |||
{{File|/etc/squid/squid.conf| | |||
TAG: max_filedescriptors | |||
<pre> | |||
max_filedesc 4096 | |||
</pre> | |||
}} | |||
{{Root|squidclient mgr:info}} | |||
<pre> | |||
File descriptor usage for squid: | |||
Maximum number of file descriptors: 4096 | |||
Largest file desc currently in use: 945 | |||
Number of file desc currently in use: 926 | |||
Files queued for open: 0 | |||
Available number of file descriptors: 3170 | |||
Reserved number of file descriptors: 100 | |||
Store Disk files open: 0 | |||
</pre> | |||
== Further Reading == | |||
* [[MRTG]] - Get nice graphs out of your SNMP data | |||
Latest revision as of 17:17, 23 May 2013
Description
Now that our Samba is connected to our Windows ADS we can start to authentificate our Squid users against Windows ADS Accounts and/or Groups.
In this setup we also have an additional caching firewall proxy content-filter (cache_peer) infront of our Squid machine.
We also enable SNMP queries which we can feed to MRTG to produce nice graphs later on.
Dependencies
USE-Flags
File: /etc/portage/package.use
net-proxy/squid kerberos samba snmp
Installation
# emerge squid
Allow squid to use samba winbind by changing group ownership of the winbindd_privileged directory to the group squid runs under.
# chown root:squid /var/cache/samba/winbindd_privileged
# chmod 750 /var/cache/samba/winbindd_privileged
Configuration
File: /etc/squid/squid.conf
TAG: external_acl_type
# check logged in users group membership using wbinfo from samba external_acl_type NT_global_group children-max=20 ttl=900 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl
- TAG: auth_param
# NTLM authentification (automatic authentification against AD) auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 20 startup=0 idle=1 auth_param ntlm keep_alive on # Basic authentification (manual user/password authentification against AD) auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param basic children 20 startup=5 idle=1 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours
- TAG: acl
# Recommended minimum configuration: acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 # acl <aclname> <acltype> <definition> # Members of the ADS group WWW acl ProxyUsers external NT_global_group WWW # Need to be authorized acl AuthorizedUsers proxy_auth REQUIRED # Domains accessible via our intranet acl local-servers dstdomain .intra .intranet # IP's accessible via our intranet acl local-network dst 10.0.0.0/8 # SNMP access acl snmppublic snmp_community public # Comment out, we don't want access for the whole localnet #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network #acl localnet src 192.168.0.0/16 # RFC1918 possible internal network # acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT
- TAG: http_access
# Recommended minimum configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Only allow purge requests from localhost http_access allow purge localhost http_access deny purge # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports # Comment out, we don't want access for the whole localnet #http_access allow localnet # Allow the localhost to have access by default http_access allow localhost # Allow intranet access for unauthorized/all users http_access allow local-servers http_access allow local-network # Allow access for authorized users http_access allow AuthorizedUsers ProxyUsers # And finally deny all other access to this proxy http_access deny all
- TAG: icp_access
# Comment out since we don't have a localnet acl anymore #icp_access allow localnet icp_access deny all
- TAG: htcp_access
# Comment out since we don't have a localnet acl anymore #htcp_access allow localnet htcp_access deny all
- TAG: http_port
# Squid normally listens to port 3128 http_port 3128
- TAG: cache_peer
# Optional: Tell our Squid to send everything to our content-filter/firewall gateway # Comment this out if you don't have another proxy infront of Squid cache_peer fw.yourdomain.local parent 8080 7 no-query no-delay default
- TAG: hierarchy_stoplist
hierarchy_stoplist cgi-bin ?
- TAG: access_log
access_log /var/log/squid/access.log squid
- TAG: refresh_pattern
# Suggested default: refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern (cgi-bin|\?) 0 0% 0 refresh_pattern . 0 20% 4320
- TAG: cache_mgr
cache_mgr administrator@yourdomain.local
- TAG: snmp_port
# Make our Squid listen for SNMP queries on port 3401 snmp_port 3401
- TAG: snmp_access
# Allow localhost to query our Squid and deny all others snmp_access allow snmppublic localhost snmp_access deny all
- TAG: icp_port
icp_port 3130
- TAG: error_directory
# Localize our error messages error_directory /usr/share/squid/errors/German
- TAG: always_direct
# Optional: Only required when using a cache_peer # Tell Squid to bypass our cache_peer for our local servers and networks always_direct allow local-servers always_direct allow local-network
- TAG: never_direct
# Optional: Only required when using a cache_peer # Tell Squid to use our cache_peer for everything else never_direct allow all
- TAG: forwarded_for
forwarded_for off
- TAG: coredump_dir
# Leave coredumps in the first cache dir coredump_dir /var/cache/squid
Finalize
# /etc/init.d/squid start
# rc-update add squid default
Testing
# snmpwalk -Cc -v1 -c public -m /usr/share/squid/mib.txt localhost:3401 .1.3.6.1.4.1.3495
Issues & Fixes
cache.log: WARNING: All xx/xx ntlmauthenticator processes are busy
2013/05/23 07:47:01 kid1| WARNING: All 35/35 ntlmauthenticator processes are busy. 2013/05/23 07:47:01 kid1| WARNING: 35 pending requests queued 2013/05/23 07:47:01 kid1| WARNING: Consider increasing the number of ntlmauthenticator processes in your config file.
Raise the children limit to a value which suits your needs.
File: /etc/squid/squid.conf
TAG: auth_param
auth_param ntlm children 100 startup=10 idle=5
cache.log: WARNING! Your cache is running out of filedescriptors
First you need to raise the allowed system limits, see File descriptor.
File: /etc/squid/squid.conf
TAG: max_filedescriptors
max_filedesc 4096
# squidclient mgr:info
File descriptor usage for squid:
Maximum number of file descriptors: 4096
Largest file desc currently in use: 945
Number of file desc currently in use: 926
Files queued for open: 0
Available number of file descriptors: 3170
Reserved number of file descriptors: 100
Store Disk files open: 0
Further Reading
- MRTG - Get nice graphs out of your SNMP data