Mailinglist Archive: opensuse-security (220 mails)

Re: Squid ldap auth
  • From: Markus Feilner <lists@xxxxxxxxxxxxxx>
  • Date: Wed, 5 Nov 2003 17:04:51 +0100
  • Message-id: <200311051323.31755.mfeilner@xxxxxxxxxxxxxx>
Hello Dzac, Hello List,
That's a question I was asked pretty often...
so I post it also to this list...
On Tuesday, 4 November 2003 18:45, Dzac wrote:
> Hello,
>
> I was wondering if you can send me your squid.conf file for the
> squid_ldap_auth configuration. I need it urgently to setup with the
> collaboration server here in my office.
>
> Your help is much appreciated.
>
> thanx,
>
> Dzac.
I must look for the config for ldap-auth only; we skipped ldap-auth,
because there was apparently no easy possibility for single-sign-on to
ADS.
This config is for:
squid doing auth against an ADS server and permitting access only to users
belonging to group www_users in ADS who have successfully auth-ed.
Furthermore it runs in two instances (sorry - correct English?) and uses
dansguardian for content filtering and sarg for logfile analysis via
webmin.
I would appreciate any constructive feedback which helps to make it more
secure!
prerequisites (which work in my case ;-) may not be up to date)
SuSE 8.1 + all possible development tools ;-) - don't forget to
deinstall them afterwards!
squid-2.5-stable 1,2,3 - all work, don't know about beta 3.0 -
[self-compiled, because of a lack of an rpm with appropriate support for
the needed auth modules.]
samba > 2.2.7 - prefer 2.2.8 or newer, it's safer! You need winbind!
dansguardian 2.6.1-3

---------------squid.conf------------------------------
logfile_rotate 7
hierarchy_stoplist cgi-bin ?
#X.X.X.X. must be ip of your box!
http_port X.X.X.X:8080
http_port 127.0.0.1:3128
cache_peer 127.0.0.1 parent 8081 0 no-query no-digest no-netdb-exchange default
visible_hostname XXXXX
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

http_access allow localhost
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
auth_param ntlm program /usr/sbin/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

acl masosoft url_regex -i "/etc/squid/badlist"
http_access deny CONNECT !SSL_ports
acl erlaubt url_regex -i "/etc/squid/goodlist"
http_access deny masosoft
acl unwanted_files urlpath_regex -i \.eml$ \.exe$ \.vbs$ \.vb$

# Auth with perl skript wbinfo_group.pl
acl test proxy_auth REQUIRED
external_acl_type wb_group %LOGIN /usr/sbin/wbinfo_group.pl
acl aclname external wb_group WWW_USERS

http_access allow erlaubt
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
# the acl is defined above as unwanted_files
http_access deny unwanted_files
http_access deny CONNECT !SSL_ports
http_access allow aclname
http_access deny all

http_reply_access allow all
icp_access allow all
coredump_dir /var/squid/cache

#error_directory /usr/local/squid/share/errors/German

cache_mgr squid
cache_effective_user squid
cache_effective_group users

--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
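The posted squid.conf has the kind of slip that is easy to make by hand: one http_access line names an ACL that was defined under a different name, and squid refuses to start on an undefined ACL. Markus also asks for feedback on making the config more secure, and the most common http_access mistakes are ordering mistakes (a rule shadowed by an earlier catch-all, or a last rule that is not a catch-all, in which case squid's implicit default is the opposite of that last rule). The following checker is an added example, not code from the mail or from the squid project; it parses only `acl`, `external_acl_type` and `http_access` lines and runs over a constructed, shortened copy of the posted config that keeps the undefined-ACL slip.

```python
"""Lint a squid.conf for ACL references squid would reject and for http_access ordering slips.

Added example (not from the posted mail or the squid project): it checks for
undefined ACL names, external ACLs whose external_acl_type is not declared first,
rules shadowed by an earlier catch-all, and a last rule that is not a catch-all.
"""

# Constructed sample: trimmed from the posted squid.conf.  It keeps the posted
# slip where the deny rule names 'unerwünschte_dateien' although the acl was
# defined as 'unwanted_files'.
SAMPLE_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl CONNECT method CONNECT
acl unwanted_files urlpath_regex -i \\.eml$ \\.exe$ \\.vbs$
external_acl_type wb_group %LOGIN /usr/sbin/wbinfo_group.pl
acl aclname external wb_group WWW_USERS
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny unerwünschte_dateien
http_access deny CONNECT !SSL_ports
http_access allow aclname
http_access deny all
"""


def logical_lines(text):
    """Yield (first_lineno, line) with comments stripped and trailing-backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line:
            yield start, line


def parse_conf(text):
    """Return (acls, rules, findings): acls maps name -> type, rules is [(lineno, action, [names])]."""
    acls, ext_types, rules, findings = {}, set(), [], []
    for n, line in logical_lines(text):
        parts = line.split()
        kw = parts[0]
        if kw == "external_acl_type" and len(parts) >= 2:
            ext_types.add(parts[1])
        elif kw == "acl" and len(parts) >= 3:
            name, typ = parts[1], parts[2]
            # repeating an acl with the same type appends values; a different type is an error
            if name in acls and acls[name] != typ:
                findings.append(f"line {n}: acl '{name}' redefined as {typ}, was {acls[name]}")
            acls.setdefault(name, typ)
            # the external_acl_type must be declared before an acl refers to it
            if typ == "external" and (len(parts) < 4 or parts[3] not in ext_types):
                findings.append(f"line {n}: acl '{name}' uses undeclared external_acl_type")
        elif kw == "http_access" and len(parts) >= 3 and parts[1] in ("allow", "deny"):
            rules.append((n, parts[1], parts[2:]))
    return acls, rules, findings


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    acls, rules, findings = parse_conf(text)
    catch_all = None  # lineno of the first rule whose only acl is 'all' (src 0.0.0.0/0.0.0.0 by convention)
    for n, action, names in rules:
        for name in names:
            bare = name.lstrip("!")
            if bare not in acls:
                findings.append(f"line {n}: http_access references undefined acl '{bare}'")
        if catch_all is not None:
            findings.append(f"line {n}: unreachable, line {catch_all} already matches every request")
        elif names == ["all"]:
            catch_all = n
    # When no rule matches, squid applies the opposite of the last rule, so a config
    # whose last line is a specific deny silently allows everything unmatched.
    if rules and rules[-1][2] != ["all"]:
        n, action, _ = rules[-1]
        default = {"deny": "allowed", "allow": "denied"}[action]
        findings.append(f"line {n}: last http_access is not a catch-all; unmatched requests are implicitly {default}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Running it on the sample reports the undefined `unerwünschte_dateien` on the deny line and nothing else, since the sample ends in `deny all` the way the posted config does; renaming that reference to `unwanted_files` yields a clean run. Point it at a real file with `lint(open("/etc/squid/squid.conf").read())` before restarting squid, which catches this class of typo without a failed restart.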

