The following procedures were used on RedHat Enterprise Linux 5.x.
The following previous post outlined how to get the linux server joined to domain and supporting ADS authentication. This link also contains information for RHEL6.x in the comments as well :
Howto Join An Active Directory Server using RHEL5.x/CentOS5.x and Samba 3.0.x
The key is getting the /etc/squid/squid/conf right. I have included the entire configuration used. A lot of the options are not required in all situations. I have a number of things going on here. Many of which I could clean up and make better, but I wanted to leave them in here because I know this configuration works. I actually have three proxy servers (two peers) in the configuration. The configuration forwards the requests to one of the two peers based upon the site accessed. This is probably not required for most deployments.
# cat /etc/squid/squid.conf
# Port squid listens on
http_port 3128
...
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_dir null /tmp
access_log /var/log/squid/access.log common
# To support ADS credentials for access.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
# Begin Group
# To support ADS group membership requirements.
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
# To allow sites that do not work with NTLM. Created a list of sites that do not seem to work using NTLM
# to exclude from authentication requirement.
acl allowsites url_regex -i "/etc/squid/allowedsites.acl"
# Begin Group
# ACLs to get ADS group membership. I have two groups here. One group has unrestricted access
# and the other limited. The ADS groups used here are ProxyAccess and ProxyAccessLimited.
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLimitedWindowsGroup external WindowsGroup ProxyAccessLimited
# End Group
# Begin Facebook test.
# These ACLs are set up to manage which users can access Facebook in this instance.
# List of users.
acl UnRestrictedUsers proxy_auth "/etc/squid/UnRestrictedUsers.acl"
# List of sites allowed to these users.
acl ExcemptedSites url_regex -i "/etc/squid/ExcemptedSites.acl"
# List of managed domains.
acl RestrictedDomains dstdomain "/etc/squid/RestrictedDomains.acl"
# End Facebook test.
# Begin limited access test.
# This is where the specific restrictions are made for the ProxyAccessLimited users.
acl LimitAllowedSites url_regex -i "/etc/squid/LimitAllowedSites.acl"
acl LimitRestrictions dstdomain "/etc/squid/LimitRestrictions.acl"
# End store access test.
acl MyACL proxy_auth REQUIRED
acl java browser java
acl java browser Java
acl broken dstdomain .aa.com
header_access Accept-Encoding deny broken
http_access allow all java
http_access allow all allowsites
# Begin Group
# This will allow users in the ProxyAccessLimited ADS group access to the sites listed in the
# /etc/squid/LimitAllowedSites.acl file, but access to the sites listed in the /etc/squid/LimitRestrictions.acl
# file. Note: a "." in the LimitRestrictions.acl file will limit the users only to the sites listed in the
# LimitAllowedSites.acl file.
http_access allow InLimitedWindowsGroup LimitAllowedSites !LimitRestrictions
# This will allow users in the ProxyAccess ADS group access to any sites, and permits those listed in the
# /etc/squid/UnRestrictedUsers.acl file access to the site listed in the /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup UnRestrictedUsers ExcemptedSites
# This will allow users in the ProxyAccess ADS group access to any sites, except those listed in the
# /etc/squid/ExcemptedSites.acl file.
http_access allow InWindowsGroup !ExcemptedSites
# End Group
http_access deny all
never_direct allow all
# This is where the two peers are defined.
cache_peer myproxy01.domain.com parent 80 0 no-query default
cache_peer myproxy02.domain.com parent 80 0 no-query default
# This determines which peer is going to used based the sites listed in the /etc/squid/RestrictedDomains.acl
# file.
cache_peer_access myproxy01.domain.com deny RestrictedDomains
cache_peer_access myproxy02.domain.com allow RestrictedDomains
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group squid
coredump_dir /var/spool/squid
memory_pools off
half_closed_clients off
The .acl files listed in the configuration are either just a list of usernames (ADS or otherwise), or a list of domains. In the case of the domains, you can use the following syntax to signify all host for a particular domain:
.mydomain.com
Below, I have tried to strip out the other things to demonstrate all that is needed to support proxy access via ADS group membership.
Excerpts from /etc/squid/squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
...
# Begin Group
external_acl_type WindowsGroup ttl=60 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# End Group
...
# Begin Group
acl InWindowsGroup external WindowsGroup ProxyAccess
acl InLocationsWindowsGroup external WindowsGroup ProxyAccessLocations
# End Group
...
# Begin store access test.
acl LocationAllowedSites url_regex -i "/etc/squid/LocationAllowedSites.acl"
acl LocationRestrictions dstdomain "/etc/squid/LocationRestrictions.acl"
# End store access test.
...
acl MyACL proxy_auth REQUIRED
...
# Begin Group
http_access allow InLocationsWindowsGroup LocationAllowedSites !LocationRestrictions
http_access allow InWindowsGroup
# End Group
...
Also, if you want to customize the default access denied page that users receive when they go to a site that they are not permitted to access, you can add you customizations to the /usr/share/squid/errors/English/ERR_ACCESS_DENIED file. I believe you can do a number of other creative things with error pages, but I have not looked in to that.
If you want to add/remove sites from the files, you just need to issue a “service squid reload” to activate the new settings.