[squid-users] CentOS Linux 7 / squid-3.5.20-2.el7.x86_64 / LDAP / ECAP / squidGuard blacklisting
bjoern wahl
bjoern.wahl at hospital-borken.de
Wed Dec 21 10:24:16 UTC 2016
Hello!
Just for those who would like to have a:
Squid with LDAP user auth on an eDirectory with an ecap (watch out! It
is not i-cap!) virus check and squidGuard for blacklisting.
One thing not working for me so far is the redirect to a virus info site
if ecap/clamd did find a virus. By now the user is informed that the
access was "denied" but not why. A thing I do not like with this setup
right now. (still working on this!)
The working squid.conf looks like this:
=================================================================
cache_mgr xxx@mail.de
http_port IPADDRESSOFSERVER:3128
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
auth_param basic program /usr/lib64/squid/basic_ldap_auth -b o=XXXX -h IPOFEDIRSERVER -D cn=XXX,o=XXX -w PASSWORDOFUSER -f "(&(objectclass=User)(cn=%s))"
auth_param basic children 5
auth_param basic realm WHATEVER-YOU-LIKE-TO-TELL-THE-USER
auth_param basic credentialsttl 2 hours
ecap_enable on
loadable_modules /usr/local/lib/ecap_clamav_adapter.so
ecap_service clamav_service_req reqmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off
ecap_service clamav_service_resp respmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on
adaptation_access clamav_service_req allow all
adaptation_access clamav_service_resp allow all
acl ediruser proxy_auth REQUIRED
http_access allow ediruser
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 15
url_rewrite_access allow all
======================================================================================================================
Thanks for all the help!
Björn
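
Squid evaluates http_access rules top to bottom and stops at the first rule that matches, so the order of those lines in the posted squid.conf decides which of them ever take effect. The following is an added example, not part of the original post: it checks the posted order and a reordered variant. The REORDERED list and the helper names are assumptions made for illustration.

```python
# Constructed input: the http_access lines from the post, in posted order.
POSTED = """\
http_access allow ediruser
http_access deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny all
"""
# Assumption (not the author's config): same rules, port checks moved first.
REORDERED = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow ediruser
http_access deny all
"""

def parse_http_access(conf):
    """Return [(action, [acl terms])] for each http_access line, in order."""
    lines = (l.split("#", 1)[0].split() for l in conf.splitlines())
    return [(p[1], p[2:]) for p in lines
            if len(p) >= 3 and p[0] == "http_access" and p[1] in ("allow", "deny")]

def unreachable(rules):
    """Rules after the first rule whose only ACL is `all` are never evaluated."""
    for i, (_, acls) in enumerate(rules):
        if acls == ["all"]:
            return rules[i + 1:]
    return []

def term_matches(term, matching):
    """`matching` is the set of ACL names true for a request; `!` negates."""
    negated, name = term.startswith("!"), term.lstrip("!")
    return (name == "all" or name in matching) != negated

def decide(rules, matching):
    """First matching rule wins; if none match, Squid inverts the last action."""
    for action, acls in rules:
        if all(term_matches(t, matching) for t in acls):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":  # authenticated CONNECT to a port outside SSL_ports
    for name, conf in (("posted", POSTED), ("reordered", REORDERED)):
        r = parse_http_access(conf)
        print(name, decide(r, {"ediruser", "CONNECT"}), len(unreachable(r)), "unreachable")
```

In the posted order the Safe_ports, SSL_ports and manager rules sit behind the first `deny all` and are never reached, so any authenticated request is allowed regardless of port.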