Hello Dzac, hello list,

That's a question I get asked pretty often... so I am posting it to this list as well...

On Tuesday, 4 November 2003 18:45, Dzac wrote:
> Hello,
> I was wondering if you can send me your squid.conf file for the squid_ldap_auth configuration. I need it urgently to set up with the collaboration server here in my office.
> Your help is much appreciated.
> thanx,
> Dzac.

I would have to look for the config only for ldap-auth; we skipped ldap-auth, because there was apparently no easy possibility for single sign-on to ADS.

This config is for: squid doing auth against an ADS server and permitting access only to users belonging to the group www_users in ADS who have successfully authenticated. Furthermore it runs in two instances (sorry - correct English?) and uses dansguardian for content filtering and sarg for logfile analysis via webmin. I would appreciate any constructive feedback which helps to make it more secure!

Prerequisites (which work in my case ;-) may be not up to date):
- suse 8.1 + all possible development tools ;-) - don't forget to deinstall them afterwards!
- squid-2.5-stable 1,2,3 - all work, don't know about beta 3.0 - [self-compiled, because of a lack of an rpm with appropriate support for the needed auth modules.]
- samba > 2.2.7 - prefer 2.2.8 or newer, it's safer! You need winbind!
- dansguardian 2.6.1-3
---------------squid.conf------------------------------
logfile_rotate 7
hierarchy_stoplist cgi-bin ?

# X.X.X.X must be the ip of your box!
http_port X.X.X.X:8080
http_port 127.0.0.1:3128
# dansguardian on 127.0.0.1:8081 is the parent for the first instance
cache_peer 127.0.0.1 parent 8081 0 no-query no-digest no-netdb-exchange default
visible_hostname XXXXX

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# NTLM auth against ADS via winbind
auth_param ntlm program /usr/sbin/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

# URL lists: badlist is denied before goodlist is allowed
acl masosoft url_regex -i "/etc/squid/badlist"
acl erlaubt url_regex -i "/etc/squid/goodlist"
acl unwanted_files urlpath_regex -i \.eml$ \.exe$ \.vbs$ \.vb$

# Group check with the perl script wbinfo_group.pl: %LOGIN is the
# authenticated user, WWW_USERS the ADS group that is allowed through.
# (acl test is defined but not referenced by any http_access line.)
acl test proxy_auth REQUIRED
external_acl_type wb_group %LOGIN /usr/sbin/wbinfo_group.pl
acl aclname external wb_group WWW_USERS

# http_access is first-match, so the order matters
http_access allow localhost
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny masosoft
http_access allow erlaubt
http_access deny unwanted_files
http_access allow aclname
http_access deny all

http_reply_access allow all
icp_access allow all
coredump_dir /var/squid/cache
#error_directory /usr/local/squid/share/errors/German
cache_mgr squid
cache_effective_user squid
cache_effective_group users

--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminare und Workshops - auch Inhouse
Feilner IT Linux & GIS
Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23 - mobil: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner@feilner-it.net
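The group check in the config above is done by an external ACL helper, and the part that decides whether a user gets through is the helper's contract with Squid: one request line in, one "OK" or "ERR" line out. As an added example that is not part of the original post and not the wbinfo_group.pl that ships with Squid, here is that contract in Python, with the group lookup isolated so it can be exercised offline. The winbind path (`winbind_lookup`) assumes the wbinfo flags named in its docstring and is not run offline; `CONSTRUCTED_GROUPS`, `constructed_lookup` and `demo` are made-up data for the example, not a real domain.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: is <login> a member of one of the listed groups?

Protocol (Squid 2.5 external_acl_type): Squid writes one request per line to
the helper's stdin, built from the format string plus the acl's arguments.
With
    external_acl_type wb_group %LOGIN /path/to/this/helper.py
    acl aclname external wb_group WWW_USERS
a request line looks like "EXAMPLE\\jdoe WWW_USERS". The helper answers with
exactly one line per request, "OK" (member) or "ERR" (not a member, or any
failure), and must flush after every line or Squid waits for the answer.
"""
import subprocess
import sys
from typing import Callable, FrozenSet, List

# A lookup maps a login name to the set of group names the user belongs to.
GroupLookup = Callable[[str], FrozenSet[str]]


def _wbinfo(*args: str) -> str:
    """Run Samba's wbinfo; raise on missing binary, timeout or non-zero exit."""
    return subprocess.run(("wbinfo",) + args, capture_output=True, text=True,
                          timeout=10, check=True).stdout


def winbind_lookup(user: str) -> FrozenSet[str]:
    """Production lookup through winbind (not exercised offline).

    Assumed wbinfo behaviour: `wbinfo -r USER` prints the user's unix gids
    one per line, `wbinfo -G GID` prints that group's SID, and `wbinfo -s SID`
    prints "DOMAIN\\name type". Check `wbinfo --help` on the installed Samba;
    the flags have changed between releases.
    """
    names = set()
    for gid in _wbinfo("-r", user).split():
        sid = _wbinfo("-G", gid).strip()
        qualified = _wbinfo("-s", sid).strip().rsplit(" ", 1)[0]  # drop type
        names.add(qualified.split("\\", 1)[-1])                   # drop DOMAIN\
    return frozenset(names)


def check_request(line: str, lookup: GroupLookup) -> str:
    """Evaluate one request line and return the answer Squid expects."""
    fields = line.split()
    if len(fields) < 2:          # no login or no group argument: fail closed
        return "ERR"
    user, wanted = fields[0], fields[1:]
    try:
        member_of = {g.casefold() for g in lookup(user)}
    except Exception:            # winbind down, timeout, unknown user: fail closed
        return "ERR"
    # Windows group names are case-insensitive, so compare folded.
    return "OK" if any(g.casefold() in member_of for g in wanted) else "ERR"


def serve(lookup: GroupLookup, stdin=sys.stdin, stdout=sys.stdout) -> int:
    """Helper main loop; returns the number of requests answered."""
    answered = 0
    for line in stdin:
        stdout.write(check_request(line, lookup) + "\n")
        stdout.flush()           # Squid reads line by line; never buffer answers
        answered += 1
    return answered


# Constructed directory data for an offline run; nothing here is a real domain.
CONSTRUCTED_GROUPS = {
    "EXAMPLE\\alice": frozenset({"Domain Users", "WWW_USERS"}),
    "EXAMPLE\\bob": frozenset({"Domain Users"}),
}


def constructed_lookup(user: str) -> FrozenSet[str]:
    """Stand-in for winbind_lookup; raises for unknown users, as wbinfo fails."""
    return CONSTRUCTED_GROUPS[user]


def demo() -> List[str]:
    """Run a few constructed requests through check_request."""
    requests = [
        "EXAMPLE\\alice WWW_USERS",     # member -> OK
        "EXAMPLE\\alice www_users",     # same group, different case -> OK
        "EXAMPLE\\bob WWW_USERS",       # authenticated but not in the group -> ERR
        "EXAMPLE\\mallory WWW_USERS",   # unknown to the directory -> ERR
        "EXAMPLE\\alice",               # acl line without a group argument -> ERR
    ]
    return [check_request(r, constructed_lookup) for r in requests]


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        print(demo())
    else:
        serve(winbind_lookup)
```

`python3 helper.py --demo` runs the constructed requests; under Squid the script would be referenced from `external_acl_type wb_group %LOGIN /path/to/helper.py` in place of wbinfo_group.pl and must be executable by the cache_effective_user. Every failure path (malformed request, winbind unreachable, unknown user) answers ERR, so an outage of winbind denies access instead of granting it.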