Squid: Difference between revisions
| Line 31: | Line 31: | ||
*TAG: auth_param | *TAG: auth_param | ||
<pre> | <pre> | ||
# | # The acl helper queries our ADS via Samba | ||
external_acl_type NT_global_group children=10 ttl=900 %LOGIN /usr/libexec/squid/wbinfo_group.pl | external_acl_type NT_global_group children=10 ttl=900 %LOGIN /usr/libexec/squid/wbinfo_group.pl | ||
# | # NTLM authentification | ||
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp | auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp | ||
auth_param ntlm children 5 | auth_param ntlm children 5 | ||
auth_param ntlm keep_alive on | auth_param ntlm keep_alive on | ||
# | # Basic authentification | ||
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic | auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic | ||
auth_param basic children 5 | auth_param basic children 5 | ||
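Review bot: The added comments on the ntlm and basic program lines misspell the term; `# NTLM authentication` and `# Basic authentication` would read correctly. It is also worth saying next to the basic helper why it exists, since Basic sends the domain credentials base64-encoded, i.e. effectively in the clear, on every request: something like `# Basic fallback for clients without NTLM support - credentials travel unencrypted to the proxy`. The auth_param section continues outside this hunk.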
| Line 45: | Line 45: | ||
*TAG: acl | *TAG: acl | ||
<pre> | <pre> | ||
#Recommended minimum configuration: | # Recommended minimum configuration: | ||
acl manager proto cache_object | acl manager proto cache_object | ||
acl localhost src 127.0.0.1/32 | acl localhost src 127.0.0.1/32 | ||
acl to_localhost dst 127.0.0.0/8 | acl to_localhost dst 127.0.0.0/8 | ||
# acl <aclname> <acltype> <definition> | # acl <aclname> <acltype> <definition> | ||
# | # Members of the ADS group WWW | ||
acl ProxyUsers external NT_global_group WWW | acl ProxyUsers external NT_global_group WWW | ||
# | # Need to be authorized | ||
acl AuthorizedUsers proxy_auth REQUIRED | acl AuthorizedUsers proxy_auth REQUIRED | ||
# | # Domains accessible via our intranet | ||
acl local-servers dstdomain .intra .intranet | acl local-servers dstdomain .intra .intranet | ||
# | # IP's accessible via our intranet | ||
acl local-network dst 10.0.0.0/8 | acl local-network dst 10.0.0.0/8 | ||
# | # SNMP access | ||
acl snmppublic snmp_community public | acl snmppublic snmp_community public | ||
# | # Comment out, we don't want access for the whole localnet | ||
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network | #acl localnet src 10.0.0.0/8 # RFC1918 possible internal network | ||
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | #acl localnet src 172.16.0.0/12 # RFC1918 possible internal network | ||
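Review bot: The snmp_community ACL is defined with the well-known default string `public`, and the new comment `# SNMP access` does not say that this only stays harmless because the later snmp_access rule limits it to localhost. A site-specific community string, or a comment stating that dependency, would keep the two directives from drifting apart, e.g. `# SNMP access - community string; keep snmp_access restricted to localhost`. The comment on the dst ACL would also read better as `# IPs accessible via our intranet`. The acl section continues past the end of the hunk.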
| Line 83: | Line 83: | ||
*TAG: http_access | *TAG: http_access | ||
<pre> | <pre> | ||
#Recommended minimum configuration: | # Recommended minimum configuration: | ||
# | # | ||
# Only allow cachemgr access from localhost | # Only allow cachemgr access from localhost | ||
| Line 96: | Line 96: | ||
http_access deny CONNECT !SSL_ports | http_access deny CONNECT !SSL_ports | ||
# | # Comment out, we don't want access for the whole localnet | ||
#http_access allow localnet | #http_access allow localnet | ||
# Allow the localhost to have access by default | # Allow the localhost to have access by default | ||
http_access allow localhost | http_access allow localhost | ||
# | # Allow intranet access for unauthorized/all users | ||
http_access allow local-servers | http_access allow local-servers | ||
http_access allow local-network | http_access allow local-network | ||
# | # Allow access for authorized users | ||
http_access allow AuthorizedUsers ProxyUsers | http_access allow AuthorizedUsers ProxyUsers | ||
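Review bot: `http_access allow local-servers` and `http_access allow local-network` match only on the destination and are evaluated before the authenticated rule, so any client able to reach the proxy can use it to reach every host in 10.0.0.0/8 and under .intra/.intranet without credentials. The new comment says this is intended for all users, but the implicit trust assumption is that the proxy port itself is only reachable from trusted clients; either state that in the comment, e.g. `# Allow intranet access without authentication - proxy port must only be reachable from trusted clients`, or pair the two rules with a src ACL. The rest of the http_access list, including any final deny, is outside this hunk.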
| Line 112: | Line 112: | ||
*TAG: icp_access | *TAG: icp_access | ||
<pre> | <pre> | ||
# | # Comment out since we don't have a localnet acl anymore | ||
#icp_access allow localnet | #icp_access allow localnet | ||
icp_access deny all | icp_access deny all | ||
| Line 118: | Line 118: | ||
*TAG: htcp_access | *TAG: htcp_access | ||
<pre> | <pre> | ||
# | # Comment out since we don't have a localnet acl anymore | ||
#htcp_access allow localnet | #htcp_access allow localnet | ||
htcp_access deny all | htcp_access deny all | ||
| Line 129: | Line 129: | ||
*TAG: cache_peer | *TAG: cache_peer | ||
<pre> | <pre> | ||
# | # Optional: tell our squid to send everything to our content-filter/firewall gateway | ||
# | # Comment this out if you don't have another proxy infront of Squid | ||
cache_peer fw.yourdomain.local parent 8080 7 no-query no-delay default | cache_peer fw.yourdomain.local parent 8080 7 no-query no-delay default | ||
</pre> | </pre> | ||
| Line 143: | Line 143: | ||
*TAG: refresh_pattern | *TAG: refresh_pattern | ||
<pre> | <pre> | ||
#Suggested default: | # Suggested default: | ||
refresh_pattern ^ftp: 1440 20% 10080 | refresh_pattern ^ftp: 1440 20% 10080 | ||
refresh_pattern ^gopher: 1440 0% 1440 | refresh_pattern ^gopher: 1440 0% 1440 | ||
| Line 155: | Line 155: | ||
*TAG: snmp_port | *TAG: snmp_port | ||
<pre> | <pre> | ||
# | # Make our Squid listen for SNMP queries on port 3401 | ||
snmp_port 3401 | snmp_port 3401 | ||
</pre> | </pre> | ||
*TAG: snmp_access | *TAG: snmp_access | ||
<pre> | <pre> | ||
# | # Allow localhost to query our Squid and deny all others | ||
snmp_access allow snmppublic localhost | snmp_access allow snmppublic localhost | ||
snmp_access deny all | snmp_access deny all | ||
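Review bot: `snmp_port 3401` opens the SNMP listener on all interfaces, and only the snmp_access rule keeps it to localhost; since the comment says only localhost should query it, binding the listener to loopback with `snmp_incoming_address 127.0.0.1` would remove the exposure at the socket level rather than relying on the ACL alone. The community string used here is the default `public`, which is acceptable for a loopback-only listener but should be changed if remote monitoring is ever allowed.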
| Line 170: | Line 170: | ||
*TAG: error_directory | *TAG: error_directory | ||
<pre> | <pre> | ||
# | # Localize our error messages | ||
error_directory /usr/share/squid/errors/German | error_directory /usr/share/squid/errors/German | ||
</pre> | </pre> | ||
*TAG: always_direct | *TAG: always_direct | ||
<pre> | <pre> | ||
# | # Tell Squid to bypass our cache_peer for our local servers and networks | ||
always_direct allow local-servers | always_direct allow local-servers | ||
always_direct allow local-network | always_direct allow local-network | ||
| Line 181: | Line 181: | ||
*TAG: never_direct | *TAG: never_direct | ||
<pre> | <pre> | ||
# | # Tell Squid to use our cache_peer for everything else | ||
never_direct allow all | never_direct allow all | ||
</pre> | </pre> | ||
Revision as of 14:44, 22 April 2008
Description
Now that our Samba is connected to our Windows ADS, we can start to authenticate our Squid users against Windows ADS accounts and/or groups.
Dependencies
USE-Flags
Packages
Installation
# emerge squid
# chown root:squid /var/cache/samba/winbindd_privileged
# chmod 750 /var/cache/samba/winbindd_privileged
Configuration
Finalize
# /etc/init.d/squid start
# rc-update add squid default