[squid-users] squid with LDAP authentication and with squidGuard based on LDAP group

Ahmed Allzaeem ahmed.zaeem at netstream.ps
Sun Dec 21 18:47:18 UTC 2014


The problem is that squidguard is not filtering anything!!!

 

The LDAP authentication works — I mean I can log in as users from the DC —
but all users have full permissions!!

 

I created a group called "level2" and gave it to some users, but those users
still have full permissions and are not being filtered at all!!

The OS is pfSense on FreeBSD.

 

 

I will post the config below:

===========================

 

Here is the config

# This file is automatically generated by pfSense

# Do not edit manually !

# NOTE(review): pfSense regenerates this file from its GUI settings, so a
# correction has to be made in the package GUI (or its "custom options"
# field), not here, or it is lost on the next save. Lines that look
# wrapped below (safeports, auth_param, redirect_program) are presumably
# single lines in the real file and were folded by the mail archive.

http_port 10.0.0.1:3128

icp_port 7

dns_v4_first off

pid_filename /var/run/squid.pid

cache_effective_user proxy

cache_effective_group proxy

error_default_language en

icon_directory /usr/pbi/squid-i386/etc/squid/icons

visible_hostname pfsense

cache_mgr admin at localhost

access_log /var/squid/logs/access.log

cache_log /var/squid/logs/cache.log

cache_store_log none

sslcrtd_children 0

logfile_rotate 0

shutdown_lifetime 3 seconds

# Allow local network(s) on interface(s)

acl localnet src  10.0.0.0/24

forwarded_for off

uri_whitespace strip

 

# Do not cache responses for dynamic URLs (cgi-bin or a query string).
# NOTE(review): the stock squid example escapes the question mark
# ("cgi-bin \?"); the backslash may have been lost in the mail.

acl dynamic urlpath_regex cgi-bin ?

cache deny dynamic

cache_mem 8 MB

maximum_object_size_in_memory 32 KB

memory_replacement_policy heap GDSF

cache_replacement_policy heap LFUDA

 

minimum_object_size 0 KB

maximum_object_size 10 KB

offline_mode off

# No redirector configured

# NOTE(review): the generator comment above is stale for this build - a
# redirect_program (squidGuard) is configured further down under
# "# Package Integration".

 

 

#Remote proxies

 

 

# Setup some default acls

acl allsrc src all

acl localhost src 127.0.0.1/32

# Ports a client may request through the proxy; everything else is
# refused by "http_access deny !safeports" below.

acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128
1025-65535 

# Ports a client may tunnel to with CONNECT.

acl sslports port 443 563  

acl manager proto cache_object

acl purge method PURGE

acl connect method CONNECT

 

# Define protocols used for redirects

acl HTTP proto HTTP

acl HTTPS proto HTTPS

 

# Cache-manager and PURGE access only from the proxy host itself.

http_access allow manager localhost

  

http_access deny manager

http_access allow purge localhost

http_access deny purge

http_access deny !safeports

http_access deny CONNECT !sslports

 

# Always allow localhost connections

http_access allow localhost

 

request_body_max_size 0 KB

# One delay pool with no rate limits (-1/-1) applied to all clients.

delay_pools 1

delay_class 1 2

delay_parameters 1 -1/-1 -1/-1

delay_initial_bucket_level 100

delay_access 1 allow allsrc

 

# Reverse Proxy settings

 

 

# Package Integration

# LDAP (Active Directory) Basic authentication helper.
#   -b  search base              -D / -w  bind DN and bind password
#   -f  filter, %s = login name  -h       directory server
#   -P  persistent LDAP connection   -R   do not follow referrals
# NOTE(review): the bind identity is the domain Administrator account and
# its password is stored here in cleartext (and is now in a public list
# archive); a dedicated read-only bind account is sufficient for lookups.
# The helper also talks plain LDAP to 192.168.1.242; squid_ldap_auth
# accepts -Z (StartTLS) if the server offers it. Basic auth itself carries
# the user's password base64-encoded, not encrypted, between browser and
# proxy.

auth_param basic program /usr/pbi/squid-i386/libexec/squid/squid_ldap_auth
-P -R -b 'dc=smart,dc=ps' -D 'cn=administrator,cn=Users,dc=smart,dc=ps' -w
'admin at 123' -f sAMAccountName=%s -h 192.168.1.242

auth_param basic children 100

auth_param basic realm heyyyyy

# A verified password is reused for this long before the helper is asked
# again.

auth_param basic credentialsttl 1 hour

acl password proxy_auth REQUIRED

# squidGuard is the URL rewriter. squid hands it each request as
# "URL client_ip/fqdn username method ...", and that username is what
# squidGuard substitutes for %s in its ldapusersearch. redirector_bypass
# off is the fail-closed setting: with "on", requests would skip the
# rewriter (go unfiltered) whenever all helper children are busy.

redirect_program /usr/pbi/squidguard-i386/bin/squidGuard -c
/usr/pbi/squidguard-i386/etc/squidGuard/squidGuard.conf

redirector_bypass off

url_rewrite_children 5

 

# Custom options

# Requests carrying valid proxy credentials are allowed here.

http_access allow password

 

# Setup allowed acls

# Allow local network(s) on interface(s)

# NOTE(review): this rule comes after "allow password". Confirm with a
# client that sends no Proxy-Authorization header that it is challenged
# (407) rather than admitted here: a request admitted without a username
# reaches squidGuard with no user to substitute for %s, so the LDAP group
# lookup can never match it and only squidGuard's "default" acl applies.

http_access allow localnet

# Default block all to be sure

http_access deny allsrc

 

 

 

 

# ============================================================

# SquidGuard configuration file

# This file generated automaticly with SquidGuard configurator

# (C)2006 Serg Dvoriancev

# email: dv_serg at mail.ru

# ============================================================

# NOTE(review): this file is generator-owned as well (pfSense squidGuard
# package). The ldapusersearch URL and the pass lines below are wrapped by
# the mail archive and are presumably single lines in the real file.

 

logdir /var/squidGuard/log

# Directory holding the compiled blacklist databases referenced by the
# blk_BL_* names below.

dbhome /var/db/squidGuard

# Credentials squidGuard uses for its own group lookups (the same domain
# Administrator account squid's auth helper binds with). NOTE(review): a
# read-only bind account is sufficient here, the password is cleartext in
# this file, and it has been posted to a public list archive.

ldapbinddn cn=administrator,cn=Users,dc=smart,dc=ps

ldapbindpass admin at 123

# NOTE(review): Active Directory generally refuses LDAPv2 binds; the
# squidGuard examples for AD use "ldapprotover 3". A failing bind is
# reported in squidGuard.log and leaves every user outside "zozo".

ldapprotover 2

# Strip a leading "DOMAIN\" from the username squid passes before it is
# substituted into %s.

stripntdomain true

 

# 

# Source group "zozo": a request belongs to it when the AD query below
# (%s = the authenticated username, %2c = URL-encoded commas in the DN)
# returns an entry, i.e. the user is a memberOf CN=level2. Requests that
# arrive with no username cannot match and fall through to "default".

src zozo {

                ldapusersearch
ldap://192.168.1.242/DC=smart,DC=ps?sAMAccountName?sub?(&(sAMAccountName=%s)
(memberOf=CN=level2%2cCN=Users%2cDC=smart%2cDC=ps))

                log block.log

}

 

 

# 

# Rewrite rules that append safe-search parameters to search-engine
# result URLs. The " at i" endings appear to be the archive's rendering
# of "@i" (case-insensitive substitution flag).

rew safesearch {

                s@(google..*/search?.*q=.*)@&safe=active at i

                s@(google..*/images.*q=.*)@&safe=active at i

                s@(google..*/groups.*q=.*)@&safe=active at i

                s@(google..*/news.*q=.*)@&safe=active at i

                s@(yandex..*/yandsearch?.*text=.*)@&fyandex=1 at i

                s@(search.yahoo..*/search.*p=.*)@&vm=r&v=1 at i

                s@(search.live..*/.*q=.*)@&adlt=strict at i

                s@(search.msn..*/.*q=.*)@&adlt=strict at i

                s@(.bing..*/.*q=.*)@&adlt=strict at i

                log block.log

}

 

# 

# NOTE(review): the pass lines below reference destination classes
# (in-addr and the blk_BL_* lists) that no "dest { }" block defines in
# the file as posted. If they really are missing, or the databases under
# dbhome are not built, squidGuard logs "going into emergency mode" in
# squidGuard.log and passes every request unchanged - which matches the
# symptom of nothing being filtered. Check that log before changing rules.

acl  {

                # 

                zozo  {

# "!class" blocks that class; the trailing "none" denies whatever the
# earlier entries did not match. As I read the squidGuard pass semantics,
# a working squidGuard would therefore block most URLs for zozo members
# rather than nothing - again pointing at the file not being applied.

                                pass !in-addr !blk_BL_adv !blk_BL_aggressive
!blk_BL_alcohol !blk_BL_anonvpn !blk_BL_automobile_bikes
!blk_BL_automobile_boats !blk_BL_automobile_cars !blk_BL_downloads
!blk_BL_movies !blk_BL_porn !blk_BL_sex_education !blk_BL_sex_lingerie none

# Blocked requests are sent to the local error page with the original
# URL and client details passed as query parameters.

                                redirect
http://10.0.0.1:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

                                log block.log

                }

                # 

# Everyone not matched by a src block above.

                default  {

                                pass !blk_BL_porn !blk_BL_searchengines
!blk_BL_sex_education !blk_BL_sex_lingerie !blk_BL_shopping none

                                redirect
http://10.0.0.1:80/sgerror.php?url=403%20KKKK&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u

                                rewrite safesearch

                                log block.log

                }

}

 

 

 

 

 

Any idea why squidGuard is not blocking anything???

 

cheers
