<font size=2 face="sans-serif">Hello Antony;</font>
<br><font size=2 face="sans-serif">I have double checked the current working
configuration of my squid.conf and it has same settings which I posted
earlier. somehow it is working for us.</font>
<br>
<br><font size=2 face="sans-serif">below is the error from access.log file.</font>
<br>
<br><font size=2 face="sans-serif">1475518342.279 0
10.xx.15.103 TCP_DENIED/407 3589 CONNECT vseries-test.bottomline.com:443
- NONE/- text/html</font>
<br>
<br>
<br><font size=2 face="sans-serif">Thanks & Regards<br>
Nilesh Suresh Gavali<br>
</font><tt><font size=2>------------------------------<br>
<br>
Message: 5<br>
Date: Tue, 4 Oct 2016 11:08:27 +0100<br>
From: Nilesh Gavali <nilesh.gavali@tcs.com><br>
To: squid-users@lists.squid-cache.org<br>
Subject: [squid-users] Squid - AD kerberos auth and Linux Server proxy<br>
access not working<br>
Message-ID:<br>
<OF227B7BEA.03FD80E0-ON80258042.0036FE6D-80258042.0037B4EB@tcs.com><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
All;<br>
<br>
we have Squid proxy configured with Windows SSO with Kerberos which work
<br>
fine for WIndows AD users.<br>
we have new requirement where one Linux application server need to access
<br>
Internet via squid proxy, we allowed Linux host access via ACL but getting
<br>
denied access error.<br>
below is the configuration done to allow Linux Server host IWCCP02.<br>
<br>
###################################<br>
auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s <br>
HTTP/proxy02.cust.in@CUST.IN<br>
auth_param negotiate children 20<br>
auth_param negotiate keep_alive on<br>
<br>
acl ad_auth proxy_auth REQUIRED<br>
<br>
#### AD Group membership ####<br>
<br>
external_acl_type AD_Group ttl=300 negative_ttl=0 %LOGIN <br>
/usr/lib64/squid/squid_ldap_group -P -R -b "DC=CUST, DC=IN" -D
svcproxy -W <br>
/etc/squid/pswd/pswd -f <br>
"(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,DC=CUST,
<br>
DC=IN))" -h Cust.in -s sub -v 3<br>
#<br>
#<br>
acl USER external AD_Group lgInternetAccess_Users<br>
acl allowedsite dstdomain "/etc/squid/sitelist/dbs_allowed_site"<br>
<br>
acl manager proto cache_object<br>
acl localhost src 127.0.0.1/32 ::1<br>
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1<br>
<br>
# Example rule allowing access from your local networks.<br>
# Adapt to list your (internal) IP networks from where browsing<br>
# should be allowed<br>
<br>
acl IWCCP01 src 10.xx.15.103 # Linux Application server<br>
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<br>
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<br>
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network<br>
acl localnet src fc00::/7 # RFC 4193 local private
network range<br>
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) <br>
machines<br>
#<br>
acl SSL_ports port 443<br>
acl Safe_ports port 80 # http<br>
acl Safe_ports port 21 # ftp<br>
acl Safe_ports port 443 # https<br>
acl Safe_ports port 70 # gopher<br>
acl Safe_ports port 210 # wais<br>
acl Safe_ports port 1025-65535 # unregistered ports<br>
acl Safe_ports port 280 # http-mgmt<br>
acl Safe_ports port 488 # gss-http<br>
acl Safe_ports port 591 # filemaker<br>
acl Safe_ports port 777 # multiling http<br>
acl CONNECT method CONNECT<br>
<br>
# Recommended minimum Access Permission configuration:<br>
#<br>
# Only allow cachemgr access from localhost<br>
http_access allow manager localhost<br>
http_access deny manager<br>
<br>
# Deny requests to certain unsafe ports<br>
http_access deny !Safe_ports<br>
<br>
# Deny CONNECT to other than secure SSL ports<br>
http_access deny CONNECT !SSL_ports<br>
<br>
# We strongly recommend the following be uncommented to protect innocent<br>
# web applications running on the proxy server who think the only<br>
# one who can access services on "localhost" is a local user<br>
#http_access deny to_localhost<br>
<br>
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br>
#<br>
# Example rule allowing access from your local networks.<br>
# Adapt localnet in the ACL section to list your (internal) IP networks<br>
# from where browsing should be allowed<br>
<br>
<br>
http_access allow IWCCP01 allowedsite<br>
http_access allow USER allowedsite<br>
http_access deny all<br>
http_access allow ad_auth<br>
<br>
# And finally deny all other access to this proxy<br>
http_access deny all<br>
<br>
# Squid normally listens to port 3128<br>
http_port 8080<br>
never_direct allow all<br>
<br>
cache_peer 10.xx.xx.108 parent 8080 0 default<br>
#######################################################################<br>
<br>
<br>
Thanks & Regards<br>
Nilesh Suresh Gavali<br>
=====-----=====-----=====<br>
Notice: The information contained in this e-mail<br>
message and/or attachments to it may contain <br>
confidential or privileged information. If you are <br>
not the intended recipient, any dissemination, use, <br>
review, distribution, printing or copying of the <br>
information contained in this e-mail message <br>
and/or attachments to it are strictly prohibited. If <br>
you have received this communication in error, <br>
please notify us by reply e-mail or telephone and <br>
immediately and permanently delete the message <br>
and any attachments. Thank you<br>
<br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <</font></tt><a href="http://lists.squid-cache.org/pipermail/squid-users/attachments/20161004/92d8b1fa/attachment-0001.html"><tt><font size=2>http://lists.squid-cache.org/pipermail/squid-users/attachments/20161004/92d8b1fa/attachment-0001.html</font></tt></a><tt><font size=2>><br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Tue, 4 Oct 2016 12:13:28 +0200<br>
From: Antony Stone <Antony.Stone@squid.open.source.it><br>
To: squid-users@lists.squid-cache.org<br>
Subject: Re: [squid-users] Squid - AD kerberos auth and Linux Server<br>
proxy
access not working<br>
Message-ID: <201610041213.28760.Antony.Stone@squid.open.source.it><br>
Content-Type: Text/Plain; charset="iso-8859-15"<br>
<br>
On Tuesday 04 October 2016 at 12:08:27, Nilesh Gavali wrote:<br>
<br>
> All;<br>
> <br>
> we have Squid proxy configured with Windows SSO with Kerberos which
work<br>
> fine for WIndows AD users.<br>
> we have new requirement where one Linux application server need to
access<br>
> Internet via squid proxy, we allowed Linux host access via ACL but
getting<br>
> denied access error.<br>
<br>
> http_access allow IWCCP01 allowedsite<br>
> http_access allow USER allowedsite<br>
> http_access deny all<br>
> http_access allow ad_auth<br>
<br>
That makes no sense. The last rule can never be triggered. "deny
all" does <br>
exactly what it says.<br>
<br>
However, that doesn't explain your problem, so please show what you get
in <br>
your access log for a request from this Linux machine IWCCP01.<br>
<br>
Thanks,<br>
<br>
Antony.<br>
<br>
-- <br>
"In fact I wanted to be John Cleese and it took me some time to realise
that <br>
the job was already taken."<br>
<br>
- Douglas Adams<br>
<br>
Please reply to the list;<br>
please *don't* CC me.<br>
<br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
squid-users@lists.squid-cache.org<br>
</font></tt><a href="http://lists.squid-cache.org/listinfo/squid-users"><tt><font size=2>http://lists.squid-cache.org/listinfo/squid-users</font></tt></a><tt><font size=2><br>
<br>
<br>
------------------------------<br>
<br>
End of squid-users Digest, Vol 26, Issue 10<br>
*******************************************<br>
</font></tt>