Squid

From Q
Jump to navigation Jump to search

Description

Now that our Samba is connected to our Windows ADS we can start to authentificate our Squid users against Windows ADS Accounts and/or Groups.

In this setup we also have an additional caching firewall proxy content-filter (cache_peer) infront of our Squid machine.

We also enable SNMP queries which we can feed to MRTG to produce nice graphs later on.

Dependencies

USE-Flags

File: /etc/portage/package.use
net-proxy/squid kerberos samba snmp

Installation

# emerge squid

Allow squid to use samba winbind by changing group ownership of the winbindd_privileged directory to the group squid runs under.

# chown root:squid /var/cache/samba/winbindd_privileged
# chmod 750 /var/cache/samba/winbindd_privileged

Configuration

File: /etc/squid/squid.conf

TAG: external_acl_type

# check logged in users group membership using wbinfo from samba
external_acl_type NT_global_group children-max=20 ttl=900 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl
  • TAG: auth_param
# NTLM authentification (automatic authentification against AD)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20 startup=0 idle=1
auth_param ntlm keep_alive on
# Basic authentification (manual user/password authentification against AD)
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20 startup=5 idle=1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
  • TAG: acl
# Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
# acl <aclname> <acltype> <definition>
# Members of the ADS group WWW
acl ProxyUsers external NT_global_group WWW
# Need to be authorized
acl AuthorizedUsers proxy_auth REQUIRED
# Domains accessible via our intranet
acl local-servers dstdomain .intra .intranet
# IP's accessible via our intranet
acl local-network dst 10.0.0.0/8
# SNMP access
acl snmppublic snmp_community public

# Comment out, we don't want access for the whole localnet
#acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16        # RFC1918 possible internal network
#
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
  • TAG: http_access
# Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Comment out, we don't want access for the whole localnet
#http_access allow localnet

# Allow the localhost to have access by default
http_access allow localhost
# Allow intranet access for unauthorized/all users
http_access allow local-servers
http_access allow local-network
# Allow access for authorized users
http_access allow AuthorizedUsers ProxyUsers

# And finally deny all other access to this proxy
http_access deny all
  • TAG: icp_access
# Comment out since we don't have a localnet acl anymore
#icp_access allow localnet
icp_access deny all
  • TAG: htcp_access
# Comment out since we don't have a localnet acl anymore
#htcp_access allow localnet
htcp_access deny all
  • TAG: http_port
# Squid normally listens to port 3128
http_port 3128
  • TAG: cache_peer
# Optional: Tell our Squid to send everything to our content-filter/firewall gateway
# Comment this out if you don't have another proxy infront of Squid
cache_peer fw.yourdomain.local parent 8080 7 no-query no-delay default
  • TAG: hierarchy_stoplist
hierarchy_stoplist cgi-bin ?
  • TAG: access_log
access_log /var/log/squid/access.log squid
  • TAG: refresh_pattern
# Suggested default:
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
  • TAG: cache_mgr
cache_mgr administrator@yourdomain.local
  • TAG: snmp_port
# Make our Squid listen for SNMP queries on port 3401
snmp_port 3401
  • TAG: snmp_access
# Allow localhost to query our Squid and deny all others
snmp_access allow snmppublic localhost
snmp_access deny all
  • TAG: icp_port
icp_port 3130
  • TAG: error_directory
# Localize our error messages
error_directory /usr/share/squid/errors/German
  • TAG: always_direct
# Optional: Only required when using a cache_peer
# Tell Squid to bypass our cache_peer for our local servers and networks
always_direct allow local-servers
always_direct allow local-network
  • TAG: never_direct
# Optional: Only required when using a cache_peer
# Tell Squid to use our cache_peer for everything else
never_direct allow all
  • TAG: forwarded_for
forwarded_for off
  • TAG: coredump_dir
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

Finalize

# /etc/init.d/squid start
# rc-update add squid default

Testing

# snmpwalk -Cc -v1 -c public -m /usr/share/squid/mib.txt localhost:3401 .1.3.6.1.4.1.3495

Issues & Fixes

cache.log: WARNING: All xx/xx ntlmauthenticator processes are busy

2013/05/23 07:47:01 kid1| WARNING: All 35/35 ntlmauthenticator processes are busy.
2013/05/23 07:47:01 kid1| WARNING: 35 pending requests queued
2013/05/23 07:47:01 kid1| WARNING: Consider increasing the number of ntlmauthenticator processes in your config file.

Raise the children limit to a value which suits your needs.

File: /etc/squid/squid.conf

TAG: auth_param

auth_param ntlm children 100 startup=10 idle=5

cache.log: WARNING! Your cache is running out of filedescriptors

First you need to raise the allowed system limits, see File descriptor.

File: /etc/squid/squid.conf

TAG: max_filedescriptors

max_filedesc 4096
# squidclient mgr:info
File descriptor usage for squid:
        Maximum number of file descriptors:   4096
        Largest file desc currently in use:    945
        Number of file desc currently in use:  926
        Files queued for open:                   0
        Available number of file descriptors: 3170
        Reserved number of file descriptors:   100
        Store Disk files open:                   0

Further Reading

  • MRTG - Get nice graphs out of your SNMP data