[squid-users] Any suggestions or comments about my configuration? squid 3.5.20

Service MV service.mv at gmail.com
Wed Sep 19 20:52:54 UTC 2018 

Dear Ones, the more I use Squid the more I realize how powerful it is.
And like all powerful software it can be complex at first.
I would like to share my settings and if possible listen (read actually)
your comments and suggestions.
My goals of using squid:
- Transparent authentication of my AD users (2012R2)
- Internet access rules based on users belonging to AD groups.
- Non-authenticated clients (Win PCs) cannot navigate through the proxy.
- That the clients (Win PCs) not belonging to an AD group allowed in squid,
cannot navigate through the proxy.

My test scenario:
- A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
- My VM is attached to my domain W2012R2 (following this post
https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
to achieve kerberos authentication transparent to the user. SElinux
disabled. Owner permissions to user squid in all folders/files involved.
- squid 3.5.20 installed and working great with kerberos, NTLM and basic
authentication.

squid.conf
### negotiate kerberos & ntlm authentication
auth_param negotiate program /usr/sbin/negotiate_wrapper --ntlm
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos
/usr/lib64/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive on

### standard allowed ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

### destination domains to be blocked in a HTTP access control
acl LS_malicius dstdomain -i "/etc/squid/DBL/malicius/malicius.txt"
acl LS_remotecontrol dstdomain -i
"/etc/squid/DBL/remotecontrol/remotecontrol.txt"

### LDAP group membership sources
# WEB_ACCESS_1
external_acl_type AD_WEB_ACCESS_1 %LOGIN
/usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=USERS,DC=netgol,DC=local -D
ldap -W "/etc/squid/ldap_pass.txt" -f
(&(sAMAccountName=%u)(memberOf=cn=WEB_ACCESS_1,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local))
-h s-dc1.netgol.local -p 3268
acl WEB_ACCESS_1 external AD_WEB_ACCESS_1 web-access-1

# WEB_ACCESS_2
external_acl_type AD_WEB_ACCESS_2 %LOGIN
/usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=USERS,DC=netgol,DC=local -D
ldap -W "/etc/squid/ldap_pass.txt" -f
(&(sAMAccountName=%u)(memberOf=cn=WEB_ACCESS_2,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local))
-h s-dc1.netgol.local -p 3268
acl WEB_ACCESS_2 external AD_WEB_ACCESS_2 web-access-2

# WEB_ACCESS_3
external_acl_type AD_WEB_ACCESS_3 %LOGIN
/usr/lib64/squid/ext_ldap_group_acl -P -R -b OU=USERS,DC=netgol,DC=local -D
ldap -W "/etc/squid/ldap_pass.txt" -f
(&(sAMAccountName=%u)(memberOf=cn=WEB_ACCESS_3,OU=INTERNET,OU=PERMISOS,OU=NETGOL,DC=netgol,DC=local))
-h s-dc1.netgol.local -p 3268
acl WEB_ACCESS_3 external AD_WEB_ACCESS_3 web-access-3

### HTTP access control policies
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny WEB_ACCESS_1 LS_malicius
http_access deny WEB_ACCESS_2 LS_malicius
http_access deny WEB_ACCESS_3 LS_malicius
http_access deny WEB_ACCESS_1 LS_remotecontrol
http_access deny WEB_ACCESS_2 LS_remotecontrol
http_access allow WEB_ACCESS_1
http_access allow WEB_ACCESS_2
http_access allow WEB_ACCESS_3
http_access allow localhost
http_access deny all

### personalization ###
http_port 8080
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .  0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
read_timeout 5 minutes
request_timeout 3 minutes
half_closed_clients off
shutdown_lifetime 15 seconds
log_icp_queries off
dns_v4_first on
ipcache_size 2048
ipcache_low 90
fqdncache_size 4096
forwarded_for off
cache_mgr system at netgol.net
visible_hostname proxy.netgol.local
httpd_suppress_version_string on
uri_whitespace strip
logfile_rotate 7
debug_options rotate=7


Any suggestion or comment will be very useful to me and I thank you in
advance.
Best regards

Gabriel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180919/0632f004/attachment.html>

More information about the squid-users mailing list