Re: [squid-users] squid + dansguardian + auth

From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo_at_gmail.com>
Date: Fri, 5 Mar 2010 00:01:13 -0430

Hi!

On Mon, Mar 1, 2010 at 4:52 AM, Bruno Santos <bvsantos_at_hal.min-saude.pt> wrote:
> Hi !
>
> Thanks for the reply.
>
> No! I've managed to sort it out.
>
> I've downloaded the source rpm for squid 3.1.0.16, of Fedora Core 14, and built an RPM from it. Installed, along with dansguardian 2.10.1.1, compiled from source with these options:
> --enable-email --with-proxygroup=squid --with-proxyuser=squid --with-logdir=/var/log/ --enable-pcre (without the --original-ip: I guess this one only matters if squid is going to be transparent)
>
> Next, I've enabled the following options in squid.conf (along with others, but I think these ones are the important ones here):
>
> acl_uses_indirect_client on
>
> follow_x_forwarded_for allow localhost

Exactly.

>
>
> In dansguardian, I guess the important ones are:
>
> forwardedfor = on

Yes, you need this one.

> usexforwardedfor = on

No... not this one.... from dansguardian.conf:

# if on it uses the X-Forwarded-For: <clientip> to determine the client
# IP. This is for when you have squid between the clients and DansGuardian.
# Warning - headers are easily spoofed. on | off
usexforwardedfor = off

So, leave this one off, or somebody could cheat IP-based ACLs by
spoofing the headers (it is not so hard to do).

>
>
> After this, everything went ok and i have now dansguardian with squid and LDAP authentication!

And the authplugin thing is also important; I don't remember why, it
actually works without it... I believe it had something to do with the
logs.

>
> Cheers,
>
> Bruno Santos
>
> ----- Original Message -----
> From: "Jose Ildefonso Camargo Tolosa" <ildefonso.camargo_at_gmail.com>
> To: "Bruno Santos" <bvsantos_at_hal.min-saude.pt>
> Sent: Saturday, February 27, 2010 12:11:24 AM GMT +00:00 GMT Britain, Ireland, Portugal
> Subject: Re: [squid-users] squid + dansguardian + auth
>
> Hi!
>
> Sorry about the delay, do you still have the problem?
>
> Ildefonso
>
> On Wed, Feb 17, 2010 at 5:19 AM, Bruno Santos <bvsantos_at_hal.min-saude.pt> wrote:
>>
>> Hi !
>>
>> No, I don't have those enabled. I'm using LDAP auth in squid (although I've enabled proxy-digest.conf in dansguardian)
>>
>> The problem here is the following:
>>
>> When the request reaches dansguardian, the IP of the machine that made the request is correct.
>> When dansguardian passes the request to squid, it goes with the local machine IP (127.0.0.1) and squid denies the request....
>> I've been messing around with the following dansguardian options:
>> forwardedfor, usexforwardedfor and originalip
>>
>> Any hints ?
>>
>> I have another squid + dansguardian installation with transparent proxy and everything is working just fine...
>>
>> Cheers,
>>
>> Bruno Santos
>>
>>
>> ----- Original Message -----
>> From: "Jose Ildefonso Camargo Tolosa" <ildefonso.camargo_at_gmail.com>
>> To: "squid-users" <squid-users_at_squid-cache.org>
>> Sent: Monday, 15 February 2010 17:45:35 GMT +00:00 Greenwich Mean Time, Ireland, Portugal
>> Subject: Re: [squid-users] squid + dansguardian + auth
>>
>> Hi!
>>
>> I really don't understand why you people are so insistent on the
>> "x-forwarded-for" thing..... it has nothing to do with authentication,
>> unless you use IP as part of your ACLs, of course.
>>
>> Now, I repeat:
>>
>> authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
>> authplugin = '/etc/dansguardian/authplugins/proxy-digest.conf'
>> authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'
>>
>> That's an excerpt from the dansguardian.conf file.  Do you have these enabled?
>>
>> I hope this helps,
>>
>> Ildefonso Camargo
>>
>> On Mon, Feb 15, 2010 at 5:47 AM, Bruno Santos <bvsantos_at_hal.min-saude.pt> wrote:
>>>
>>> Hi !
>>>
>>> Yes, I was careful to check in the SPEC file to see if there was such an option and it is present:
>>> --enable-follow-x-forwarded-for
>>>
>>> The problem, I guess, is when dansguardian forwards the IP to squid: instead of giving the original IP, it goes with the local IP.
>>> But, with other options enabled, I get an html response - 400 bad request..
>>
>> --
>>
>>        Use OpenSource Software
>> Human knowledge belongs to the world
>>        Bruno Santos
>> bvsantos_at_hal.min-saude.pt
>> Tel: +351 962 753 053
>>        Divisão de Informática
>> informatica_at_hal.min-saude.pt
>> Tel: +351 272 000 155
>> Fax: +351 272 000 257
>>        Unidade Local de Saúde de Castelo Branco, E.P.E.
>> geral_at_hal.min-saude.pt
>> Tel: +351 272 000 272
>> Fax: +351 272 000 257
>>
>> Linux registered user #349448
>>
>> LPIC-1 Certification
>> -------------------------------------------------------------------------------------------
>> This message and any attached files are confidential and intended solely for the knowledge and use of the person(s) or entity(ies) to whom they are addressed.
>> It is the recipient's responsibility to check for viruses or errors, since the information contained may be intercepted and/or modified.
>> If you received this e-mail by mistake, or had access to it without being the addressee, please inform your systems administrator immediately
>> and delete it without using, disclosing or reproducing it.
>>
>> Protect the environment. Before printing this e-mail, check whether you really need to.
>>
>>
>
>
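The reasoning behind "leave usexforwardedfor off" is worth seeing as a decision procedure rather than a one-line warning. The model below is an added example written for this page; it is not code from squid, DansGuardian or anyone in the thread. It mimics, in plain Python, how squid's follow_x_forwarded_for walk picks the indirect client that acl_uses_indirect_client on exposes to ACLs, and how DansGuardian's usexforwardedfor switch decides which IP it believes the browser has. Two simplifications are assumptions, not facts about either program: that DansGuardian with forwardedfor = on emits an X-Forwarded-For header carrying exactly the IP it believes the client has, and that with usexforwardedfor = on it takes the first entry of an inbound header. The IP addresses and header values are constructed sample data.

```python
"""Model of squid's follow_x_forwarded_for and DansGuardian's
usexforwardedfor.  Added example, not code from squid or DansGuardian.
Assumptions (not verified against either code base): DansGuardian with
forwardedfor=on sends X-Forwarded-For: <ip it believes the client has>,
and with usexforwardedfor=on it believes the first entry of the inbound
header."""
import ipaddress

# squid's built-in 'localhost' acl, i.e. follow_x_forwarded_for allow localhost
LOCALHOST = ["127.0.0.1/32", "::1/128"]
# the dangerous alternative: follow_x_forwarded_for allow all
ANY = ["0.0.0.0/0", "::/0"]


def is_trusted(addr: str, trust_list) -> bool:
    """Does the follow_x_forwarded_for ACL allow this hop to speak for others?"""
    ip = ipaddress.ip_address(addr)
    # ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch
    return any(ip in ipaddress.ip_network(net) for net in trust_list)


def squid_indirect_client(direct_client: str, xff: str, trust_list) -> str:
    """Mimic squid: start at the TCP peer and walk X-Forwarded-For right to
    left, stepping to the next entry only while the address we currently
    believe in is a trusted proxy.  With acl_uses_indirect_client on, the
    result is what src ACLs match against."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    client = direct_client
    while hops and is_trusted(client, trust_list):
        nxt = hops.pop()
        try:
            ipaddress.ip_address(nxt)
        except ValueError:
            break  # 'unknown' or garbage ends the walk at the last good hop
        client = nxt
    return client


def dansguardian_client_ip(peer: str, inbound_xff: str, usexforwardedfor: bool) -> str:
    """usexforwardedfor=on: believe what the browser put in the header
    (spoofable by anyone who can reach DansGuardian).
    usexforwardedfor=off: use the TCP peer address (the thread's advice)."""
    if usexforwardedfor and inbound_xff:
        return inbound_xff.split(",")[0].strip()  # assumption: first entry
    return peer


def chain(peer: str, inbound_xff: str, usexforwardedfor: bool, squid_trust=LOCALHOST) -> str:
    """Browser -> DansGuardian on 127.0.0.1 -> squid.  Returns the client IP
    squid's ACLs end up seeing.  Assumes forwardedfor=on in DansGuardian."""
    dg_view = dansguardian_client_ip(peer, inbound_xff, usexforwardedfor)
    outbound_xff = dg_view  # forwardedfor=on: DansGuardian tells squid who the client is
    return squid_indirect_client("127.0.0.1", outbound_xff, squid_trust)


if __name__ == "__main__":
    # Honest browser at 10.1.2.3 (constructed), no header games.
    print(chain("10.1.2.3", "", usexforwardedfor=False))
    # Attacker at 10.9.9.9 (constructed) claims to be the allowed 10.1.2.3.
    print(chain("10.9.9.9", "10.1.2.3", usexforwardedfor=True))   # spoof accepted
    print(chain("10.9.9.9", "10.1.2.3", usexforwardedfor=False))  # spoof ignored
    # Same attacker talking straight to squid: only the trust list protects you.
    print(squid_indirect_client("10.9.9.9", "10.1.2.3", LOCALHOST))
    print(squid_indirect_client("10.9.9.9", "10.1.2.3", ANY))
```

The point the model makes: squid's follow_x_forwarded_for allow localhost is safe only because the one hop it trusts (DansGuardian) refuses to be fooled itself. Turn usexforwardedfor on and the trust squid placed in 127.0.0.1 is silently extended to every browser that can reach DansGuardian; widen squid's list to allow all and the same happens for anyone who can reach squid directly.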
Received on Fri Mar 05 2010 - 04:31:20 MST

This archive was generated by hypermail 2.2.0 : Fri Mar 05 2010 - 12:00:04 MST