These are the base packages for squid proxy. Winbind is much easier to configure than ldap since you don't have to install anything on the MS Active Directory server.
# apt-get install squid winbind krb5-user
These packages provide content filtering and reporting capabilities.
# apt-get install squid-guard chastity-list sarg apache
You will need to edit some of the configuration files but once running, you can leave it alone.
edris ampuan wrote:
Dear Pluggers,
We're currently evaluating Squid2.5 and ISA 2004.
However, we can't make (Squid2.5/Fedora3) authenticate to Windows 2003 Active Directory using squid_ldap_auth. We've followed several internet howto's but can't get past the logon screen.
We're attaching the squid.conf for you to see if we missed anything. Thanks in Advance.
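########################################################################
# NOTE(review): this listing was collapsed in the original post. Directives
# are restored one per line, and the problems that would keep it from
# parsing or authenticating are corrected; each is marked NOTE(review).

# Squid's default port is 3128; this proxy listens on 8080
http_port 8080
visible_hostname cache.kfmc.med
# disable icp
icp_port 0

# the WebCleaner parent proxy
# Remember to configure WebCleaner to run on port 8080 or change the
# port number below
#cache_peer 127.0.0.1 parent 8080 0 no-query no-digest
cache_peer proxy.alharbitelecom.com parent 8080 0 no-query default

# if you enabled a WebCleaner user and password use this instead:
#cache_peer proxy.alharbitelecom.com parent 8080 0 no-query no-digest login=myuser:mypassword

# some acls
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# proxy authentication examples; if you use one of these, also enable the
# "myauth" acl below
# note: used paths are for a Debian Linux system, adjust as needed

# Squid LDAP authentication (Basic scheme, checked against Active Directory)
# NOTE(review): -w puts the bind password on the helper command line, so it
# is readable in squid.conf and in the process list. If the installed
# squid_ldap_auth supports -W <secretfile>, keep the password in a file
# readable only by the Squid user. The bind DN looks like a personal
# account; a dedicated read-only bind account is the safer choice.
# NOTE(review): Basic credentials and a plain LDAP bind both cross the
# network unencrypted; check the helper's TLS option (-Z) against what the
# domain controller accepts.
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=kfmc,dc=med" -D "cn=lbenitez,cn=Users,dc=kfmc,dc=med" -w "password" -f sAMAccountName=%s -h 10.20.4.20
auth_param basic children 5
auth_param basic realm KFMC.MED
auth_param basic credentialsttl 6 minutes

# Configuring group-based Internet access
# NOTE(review): the posted filter had unbalanced parentheses, "memberoff"
# instead of memberOf, and no closing quote, so the helper could never match
# a group. The whole directive must also sit on a single line.
# NOTE(review): the bind DN uses cn=Users while the group DN uses ou=Users;
# confirm which container actually holds the group in this directory.
external_acl_type InetGroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=kfmc,dc=med" -D "cn=lbenitez,cn=Users,dc=kfmc,dc=med" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberOf=cn=%a,ou=Users,dc=kfmc,dc=med))" -h 10.20.4.21

# NOTE(review): the post declared "acl localnet proxy_auth REQUIRED src
# 10.20.0.0/16". One acl cannot mix types, and localnet is declared again
# below as a src acl. The authentication requirement gets its own acl.
acl myauth proxy_auth REQUIRED
acl InetAccess external InetGroup kfmc

# Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.20.0.0/16
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 631         # cups
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
# NOTE(review): CONNECT was commented out but is referenced by an
# http_access rule below; an undefined acl name is a configuration error.
acl CONNECT method CONNECT
#acl FTP proto FTP

# Only allow cachemgr access from localhost
# NOTE(review): the posted rules had no "deny manager", so cache manager
# requests from other hosts fell through to the later allow rules.
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
# NOTE(review): posted as "http_access allow purge # localhost". With
# localhost commented out, any client could purge cached objects.
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# my own rules
# NOTE(review): "http_access allow all localhost localnet" ANDs two source
# acls that cannot both match, and the group rule sat above the acl
# definitions and the port restrictions. LAN clients must now authenticate
# and belong to the "kfmc" group; the proxy host itself is allowed.
http_access allow localhost
http_access allow localnet myauth InetAccess
# And finally deny all other access to this proxy
http_access deny all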

