Re: [squid-users] Squid for Windows users **Best Practice**

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 18 Jun 2009 02:34:37 +1200

Beavis wrote:
> Thanks for the reply, Amos.
>
> I'm sorry, it seems that I have not been clear on how I want to do this.
>
> I'm not planning to put squid on windows, my plan is to get some "best
> practice" from folks that have experience on using squid as a proxy
> for their windows network (with AD and all).

(sorry about the rant)

The official Squid wiki and website I reference below are the only
current / most accurate authoritative sources. They are kept very up to
date with current info as things change.

One of my hobby tasks (and Francesco Chemolli who admins the wiki) is
going through and re-organising the old FAQ and Squid Authoritative Guide
book excerpts into an easier reading format and removing obsolete facts.
If we have incorrect or missing data, please point out for an update.

FWIW: Only Squid 2.7 or higher are supported free by the project
members. 2.6 and older are starting to cost real money as they become obsolete.

If you are one of the crowd who recently have started making their own
versions please note all the existing third-party "best practice"
recommendations often quickly change to incorrect and outdated. Thus the
wiki format for our own authoritative sources.

We would rather have references to our documents than re-writes, and please,
please specify clearly what versions of Squid your document is talking
about. I for one am tired of fixing new users' 'understanding' from
obsolete Squid tutorials.

/rant

>
> I'm looking for some suggestions or common setups on their squid where:
>
> a.) squid can determine the AD user's group and give them their own
> list of ACL's

The first part of that requirement is:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

Not sure about the "give them their own list of ACL's".
Squid only uses explicit ACLs defined by you in its config.

Some can be sort of dynamic based on custom helpers though:
http://wiki.squid-cache.org/Features/Authentication

The method of configuration can limit certain ACL to only be tested if
the result of another ACL is true. Anything that can be stated as
boolean logic with the ACL types provided.

> b.) redundancy setups

HTTP is stateless. Auth is not really much different. Redundancy is
built into the back end (AD, LDAP, RADIUS, etc) or the very front end
(PAC, LVS, etc) outside of Squid.

During a failover event either Squid will have the auth result cached
and things "just work". Or squid will deny the lookup until its source
is fixed or changed. Helpers theoretically can do this second, I'm not
sure if they do though.

> c.) recommended "most common" way of authenticating AD users to squid.
> (NTLM, LDAP, ADS)

Not sure if there is a "most common". Every admin has their own
preferences and local site requirements. There are as many methods of
operation as there are software to do the auth and ways to connect to
that software.

The auth methods we get asked about often enough for someone to do a
write-up are listed under Authentication at:
http://wiki.squid-cache.org/Features/Authentication

>
> thanks again,
> -b
>
>
> On Tue, Jun 16, 2009 at 6:54 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>> On Tue, 16 Jun 2009 17:29:33 -0600, Beavis <pfunix_at_gmail.com> wrote:
>>> All,
>>>
>>> I just want to get some views from folks that use squid on a windows
>>> environment. I'm looking at the following scenario.
>>>
>>> a.) running squid that can be used by windows users (auth via ldap, ntlm.
>>> AD)
>>> b.) site access is on a per group basis (squid auth or through
>> squidguard)
>>> c.) Squid Redundancy.
>>>
>> Being a squid linux admin with many users on windows I can say that none of
>> the above require Squid to run on a windows box. Samba + the provided squid
>> helpers handle windows authentications just fine from most non-windows OS.
>>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
   Current Beta Squid 3.1.0.8
Received on Wed Jun 17 2009 - 14:34:47 MDT
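
The points in the reply above about per-group access and about one ACL only being tested when another is true, shown as an added squid.conf sketch (not part of the original message and not taken from the Squid wiki). It assumes Squid 2.7 / 3.0 on a non-Windows host joined to the domain through Samba/winbind; the helper paths, the AD group names `ProxyStaff` and `ProxyGuests`, and the file `/etc/squid/guest_sites.txt` are placeholders for illustration.

```conf
# --- Authentication: Samba's ntlm_auth helper (path varies by distribution) ---
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# Basic fallback for clients that cannot do NTLM, checked against the same domain
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# --- Group lookup: external ACL helper asking winbind for AD group membership ---
# ttl / negative_ttl set how long Squid caches a yes / no answer per user+group,
# so a short back-end outage is only noticed once a cached result expires.
external_acl_type ad_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid/wbinfo_group.pl

# --- ACL definitions (group names and file path are assumptions) ---
acl authenticated proxy_auth REQUIRED
acl grp_staff     external ad_group ProxyStaff
acl grp_guests    external ad_group ProxyGuests
acl guest_sites   dstdomain "/etc/squid/guest_sites.txt"
acl worktime      time MTWHF 08:00-18:00

# --- Access rules ---
# ACLs on one http_access line are ANDed and tested left to right, stopping at
# the first one that fails; lines are tried top-down and the first match wins.

# Anyone without valid credentials is challenged / refused first
http_access deny !authenticated

# Staff group: unrestricted
http_access allow grp_staff

# Guests: the cheap time and destination checks come first, so the group helper
# is only consulted when both of those already matched
http_access allow worktime guest_sites grp_guests

# Default deny for everything not explicitly allowed above
http_access deny all
```

Running `squid -k parse` after editing checks the file for syntax errors before the configuration is reloaded.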
