<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><div>Thank you Amos as always.</div><div>My current configuration has not changed much, it is as follows:</div></div><div><br></div><div>visible_hostname s-px4.mydomain.local</div><div>http_port 3128</div><div>error_directory /opt/squid-503/share/errors/es-ar</div><div>forwarded_for transparent</div><div>shutdown_lifetime 0 seconds</div><div>quick_abort_min 0 KB</div><div>quick_abort_max 0 KB</div><div>quick_abort_pct 100</div><div>read_timeout 5 minutes</div><div>request_timeout 3 minutes</div><div>cache_mem 1024 MB</div><div>maximum_object_size_in_memory 4 MB</div><div>memory_cache_mode always</div><div>ipcache_size 2048</div><div>fqdncache_size 4096</div><div>cache_mgr support@mydomain.local</div><div>httpd_suppress_version_string on</div><div>coredump_dir /opt/squid-503/var/cache/squid</div><div><br></div><div>auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME</div><div>auth_param negotiate children 300 startup=150 idle=10</div><div>auth_param negotiate keep_alive on</div><div><br></div><div>auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=local" -D "cn=ldap,cn=Users,dc=mydomain,dc=local" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.local</div><div>auth_param basic children 30</div><div>auth_param basic realm Proxy Authentication</div><div>auth_param basic credentialsttl 4 hour</div><div><br></div><div>external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D MYDOMAIN.LOCAL</div><div>acl NO_INTERNET external NO_INTERNET_USERS</div><div><br></div><div>acl SSL_ports port 443</div><div>acl SSL_ports port 8543 # LiveU Central</div><div>acl Safe_ports port 80 # http</div><div>acl Safe_ports port 21 # ftp</div><div>acl Safe_ports port 443 # https</div><div>acl Safe_ports port 70 # gopher</div><div>acl Safe_ports port 210 # wais</div><div>acl Safe_ports port 280 # http-mgmt</div><div>acl Safe_ports port 488 # gss-http</div><div>acl Safe_ports port 591 # filemaker</div><div>acl Safe_ports port 777 # multiling http</div><div>acl Safe_ports port 81 # coto "yo te conozco" donkey ports</div><div>acl Safe_ports port 623 # coto "yo te conozco" donkey ports</div><div>acl Safe_ports port 8543 # LiveU Central management</div><div>acl Safe_ports port 18255 # LiveU Central files download</div><div>acl Safe_ports port 33080 # ddjj</div><div>acl Safe_ports port 9090 # asociart</div><div>acl Safe_ports port 8713 # handball results</div><div>acl Safe_ports port 8080 # <a href="http://cponline.org.ar">cponline.org.ar</a></div><div><br></div><div><br></div><div># Lists of domains and IPs</div><div>acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"</div><div>acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"</div><div>acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"</div><div>acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"</div><div>acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"</div><div>acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"</div><div>acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"</div><div><br></div><div># Access lists</div><div>acl http proto http</div><div>acl port_80 port 80</div><div>acl port_443 port 443</div><div>acl port_9000 port 9000</div><div>acl port_5061 port 5061</div><div>acl port_5065 port 5065</div><div>acl CONNECT method CONNECT</div><div><br></div><div># Denied internet to member users of INTERNET_OFF group </div><div>http_access deny NO_INTERNET all</div><div><br></div><div># Allow webex without authentication</div><div>http_access allow http port_80 LS_webex</div><div>http_access allow CONNECT port_443 LS_webex</div><div>http_access allow port_9000 LS_webex</div><div>http_access allow port_5061 LS_webex</div><div>http_access allow port_5065 LS_webex</div><div><br></div><div>http_access deny LS_blackdomains</div><div>http_access deny LS_porn</div><div>http_access deny DOM_Malware</div><div>http_access deny IP_Malware</div><div><br></div><div># default SQUID rules</div><div>http_access deny !Safe_ports</div><div>http_access deny CONNECT !SSL_ports</div><div>http_access allow localhost manager</div><div>http_access deny manager</div><div>http_access deny to_localhost</div><div>http_access allow localhost</div><div><br></div><div># Apply 20Mbit/s QoS to members of Active Directory Authenticated Users group</div><div>acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==</div><div>delay_pools 1</div><div>delay_class 1 1</div><div>delay_parameters 1 2500000/2500000</div><div>delay_access 1 allow Domain_Users</div><div><br></div><div># Allow authenticated users to use internet and deny to all others</div><div>acl authenticated proxy_auth REQUIRED</div><div>http_access allow authenticated</div><div>http_access deny all</div><div><br></div><div><br></div><div><div>Thank you very much in advance for your valuable help.</div><div>Best regards</div><div>Gabriel</div></div><div><br></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">El mar., 29 de sep. de 2020 a la(s) 07:46, Amos Jeffries (<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>) escribió:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 29/09/20 3:55 am, Service MV wrote:<br>
> In my case I have the domains, for example from webex, which I get from<br>
> their official support page. It seems that I am doing something wrong or<br>
> I am not understanding well.<br>
> I base on this documentation<br>
> <a href="https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass</a><br>
> <br>
> The error I get is 407. I understand I should not request authentication<br>
> to those domains with the configuration I have, but apparently it does.<br>
> <br>
<br>
In the (possibly outdated now) config you showed earlier the<br>
"NO_INTERNET" ACL might produce a 407 if credentials are completely<br>
missing, but not re-auth if they are invalid.<br>
If you wish to have a free audit please post your current squid.conf<br>
rules and I will comment on useful changes.<br>
<br>
<br>
> Below I have a bandwidth control configuration with acl note, I don't<br>
> know if that will be triggering the webex client authentication request.<br>
> Maybe someone with more experience can tell me.<br>
<br>
"note" ACL will match if the data is available but not trigger<br>
authentication sequences. That is what makes it so useful for fast-group<br>
access checking logins.<br>
<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>