Re: [squid-users] Squid + Webmarshal

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 29 Jul 2009 20:36:24 +1200

Harley Jackson Willmott wrote:
> 2009/7/29 Amos Jeffries <squid3_at_treenet.co.nz>:
>> Harley Jackson Willmott wrote:
>>> 2009/7/28 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>> Harley Jackson Willmott wrote:
>>>>> 2009/7/27 Amos Jeffries <squid3_at_treenet.co.nz>:
>>>>>> On Mon, 27 Jul 2009 13:50:24 +1000, Harley Jackson Willmott
>>>>>> <open.harley_at_gmail.com> wrote:
>>>>>>> Hey all.
>>>>>>>
>>>>>>> I've done lots of searching and haven't been able to find examples of
>>>>>>> this particular scenario so I'm putting it to you guys for help.
>>>>>>>
>>>>>>> Basically, my boss has me setting up a Squid server for our company's
>>>>>>> primarily Microsoft-based network (We use Active Directory). We've
>>>>>>> already got a proxy server set up running Webmarshal. Webmarshal takes
>>>>>>> care of all the filtering stuff based on Active Directory membership.
>>>>>>>
>>>>>>> I'm implementing a Squid server to both cache (obviously) and to
>>>>>>> throttle certain users using delay pools.
>>>>>>>
>>>>>>> The original plan was to have Squid in front of Webmarshal, which
>>>>>>> means Squid needs to be able to pass the AD credentials to Webmarshal.
>>>>>>> The server itself is running Ubuntu 9.04 Server with
>>>>>>> Squid-3.0.STABLE16 compiled with buckets enabled and is joined to our
>>>>>>> AD domain through Likewise-Open. I'd like to create ACLs based on
>>>>>>> user/group membership in AD, but IPs are fine if that isn't possible.
>>>>>>> The main thing is that I -need- the credentials passed to Webmarshal
>>>>>>> so that the user isn't prompted to enter their username and password
>>>>>>> into their browser (this is how it acts prior to pointing it to
>>>>>>> Squid).
>>>>>>>
>>>>>>> Is this possible with my version of Squid? I've been trying to follow
>>>>>>> examples and documentation on the web, but frequently run into
>>>>>>> conflicting and/or outdated information. If so, can someone help me
>>>>>>> out with an example or something? If not, should I just be putting
>>>>>>> Squid behind Webmarshal?
>>>>>> Behind would be the quickest fix.
>>>>>>
>>>>>> Or you could go the whole way and configure Squid AD authentication
>>>>>> with groups access control to completely replace WebMarshall. Squid
>>>>>> bundles a few external ACL helpers that check group access. The rest
>>>>>> is up to how you set what access controls.
>>>>>>
>>>>>> Amos
>>>>>>
>>>>>>
>>>>> Thanks, Amos, I mulled it over a bit and talked to the boss and we've
>>>>> put Squid in front of Webmarshal
>>>>>
>>>>> I got Squid up and running but was getting a massive headache trying
>>>>> to make it pass credentials to Webmarshal. The problem was revealed to
>>>>> me by another thread on this mailing list that mentioned this would
>>>>> only work in 2.7 and 3.1, whereas I've been using 3.0. I compiled 2.7
>>>>> and it passes credentials to Webmarshal fine now! Delay pools are
>>>>> working great too (it's funny being happy about seeing the internet
>>>>> moving slowly).
>>>>> However, I'm faced with another problem. I still need to set up ACLs
>>>>> in Squid that are based on Active Directory groups. The box is in our
>>>>> domain with Samba and Winbind and wbinfo, wbinfo_group.pl and
>>>>> ntlm_auth all work flawlessly.
>>>>> Unfortunately, after I add the lines for ntlm authentication, my
>>>>> browser (even IE) prompts me for username and password a few times and
>>>>> then sends me to a Cache Access Denied page. My access.log also does
>>>>> not show any usernames/groups.
>>>>>
>>>>> I've played around with the lines a bit but here is how they stand at
>>>>> the moment:
>>>>>
>>>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>>>> auth_param ntlm children 30
>>>>> auth_param ntlm keep_alive on
>>>>>
>>>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>>>>> auth_param basic children 5
>>>>> auth_param basic realm mushmusic
>>>>> auth_param basic credentialsttl 2 hours
>>>>> auth_param basic casesensitive off
>>>>>
>>>>> acl authedusers proxy_auth REQUIRED
>>>>> http_access allow authedusers
>>>>>
>>>>> Any advice?
>>>>> Cheers :)
>>>> You also need persistent connections enabled, and connection-auth= flags
>>>> on any cache_peer lines.
>>>>
>>>> http://www.squid-cache.org/Versions/v2/2.7/cfgman/
>>>> See these settings:
>>>> * client_persistent_connections
>>>> * server_persistent_connections
>>>> * persistent_connection_after_error
>>>> * detect_broken_pconn
>>>>
>>>>
>>>> Amos
>>>> --
>>>> Please be using
>>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
>>>> Current Beta Squid 3.1.0.12
>>>>
>>> Thanks again! I managed to get ntlm_auth working, with ACLs based on
>>> the user's AD groups to decide different bucket sizes and speeds
>>> without the browser prompting.
>>> I had disabled the passing of credentials to Webmarshal beforehand to
>>> isolate what I was working on and now that I've gotten ntlm_auth
>>> working, I re-enabled it. Unfortunately, I am prompted for credentials
>>> again. This time, however, entering the credentials seems to work (as
>>> opposed to just prompting me over and over again before).
>>>
>>> If I'm _only_ passing credentials or _only_ authenticating for Squid,
>>> then everything works swimmingly. However, having both at once causes
>>> it to prompt the user at the browser. Can I only have one or the other
>>> or is there a solution that allows Squid to authenticate as well as
>>> pass creds to Webmarshal?
>>>
>>> Cheers
>>> Harley
>> At a guess I'd say the Webmarshal is not finding the NTLM token passed back
>> enough and kicking off its own challenge sequence.
>>
>> Maybe the all-hack will work here....
>>
>> Setting "all" ACL as the last on each authentication line causes Squid to
>> not send the auth challenge. This breaks any deny lines, but if the auth is
>> only on "allow" stuff it can work.
>>
>> NP: You will also have to create a category for non-authenticated requests.
>> Which are prior to the Webmarshal challenge but MUST still go through to get
>> the auth challenge happening.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
>> Current Beta Squid 3.1.0.12
>>
>
> I have to admit I'm a little confused. Still very new to Squid and I'm
> not entirely sure what you mean :P Particularly the category part and
> what goes where.

Sorry, I thought you were making different levels of delay pools for
different groups. What I said is irrelevant under the config you showed.

>
> This is how my current config stands, if that helps:
>
> ---
> access_log /opt/squid/var/logs/access.log squid
>
> http_port 3128
> client_persistent_connections on
> server_persistent_connections on
> persistent_connection_after_error on
> detect_broken_pconn on
> icp_port 3130
>
> visible_hostname tmg04
>
> acl CONNECT method CONNECT
> acl all src 0/0

Use: acl all src all
I'm not sure right now what Squid-2 does with "0/0", but in early
Squid-3 the result was not sane.

>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp all
> auth_param ntlm children 30 all
> auth_param ntlm keep_alive on all
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic all
> auth_param basic children 5 all
> auth_param basic realm mushmusic all
> auth_param basic credentialsttl 2 hours all
> auth_param basic casesensitive off all

Um no. Sorry I was a bit tired earlier and wasn't clear. Should have
added "http_access" to my statement somehow.

Remove the 'all's from the above. :)

>
> external_acl_type ad_group %LOGIN /opt/squid/libexec/wbinfo_group.pl
> acl girly external ad_group girl
> http_access allow girly

I mean making the above:
   http_access allow girly all

> http_access allow all

That will let the whole Internet use the proxy if they can find a route
there. Best to define what ranges are acceptable and:
   http_access allow localnet
   http_access deny all

>
> cache_effective_user squid
>
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 8000/128000 8000/128000

By itself these pool everybody based on IP.

>
> cache_peer 192.168.5.11 parent 8085 0 no-query default login=PASS
> never_direct allow all
> ---
>
> There's obvious stuff not in to do with caching, etc, but I'm worrying
> about that later as it's trivial (IMO) compared to getting it working
> with Microsoft's crazy old systems.
>
> Harley

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE17
   Current Beta Squid 3.1.0.12
Received on Wed Jul 29 2009 - 08:36:39 MDT
