{"id":678,"date":"2012-01-20T11:55:11","date_gmt":"2012-01-20T18:55:11","guid":{"rendered":"http:\/\/jim-zimmerman.com\/?p=678"},"modified":"2012-01-20T12:58:52","modified_gmt":"2012-01-20T19:58:52","slug":"how-to-blockallow-proxy-access-via-squid-proxy-using-ads-authentication","status":"publish","type":"post","link":"https:\/\/jim-zimmerman.com\/?p=678","title":{"rendered":"How to block\/allow proxy access via squid proxy using ADS authentication and group membership."},"content":{"rendered":"

The following procedures were used on RedHat Enterprise Linux 5.x.<\/p>\n

The following previous post outlined how to get the linux server joined to domain and supporting ADS authentication. This link also contains information for RHEL6.x in the comments as well :<\/p>\n

Howto Join An Active Directory Server using RHEL5.x\/CentOS5.x and Samba 3.0.x<\/a><\/p>\n

The key is getting the \/etc\/squid\/squid\/conf right. I have included the entire configuration used. A lot of the options are not required in all situations. I have a number of things going on here. Many of which I could clean up and make better, but I wanted to leave them in here because I know this configuration works. I actually have three proxy servers (two peers) in the configuration. The configuration forwards the requests to one of the two peers based upon the site accessed. This is probably not required for most deployments.<\/p>\n

# cat \/etc\/squid\/squid.conf<\/p>\n

# Port squid listens on
\nhttp_port 3128
\n...
\nhierarchy_stoplist cgi-bin ?<\/p>\n

acl QUERY urlpath_regex cgi-bin \\?
\ncache deny QUERY<\/p>\n

acl apache rep_header Server ^Apache
\nbroken_vary_encoding allow apache<\/p>\n

cache_dir null \/tmp<\/p>\n

access_log \/var\/log\/squid\/access.log common<\/p>\n

# To support ADS credentials for access.
\nauth_param ntlm program \/usr\/bin\/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
\nauth_param ntlm children 10
\nauth_param ntlm keep_alive on<\/p>\n

# Begin Group
\n# To support ADS group membership requirements.
\nexternal_acl_type WindowsGroup ttl=60 children=5 %LOGIN \/usr\/lib\/squid\/wbinfo_group.pl
\n# End Group <\/p>\n

refresh_pattern ^ftp:\t\t1440\t20%\t10080
\nrefresh_pattern ^gopher:\t1440\t0%\t1440
\nrefresh_pattern .\t\t0\t20%\t4320<\/p>\n

acl all src 0.0.0.0\/0.0.0.0
\n# To allow sites that do not work with NTLM. Created a list of sites that do not seem to work using NTLM
\n# to exclude from authentication requirement.
\nacl allowsites url_regex -i \"\/etc\/squid\/allowedsites.acl\"<\/p>\n

# Begin Group
\n# ACLs to get ADS group membership. I have two groups here. One group has unrestricted access
\n# and the other limited. The ADS groups used here are ProxyAccess and ProxyAccessLimited.
\nacl InWindowsGroup external WindowsGroup ProxyAccess
\nacl InLimitedWindowsGroup external WindowsGroup ProxyAccessLimited
\n# End Group <\/p>\n

# Begin Facebook test.
\n# These ACLs are set up to manage which users can access Facebook in this instance.
\n# List of users.
\nacl UnRestrictedUsers proxy_auth \"\/etc\/squid\/UnRestrictedUsers.acl\"
\n# List of sites allowed to these users.
\nacl ExcemptedSites url_regex -i \"\/etc\/squid\/ExcemptedSites.acl\"
\n# List of managed domains.
\nacl RestrictedDomains dstdomain \"\/etc\/squid\/RestrictedDomains.acl\"
\n# End Facebook test.<\/p>\n

# Begin limited access test.
\n# This is where the specific restrictions are made for the ProxyAccessLimited users.
\nacl LimitAllowedSites url_regex -i \"\/etc\/squid\/LimitAllowedSites.acl\"
\nacl LimitRestrictions dstdomain \"\/etc\/squid\/LimitRestrictions.acl\"
\n# End store access test.<\/p>\n

acl MyACL proxy_auth REQUIRED
\nacl java browser java
\nacl java browser Java<\/p>\n

acl broken dstdomain .aa.com
\nheader_access Accept-Encoding deny broken <\/p>\n

http_access allow all java
\nhttp_access allow all allowsites<\/p>\n

# Begin Group
\n# This will allow users in the ProxyAccessLimited ADS group access to the sites listed in the
\n# \/etc\/squid\/LimitAllowedSites.acl file, but access to the sites listed in the \/etc\/squid\/LimitRestrictions.acl
\n# file. Note: a \".\" in the LimitRestrictions.acl file will limit the users only to the sites listed in the
\n# LimitAllowedSites.acl file.
\nhttp_access allow InLimitedWindowsGroup LimitAllowedSites !LimitRestrictions
\n# This will allow users in the ProxyAccess ADS group access to any sites, and permits those listed in the
\n# \/etc\/squid\/UnRestrictedUsers.acl file access to the site listed in the \/etc\/squid\/ExcemptedSites.acl file.
\nhttp_access allow InWindowsGroup UnRestrictedUsers ExcemptedSites
\n# This will allow users in the ProxyAccess ADS group access to any sites, except those listed in the
\n# \/etc\/squid\/ExcemptedSites.acl file.
\nhttp_access allow InWindowsGroup !ExcemptedSites
\n# End Group <\/p>\n

http_access deny all
\nnever_direct allow all
\n# This is where the two peers are defined.
\ncache_peer myproxy01.domain.com<\/em> parent 80 0 no-query default
\ncache_peer myproxy02.domain.com<\/em> parent 80 0 no-query default<\/p>\n

# This determines which peer is going to used based the sites listed in the \/etc\/squid\/RestrictedDomains.acl
\n# file.
\ncache_peer_access myproxy01.domain.com<\/em> deny RestrictedDomains
\ncache_peer_access myproxy02.domain.com<\/em> allow RestrictedDomains<\/p>\n

acl manager proto cache_object
\nacl localhost src 127.0.0.1\/255.255.255.255
\nacl to_localhost dst 127.0.0.0\/8
\nacl SSL_ports port 443
\nacl Safe_ports port 80\t\t# http
\nacl Safe_ports port 21\t\t# ftp
\nacl Safe_ports port 443\t\t# https
\nacl Safe_ports port 70\t\t# gopher
\nacl Safe_ports port 210\t\t# wais
\nacl Safe_ports port 1025-65535\t# unregistered ports
\nacl Safe_ports port 280\t\t# http-mgmt
\nacl Safe_ports port 488\t\t# gss-http
\nacl Safe_ports port 591\t\t# filemaker
\nacl Safe_ports port 777\t\t# multiling http
\nacl CONNECT method CONNECT<\/p>\n

http_access allow manager localhost
\nhttp_access deny manager
\nhttp_access deny !Safe_ports
\nhttp_access deny CONNECT !SSL_ports
\nhttp_access allow localhost
\nhttp_access deny all<\/p>\n

http_reply_access allow all<\/p>\n

icp_access allow all<\/p>\n

cache_effective_group squid<\/p>\n

coredump_dir \/var\/spool\/squid<\/p>\n

memory_pools off<\/p>\n

half_closed_clients off
\n<\/code><\/p>\n

The .acl files listed in the configuration are either just a list of usernames (ADS or otherwise), or a list of domains. In the case of the domains, you can use the following syntax to signify all host for a particular domain:<\/p>\n

.mydomain.com
\n<\/code><\/p>\n

Below, I have tried to strip out the other things to demonstrate all that is needed to support proxy access via ADS group membership.<\/p>\n

Excerpts from \/etc\/squid\/squid.conf:
\nauth_param ntlm program \/usr\/bin\/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
\nauth_param ntlm children 10
\nauth_param ntlm keep_alive on
\n...
\n# Begin Group
\nexternal_acl_type WindowsGroup ttl=60 children=5 %LOGIN \/usr\/lib\/squid\/wbinfo_group.pl
\n# End Group
\n...
\n# Begin Group
\nacl InWindowsGroup external WindowsGroup ProxyAccess
\nacl InLocationsWindowsGroup external WindowsGroup ProxyAccessLocations
\n# End Group
\n...
\n# Begin store access test.
\nacl LocationAllowedSites url_regex -i \"\/etc\/squid\/LocationAllowedSites.acl\"
\nacl LocationRestrictions dstdomain \"\/etc\/squid\/LocationRestrictions.acl\"
\n# End store access test.
\n...
\nacl MyACL proxy_auth REQUIRED
\n...
\n# Begin Group
\nhttp_access allow InLocationsWindowsGroup LocationAllowedSites !LocationRestrictions
\nhttp_access allow InWindowsGroup
\n# End Group
\n...<\/code><\/p>\n

Also, if you want to customize the default access denied page that users receive when they go to a site that they are not permitted to access, you can add you customizations to the \/usr\/share\/squid\/errors\/English\/ERR_ACCESS_DENIED file. I believe you can do a number of other creative things with error pages, but I have not looked in to that.<\/p>\n

If you want to add\/remove sites from the files, you just need to issue a “service squid reload<\/em>” to activate the new settings.<\/p>\n","protected":false},"excerpt":{"rendered":"

The following procedures were used on RedHat Enterprise Linux 5.x. The following previous post outlined how to get the linux server joined to domain and supporting ADS authentication. This link also contains information for RHEL6.x in the comments as well : Howto Join An Active Directory Server using RHEL5.x\/CentOS5.x and Samba 3.0.x The key is [&hellip<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[83,40,239,48,50,86],"class_list":["post-678","post","type-post","status-publish","format-standard","hentry","category-documentation","tag-ads","tag-centos","tag-groups","tag-linux","tag-redhat","tag-squid"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/678","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=678"}],"version-history":[{"count":4,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/678\/revisions"}],"predecessor-version":[{"id":682,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/678\/revisions\/682"}],"wp:attachment":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=678"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=678"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=678"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}