Squid: Difference between revisions

Revision as of 13:03, 22 April 2008

Now that our Samba is connected to our Windows ADS we can start to authentificate our Squid users against Windows ADS Accounts and/or Groups.

# emerge squid

# chown root:squid /var/cache/samba/winbindd_privileged

# chmod 750 /var/cache/samba/winbindd_privileged

# /etc/init.d/squid start

# rc-update add squid default

@@ Line 31: / Line 31: @@
 *TAG: auth_param
 <pre>
-# The ACL helper queries our ADS via Samba
+# the acl helper queries our ADS via Samba
 external_acl_type NT_global_group children=10 ttl=900 %LOGIN /usr/libexec/squid/wbinfo_group.pl
+# ntlm authentification
 auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
 auth_param ntlm children 5
 auth_param ntlm keep_alive on
+# basic authentification
 auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
 auth_param basic children 5
 auth_param basic realm Squid proxy-caching web server
 auth_param basic credentialsttl 2 hours
+</pre>
+*TAG: acl
+<pre>
+# acl <aclname> <acltype> <definition>
+# members of the ADS group WWW
+acl ProxyUsers external NT_global_group WWW
+# need to be authorized
+acl AuthorizedUsers proxy_auth REQUIRED
+# domains accessible via our intranet
+acl local-servers dstdomain .intra .intranet
+# ip's accessible via our intranet
+acl local-network dst 10.0.0.0/8
+# snmp access
+acl snmppublic snmp_community public
+# comment out, we don't want access for the whole localnet
+#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
+#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
+#acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
+</pre>
+*TAG: http_access
+<pre>
+# comment out, we don't want access for the whole localnet
+#http_access allow localnet
 </pre>
 }}