[squid-users] Squid V 3.5.23 authenticating in AD: User names not showing in log

Amos Jeffries squid3 at treenet.co.nz
Fri May 17 03:06:17 UTC 2019


On 2019-05-17 05:36, Rafael Silva Daniel wrote:
> 
> 
> http_port 3128
> 
> dns_nameservers XXXXXXX
> visible_hostname proxy
> cache_dir ufs /var/spool/squid 100 16 256
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> strip_query_terms off
> err_html_text /usr/share/squid-langpack/pt-br/

The above directive has not been supported since Squid-3.1. Please 
remove.

You seem to be wanting that pt-br to be your default error page 
language?

If that is correct, then use this instead:
   error_default_language pt-br


> url_rewrite_program /usr/bin/squidGuard
> 
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
> --helper-protocol=squid-2.5-ntlmssp --domain=FAPEMIG
> auth_param ntlm children 100
> auth_param ntlm keep_alive off
> 
> external_acl_type NT_global_group %LOGIN 
> /usr/lib/squid/ext_wbinfo_group_acl
> 
> acl SSL_ports port 443
> acl SSL_ports port 8443
> acl Safe_ports port 80 # http
> acl Safe_ports port 90 # metodo
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080 # CNPq
> acl Safe_ports port 3342 #

8080 and 3342 are already part of the 1024-65535 range. You can remove 
them from the above list.


> acl CONNECT method CONNECT
> acl auth proxy_auth REQUIRED
> 
> acl users external NT_global_group "/etc/squid/fapgrp"
> 
> http_access deny !Safe_ports
> http_access allow CONNECT

Here is the problem, exactly as suspected. The above line is supposed to 
be:
   http_access deny CONNECT !SSL_Ports

After this change alone you will find that HTTPS is only accessible to 
users once they login.

If you then find out some CONNECT tunnels need to go to any other ports, 
then you can add those numbers to the SSL_Ports list.
Just be careful and investigate whether that is a real need first due to 
how CONNECT lets arbitrary traffic through the proxy.


> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost

NP: traffic from localhost (127.0.0.1/8 or [::1]/128 IP ranges) will not 
be logged with a username.

> http_access deny !users
> http_access allow users
> http_access deny !auth
> http_access allow auth
> 

"allow users" is redundant with "allow auth". And users test relies on 
auth having already happened.

I would reorder these few lines to be:

  http_access deny !auth
  http_access deny !users
  http_access allow auth

That removes several helper lookups from being needed, which gives a 
small performance gain.
NTLM is still the worst cause of delays with this whole setup though.


> 
> what do you think? if theres a simpler way to get the AD users of the 
> people
> browsing i would use that too,
> 

I recommend you start looking into Kerberos authentication against AD.
While it's not exactly simpler for admin, it is a huge performance boost 
and security improvement.

Microsoft also officially deprecated NTLM in 2006 and has been formally 
removing support from their software since Vista.
So there is future-proofing the network security system as another gain.

Amos
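
For reference, below is the poster's ACL and http_access section assembled with every change recommended in the reply above (err_html_text replaced by error_default_language, 8080 and 3342 dropped from Safe_ports, "allow CONNECT" replaced by "deny CONNECT !SSL_ports", and the auth/users rules reordered). This is an added example, not text from either message: the ACL names, ports and helper definitions are the poster's own, and the closing "http_access deny all" is Squid's usual final rule and is an addition here, not something the posted config showed.

```conf
# Added example: the poster's access rules with the reply's corrections applied.
# ACL names, ports and helpers are the poster's; "deny all" at the end is an
# assumption (Squid's customary closing rule), not part of the posted config.

error_default_language pt-br            # replaces the unsupported err_html_text

acl SSL_ports port 443
acl SSL_ports port 8443
acl Safe_ports port 80 # http
acl Safe_ports port 90 # metodo
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports (already covers 8080 and 3342)
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED
acl users external NT_global_group "/etc/squid/fapgrp"

http_access deny !Safe_ports
# Was "http_access allow CONNECT": that matched every tunnel before any auth
# rule ran, so HTTPS needed no login and the log had no user name for it.
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost            # never logged with a user name
# Authenticate first so %LOGIN is known to the external group helper,
# then check group membership, then allow.
http_access deny !auth
http_access deny !users
http_access allow auth
http_access deny all                   # assumption: explicit final deny
```

Run "squid -k parse" against the edited squid.conf before reloading to catch typos; after the reload, CONNECT requests to 443 fall through to the "deny !auth" line, so they are challenged and the access log carries the authenticated user name, which is what the poster was missing.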

