Re: [squid-users] NTLM authentication, but not for everyone

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 17 Jul 2008 23:10:08 +1200

Rich West wrote:
> We have a rather disjointed network, primarily due to the way the
> company works. As a result, not every one of our users is currently
> logged in to the Windows domain.
>
> However, we have squid acting as a proxy for everyone's web browsing
> (wpad & etc), and our users don't know the difference. We would like to
> increase the functionality of squid by preventing certain users from
> accessing the web (via the proxy) while allowing everyone else to get
> through. Again, not everyone is logged in to the domain.
>
> My goal is to add NTLM authentication to make it transparent to the end
> user and, essentially, avoid the windows pop-up. The less the users are
> aware of the proxy, the better. :)
>
> I added NTLM authentication (via winbind back to AD), and that works
> great. I can see the user names populated in the output. However, I
> cannot seem to get it to allow traffic through for those users that the
> NTLM authentication fails on.
>
> In other words, I have:
> ---squid.conf snippet---
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Web Proxy Server
> auth_param basic credentialsttl 24 hours
> ...
> acl all src 0.0.0.0/0.0.0.0
> ...
> # This to never cache
> no_cache deny QUERY

This is a rather old and obsolete hack to prevent bad dynamic pages
(only!) being stored. The proper way to do this is to actually use
refresh_patterns.

  - killing the QUERY acl and the bits that use it.
  - adding "refresh_pattern (/cgi-bin/|\?) 0 0% 0" as the final pattern
before the '.' pattern.

>
> # We don't want to proxy FTP.
> acl FTP proto FTP
> always_direct allow FTP

Um, this reads wrong. The fact an FTP request got here means it's already
being proxied. This config just makes squid proxy the request itself
instead of passing it to a peer closer to the ftp server.

To prevent FTP being proxied, change the clients' browser config to not
ask the proxy for FTP data.

>
> ##
> # Allow WindowsUpdate to work.
> ##
> acl update-micro-dom dstdomain .microsoft.com
> acl update-micro-dom dstdomain .windowsupdate.com
> #

Thanks to M$ and all their variant ways of doing it, there is a longer
list now...

watson.microsoft.com
www.msftncsi.com
windowsupdate.microsoft.com
.update.microsoft.com
download.windowsupdate.com
www.download.windowsupdate.com
redir.metaservices.microsoft.com
images.metaservices.microsoft.com
c.microsoft.com
wustat.windows.com
crl.microsoft.com

> http_access allow update-micro-dom
>
> acl NoAccess proxy_auth baduser
> #
> acl AD_Users proxy_auth REQUIRED
> http_access deny NoAccess
> http_access allow AD_Users
>
> http_access allow localhost
> http_access allow all
>
> # And finally deny all other access to this proxy (catch all)

... only it won't catch anything because the 'allow all' directly above
it is the real catch-all.

> http_access deny all
> ---squid.conf snippet---
>
> Once I put the above in place (specifically the proxy_auth lines), the
> logs show hits for those users logged in to the domain (good), but then
> shows a whole mess of denied messages for users not part of the domain
> (bad). It is as if it is ignoring the allow "all" line, and I have the
> feeling I am missing something simple. But of course, I cannot help but
> ask if this is even possible?

http_access are tested in sequence. The AD_Users ACL forces
authentication details to exist in the request or it blocks with an
'unauthorized' denial message (as you saw).

What you need to do is locate some way to identify the people who are
NOT able to authenticate and should be allowed out. Place the ACL
identifying them above the AD_Users test.

The big issue you need to look at is: WHY do you have and allow
non-authenticated strangers in your network? WHY are they allowed access
to your bandwidth?

The simplest way around this is to set up basic authentication as a
backup to NTLM (configured after the NTLM auth config), and give those
people a special type of user/pass for internet access.

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
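
A squid.conf fragment that puts the reply's points together (NTLM with Basic as the fallback, the refresh_pattern replacing the QUERY hack, the longer Windows Update list, and an exemption for the hosts that cannot authenticate placed above every proxy_auth test). This is an added example, not config from the thread; the NoDomain ACL and its 10.20.0.0/16 range are an assumption standing in for whatever actually identifies the non-domain machines on the network in question.

```conf
# Added example (Squid 2.7-era syntax), not from the original thread.

# Auth schemes are offered to the browser in the order configured here:
# NTLM first (negotiated silently by domain-joined browsers), Basic second
# as the fallback for everyone who cannot do NTLM.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Web Proxy Server
auth_param basic credentialsttl 24 hours

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255

# Replaces "acl QUERY ..." plus "no_cache deny QUERY": dynamic URLs are
# simply never considered fresh. Site-specific patterns go above this
# line; it stays the last pattern before the catch-all '.' pattern.
refresh_pattern (/cgi-bin/|\?)  0       0%      0
refresh_pattern .               0       20%     4320

# Windows Update. The wildcard domains already cover the reply's
# *.microsoft.com and *.windowsupdate.com hosts; the two other domains
# from that list are added explicitly.
acl update-micro-dom dstdomain .microsoft.com .windowsupdate.com
acl update-micro-dom dstdomain wustat.windows.com www.msftncsi.com

# ASSUMPTION: the machines that cannot authenticate are identified by
# subnet. Any ACL type that needs no credentials (src is the obvious one)
# will do; what matters is that it is tested BEFORE any proxy_auth ACL.
acl NoDomain src 10.20.0.0/16

acl NoAccess proxy_auth baduser
acl AD_Users proxy_auth REQUIRED

# http_access lines are tested in order; first match wins.
http_access allow localhost
http_access allow update-micro-dom
# Non-domain hosts go out without ever being challenged.
http_access allow NoDomain
# Everyone else: the first proxy_auth ACL reached on a request without
# credentials triggers the 407 challenge, so these lines must come after
# the unauthenticated exemptions above.
http_access deny NoAccess
http_access allow AD_Users
# The real catch-all. No "allow all" above it.
http_access deny all
```

Keep the exemption ACL as narrow as the network allows: whatever matches NoDomain never sees an authentication challenge, so a too-broad range quietly turns the deny on NoAccess into a no-op for anyone who can reach the proxy from that range.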
Received on Thu Jul 17 2008 - 11:10:51 MDT

This archive was generated by hypermail 2.2.0 : Thu Jul 17 2008 - 12:00:03 MDT