[squid-users] CentOS Linux 7 / squid-3.5.20-2.el7.x86_64 / LDAP / ECAP / squidGuard blacklisting

bjoern wahl bjoern.wahl at hospital-borken.de
Wed Dec 21 10:24:16 UTC 2016


Hello!

Just for those who would like to have a:

Squid with LDAP user auth on an eDirectory with an ecap (watch out! It
is not i-cap!) virus check and squidGuard for blacklisting.

One thing not working for me so far is the redirect to a virus info site
if ecap/clamd finds a virus. For now the user is informed that the
access was "denied" but not why. A thing I do not like with this setup
right now. (Still working on this!)

The working squid.conf looks like this:

=================================================================
cache_mgr xxx@mail.de
http_port IPADDRESSOFSERVER:3128
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b o=XXXX -h IPOFEDIRSERVER -D cn=XXX,o=XXX -w PASSWORDOFUSER -f "(&(objectclass=User)(cn=%s))"
auth_param basic children 5
auth_param basic realm WHATEVER-YOU-LIKE-TO-TELL-THE-USER
auth_param basic credentialsttl 2 hours
ecap_enable on
loadable_modules /usr/local/lib/ecap_clamav_adapter.so
ecap_service clamav_service_req reqmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off
ecap_service clamav_service_resp respmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on
adaptation_access clamav_service_req allow all
adaptation_access clamav_service_resp allow all
acl ediruser proxy_auth REQUIRED
http_access allow ediruser
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 15
url_rewrite_access allow all
======================================================================================================================

Thanks for all the help!

Björn
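
Squid evaluates http_access rules from top to bottom and stops at the first one that matches. The lint below is an added example, not part of the original post or of Squid; it runs over the access-control lines as posted and reports rules that cannot take effect. The function names and finding labels are this example's own.

```python
# Added example: lint http_access ordering (Squid stops at the first matching rule).

# Access-control lines copied in order from the squid.conf posted above.
POSTED = """\
acl ediruser proxy_auth REQUIRED
http_access allow ediruser
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny all
"""

def parse(conf_text):
    """Return (names of proxy_auth ACLs, [(lineno, action, [acl, ...])])."""
    auth_acls, rules = set(), []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) >= 3 and f[0] == "acl" and f[2] == "proxy_auth":
            auth_acls.add(f[1])
        elif len(f) >= 3 and f[0] == "http_access":
            rules.append((lineno, f[1], f[2:]))
    return auth_acls, rules

def lint(conf_text):
    """Return [(lineno, kind, cause_lineno)] for rules that cannot take effect."""
    auth_acls, rules = parse(conf_text)
    findings, terminal, auth_allow = [], None, None
    for lineno, action, acls in rules:
        if terminal is not None:
            # An earlier rule matched every request, so this one never runs.
            findings.append((lineno, "unreachable", terminal))
        elif acls == ["all"]:
            terminal = lineno
        elif action == "allow" and set(acls) <= auth_acls:
            # Any authenticated user is accepted here, whatever the port or method.
            auth_allow = auth_allow or lineno
        elif action == "deny" and auth_allow is not None:
            findings.append((lineno, "skipped-for-authenticated-users", auth_allow))
    return findings

if __name__ == "__main__":
    for lineno, kind, cause in lint(POSTED):
        print(f"line {lineno}: {kind} (decided by line {cause})")
```

Placing the `deny !Safe_ports` and `deny CONNECT !SSL_ports` rules ahead of the `allow ediruser` rule, with a single `deny all` last, produces no findings.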
