[squid-users] Squid V 3.5.23 authenticating in AD: User names not showing in log

Rafael Silva Daniel rafaelsilvadaniel at gmail.com
Thu May 16 17:36:57 UTC 2019 

"There is no natural reason why those CONNECT should be exempt from 
authenticating. 

I usually find situations like what you describe happen where someone 
has misunderstood the default security rules and "customized" them a 
bit. They are finely tuned rules, so vast changes to proxy behaviour 
(like complete bypass of auth) can result if updates to them are not 
done correctly."

This is very possible, i inherited this server and tried my best to
implement what my boss asked, but i think it exceded my knowledge of squid,
i came up with these settings searching foruns around the internet but i can
messed it up a bit D:

"Can you please show more of your http_access rules? all of them would be 
best. At minimum all of the ones above that "http_access deny !auth" 
line, and the definition lines for any ACLs used in those rules (include 
that "auth" ACL definition too please). "

suree, thanks for taking a look on it!, this is the complete file, i just
edited the ips:


http_port 3128

dns_nameservers XXXXXXX
visible_hostname proxy
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
strip_query_terms off
err_html_text /usr/share/squid-langpack/pt-br/
url_rewrite_program /usr/bin/squidGuard

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=FAPEMIG
auth_param ntlm children 100
auth_param ntlm keep_alive off

external_acl_type NT_global_group %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 90 # metodo
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # CNPq
acl Safe_ports port 3342 #
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED

acl users external NT_global_group "/etc/squid/fapgrp"

http_access deny !Safe_ports
http_access allow CONNECT
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access deny !users
http_access allow users
http_access deny !auth
http_access allow auth


what do you think? if theres a simpler way to get the AD users of the people
browsing i would use that too,

really thanks, Amos!




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

More information about the squid-users mailing list