[squid-users] Problem with squid3 authentication
Marcio Demetrio Bacci
marciobacci at gmail.com
Sun Nov 15 18:17:43 UTC 2015
Hi,
My problem is as follows:
The Windows stations in the domain are automatically authenticated on the
proxy, though the Linux stations ask for the password twice, even if the
password is entered correctly the first time.
Does somebody has an idea?
Follow my squid.conf file
### Configuracoes Basicas
http_port 3128
#debug_options ALL,111,2 29,9 84,6
hierarchy_stoplist cgi-bin ?
### Bloqueia o cache de CGI's
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
cache_mem 512 MB
cache_swap_low 80
cache_swap_high 90
maximum_object_size 512 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 4096 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
#Para não bloquear downloads
quick_abort_min -1 KB
#Resolve um problema com conexoes persistentes
detect_broken_pconn on
#Provoca ganho de performace ao usar conexoe pipeline
pipeline_prefetch on
fqdncache_size 1024
### Parametros de atualizacao da memoria cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
### Localizacao dos logs
access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
### define a localizacao do cache de disco, tamanho, qtd de diretorios pai
e subdiretorios
cache_dir aufs /var/spool/squid3 600 16 256
#Controle do arquivo de log
#logfile_rotate 10
#Libera acesso ao site da caixa
acl caixa dstdomain .caixa.gov.br
always_direct allow caixa
cache deny caixa
### Realiza a autenticacao no AD via Winbind
# NTLM
# para quem esta logado em maquinas windows, aproveita a senha do logon
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50
auth_param ntlm keep_alive off
# para clientes nao windows, user/senha tem de ser solicitado
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm "Autenticacao - CMB - Acesso Monitorado"
auth_param basic credentialsttl 2 hours
external_acl_type ad_group ipv4 ttl=600 children-max=35 %LOGIN
/usr/lib/squid3/ext_wbinfo_group_acl
### ACLs
#acl manager proto cache_object
acl localhost src 192.168.100.1/32
#acl to_localhost dst 192.168.100.1/32
acl SSL_ports port 22 443 563 10000 # https, snews
acl Safe_ports port 80 8080 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3001 # imprenssa nacional
acl purge method PURGE
acl CONNECT method CONNECT
### Regras iniciais do Squid
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
#acl manager proto cache_object
acl connect_abertas maxconn 8
# acl ligada a autenticacao
acl grupo_admins external ad_group gg_webadmins
acl grupo_liberado external ad_group gg_webliberados
acl grupo_restrito external ad_group gg_webcontrolados
### Bloqueia extensoes de arquivos
acl extensoes_bloqueadas url_regex -i "/etc/squid3/acls/extensoes-proibidas"
### Liberar alguns sites
acl sites_liberados url_regex -i "/etc/squid3/acls/sites-permitidos"
### Bloqueia sites por URL
acl sites_bloqueados url_regex -i "/etc/squid3/acls/sites-proibidos"
### Realiza o bloqueio por palavras
acl palavras_bloqueadas url_regex -i "/etc/squid3/acls/palavras-proibidas"
### Exige autenticacao
acl autenticados proxy_auth REQUIRED
### Incorpora as regras do SquidGuard ####
#redirect_program /usr/bin/squidGuard
#redirect_children 20
#redirector_bypass on
#libera o grupo internet
http_access allow grupo_admins
#http_access deny extensoes_bloqueadas
http_access allow sites_liberados
http_access deny sites_bloqueados
http_access deny palavras_bloqueadas
##### Libera acesso ao grupo de chefes e professores
http_access allow grupo_liberado
### Liberando midia social e musica no horario do almoco
acl almoco time 11:30-13:30
http_access allow almoco
#bloqueia midia social durante o expediente
acl social_proibido url_regex -i "/etc/squid3/acls/media-social"
http_access deny social_proibido
# Regra para bloqueio de extensoes de radios online / arquivos de streaming:
acl streaming req_mime_type -i "/etc/squid3/acls/mimeaplicativo"
#acl proibir_musica urlpath_regex -i "/etc/squid3/acls/audioextension"
acl proibir_musica url_regex -i "/etc/squid3/acls/audioextension"
http_access deny proibir_musica
http_reply_access deny streaming
### Controle de banda
### So existe um pool (1)
delay_pools 1
### nr do pool (1) e tipo de classe (2): total da banda disponivel e total
de banda por usuario
delay_class 1 2
### aprox 32Mbps para todos e 500Kbps para cada usuario
delay_parameters 1 4194304/4194304 64000/64000
delay_access 1 allow grupo_restrito
http_access allow grupo_restrito
#liberando acesso a todos os usuarios autenticados
http_access allow autenticados
### Rede LAN #####
acl rede_lan src 192.168.100.0/22
### Nega acesso de quem nao esta na rede local
http_access deny !rede_lan
#negando o acesso para todos que nao estiverem nas regras anteriores
http_access deny all
visible_hostname proxy.empresa.com
### Erros em portugues
error_directory /usr/share/squid3/errors/pt-br
#cache_effective_user proxy
coredump_dir /var/spool/squid3
Regards,
Márcio Bacci
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151115/4cb70bef/attachment-0001.html>
More information about the squid-users
mailing list