Squid: Difference between revisions

From Q
Jump to navigation Jump to search
← Older edit
Tgurr (talk | contribs)
1,619 edits
Tgurr (talk | contribs)
1,619 edits
No edit summary
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Description ==
== Description ==
Now that our Samba is connected to our Windows ADS we can start to authentificate our Squid users against Windows ADS Accounts and/or Groups.
Now that our [[Samba]] is connected to our Windows ADS we can start to authentificate our [[Squid]] users against Windows ADS Accounts and/or Groups.
 
In this setup we also have an additional caching firewall proxy content-filter (cache_peer) infront of our [[Squid]] machine.
 
We also enable [[Net-SNMP|SNMP]] queries which we can feed to [[MRTG]] to produce nice graphs later on.


== Dependencies ==
== Dependencies ==
Line 7: Line 11:


== USE-Flags ==
== USE-Flags ==
{{Box File|/etc/portage/package.use|
{{File|/etc/portage/package.use|
<pre>
<pre>
net-proxy/squid samba snmp
net-proxy/squid kerberos samba snmp
</pre>
</pre>
}}
}}


== Packages ==
== Installation ==
{{Box Code|emerge samba -pv|
{{Root|emerge squid}}
<pre>
[ebuild  N    ] net-proxy/squid-3.0.4-r1  USE="pam samba snmp ssl -icap-client (-ipf-transparent) -ldap -logrotate -nis (-pf-transparent) -radius -sasl (-selinux)" 2,361 kB
</pre>
}}


== Installation ==
Allow squid to use samba winbind by changing group ownership of the winbindd_privileged directory to the group squid runs under.
{{Codeline|# emerge squid}}


{{Codeline|# chown root:squid /var/cache/samba/winbindd_privileged}}
{{Root|chown root:squid /var/cache/samba/winbindd_privileged}}


{{Codeline|# chmod 750 /var/cache/samba/winbindd_privileged}}
{{Root|chmod 750 /var/cache/samba/winbindd_privileged}}


== Configuration ==
== Configuration ==
{{Box File|/etc/squid/squid.conf|
{{File|/etc/squid/squid.conf|
TAG: external_acl_type
<pre>
# check logged in users group membership using wbinfo from samba
external_acl_type NT_global_group children-max=20 ttl=900 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl
</pre>
*TAG: auth_param
*TAG: auth_param
<pre>
<pre>
# The acl helper queries our ADS via Samba
# NTLM authentification (automatic authentification against AD)
external_acl_type NT_global_group children=10 ttl=900 %LOGIN /usr/libexec/squid/wbinfo_group.pl
# NTLM authentification
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm children 20 startup=0 idle=1
auth_param ntlm keep_alive on
auth_param ntlm keep_alive on
# Basic authentification
# Basic authentification (manual user/password authentification against AD)
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic children 20 startup=5 idle=1
auth_param basic realm Squid proxy-caching web server
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic credentialsttl 2 hours
Line 198: Line 200:


== Finalize ==
== Finalize ==
{{Codeline|# /etc/init.d/squid start}}
{{Root|/etc/init.d/squid start}}
 
{{Root|rc-update add squid default}}
 
== Testing ==
{{Root|snmpwalk -Cc -v1 -c public -m /usr/share/squid/mib.txt localhost:3401 .1.3.6.1.4.1.3495}}
 
== Issues & Fixes ==
 
=== cache.log: WARNING: All xx/xx ntlmauthenticator processes are busy ===
<pre>
2013/05/23 07:47:01 kid1| WARNING: All 35/35 ntlmauthenticator processes are busy.
2013/05/23 07:47:01 kid1| WARNING: 35 pending requests queued
2013/05/23 07:47:01 kid1| WARNING: Consider increasing the number of ntlmauthenticator processes in your config file.
</pre>
Raise the children limit to a value which suits your needs.
{{File|/etc/squid/squid.conf|
TAG: auth_param
<pre>
auth_param ntlm children 100 startup=10 idle=5
</pre>
}}
 
=== cache.log: WARNING! Your cache is running out of filedescriptors ===
First you need to raise the allowed system limits, see [[File_descriptor|File descriptor]].
 
{{File|/etc/squid/squid.conf|
TAG: max_filedescriptors
<pre>
max_filedesc 4096
</pre>
}}
 
{{Root|squidclient mgr:info}}
 
<pre>
File descriptor usage for squid:
        Maximum number of file descriptors:  4096
        Largest file desc currently in use:    945
        Number of file desc currently in use:  926
        Files queued for open:                  0
        Available number of file descriptors: 3170
        Reserved number of file descriptors:  100
        Store Disk files open:                  0
</pre>


{{Codeline|# rc-update add squid default}}
== Further Reading ==
* [[MRTG]] - Get nice graphs out of your SNMP data

Latest revision as of 17:17, 23 May 2013

Description

Now that our Samba is connected to our Windows ADS we can start to authentificate our Squid users against Windows ADS Accounts and/or Groups.

In this setup we also have an additional caching firewall proxy content-filter (cache_peer) infront of our Squid machine.

We also enable SNMP queries which we can feed to MRTG to produce nice graphs later on.

Dependencies

USE-Flags

File: /etc/portage/package.use
net-proxy/squid kerberos samba snmp

Installation

# emerge squid

Allow squid to use samba winbind by changing group ownership of the winbindd_privileged directory to the group squid runs under.

# chown root:squid /var/cache/samba/winbindd_privileged
# chmod 750 /var/cache/samba/winbindd_privileged

Configuration

File: /etc/squid/squid.conf

TAG: external_acl_type 

# check logged in users group membership using wbinfo from samba
external_acl_type NT_global_group children-max=20 ttl=900 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl
  • TAG: auth_param
# NTLM authentification (automatic authentification against AD)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=0 idle=1
auth_param ntlm keep_alive on
# Basic authentification (manual user/password authentification against AD)
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20 startup=5 idle=1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
  • TAG: acl
# Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# acl <aclname> <acltype> <definition>
# Members of the ADS group WWW
acl ProxyUsers external NT_global_group WWW
# Need to be authorized
acl AuthorizedUsers proxy_auth REQUIRED
# Domains accessible via our intranet
acl local-servers dstdomain .intra .intranet
# IP's accessible via our intranet
acl local-network dst 10.0.0.0/8
# SNMP access
acl snmppublic snmp_community public

# Comment out, we don't want access for the whole localnet
#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
#
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
  • TAG: http_access
# Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Comment out, we don't want access for the whole localnet
#http_access allow localnet

# Allow the localhost to have access by default
http_access allow localhost
# Allow intranet access for unauthorized/all users
http_access allow local-servers
http_access allow local-network
# Allow access for authorized users
http_access allow AuthorizedUsers ProxyUsers

# And finally deny all other access to this proxy
http_access deny all
  • TAG: icp_access
# Comment out since we don't have a localnet acl anymore
#icp_access allow localnet
icp_access deny all
  • TAG: htcp_access
# Comment out since we don't have a localnet acl anymore
#htcp_access allow localnet
htcp_access deny all
  • TAG: http_port
# Squid normally listens to port 3128
http_port 3128
  • TAG: cache_peer
# Optional: Tell our Squid to send everything to our content-filter/firewall gateway
# Comment this out if you don't have another proxy infront of Squid
cache_peer fw.yourdomain.local parent 8080 7 no-query no-delay default
  • TAG: hierarchy_stoplist
hierarchy_stoplist cgi-bin ?
  • TAG: access_log
access_log /var/log/squid/access.log squid
  • TAG: refresh_pattern
# Suggested default:
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
  • TAG: cache_mgr
cache_mgr administrator@yourdomain.local
  • TAG: snmp_port
# Make our Squid listen for SNMP queries on port 3401
snmp_port 3401
  • TAG: snmp_access
# Allow localhost to query our Squid and deny all others
snmp_access allow snmppublic localhost
snmp_access deny all
  • TAG: icp_port
icp_port 3130
  • TAG: error_directory
# Localize our error messages
error_directory /usr/share/squid/errors/German
  • TAG: always_direct
# Optional: Only required when using a cache_peer
# Tell Squid to bypass our cache_peer for our local servers and networks
always_direct allow local-servers
always_direct allow local-network
  • TAG: never_direct
# Optional: Only required when using a cache_peer
# Tell Squid to use our cache_peer for everything else
never_direct allow all
  • TAG: forwarded_for
forwarded_for off
  • TAG: coredump_dir
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

Finalize

# /etc/init.d/squid start
# rc-update add squid default

Testing

# snmpwalk -Cc -v1 -c public -m /usr/share/squid/mib.txt localhost:3401 .1.3.6.1.4.1.3495

Issues & Fixes

cache.log: WARNING: All xx/xx ntlmauthenticator processes are busy

2013/05/23 07:47:01 kid1| WARNING: All 35/35 ntlmauthenticator processes are busy.
2013/05/23 07:47:01 kid1| WARNING: 35 pending requests queued
2013/05/23 07:47:01 kid1| WARNING: Consider increasing the number of ntlmauthenticator processes in your config file.

Raise the children limit to a value which suits your needs.

File: /etc/squid/squid.conf

TAG: auth_param 

auth_param ntlm children 100 startup=10 idle=5

cache.log: WARNING! Your cache is running out of filedescriptors

First you need to raise the allowed system limits, see File descriptor.

File: /etc/squid/squid.conf

TAG: max_filedescriptors 

max_filedesc 4096
# squidclient mgr:info
File descriptor usage for squid:
        Maximum number of file descriptors:   4096
        Largest file desc currently in use:    945
        Number of file desc currently in use:  926
        Files queued for open:                   0
        Available number of file descriptors: 3170
        Reserved number of file descriptors:   100
        Store Disk files open:                   0

Further Reading

  • MRTG - Get nice graphs out of your SNMP data
Retrieved from "https://q-old.deltaquadrant.org/index.php?title=Squid&oldid=3658"