Thread: Authentication via Windows domain in proxy server

  1. #1
    Join Date
    Jul 2010
    Posts
    32

    Authentication via Windows domain in proxy server

    I have learnt before that Squid lets the users in the LAN use the services provided by an open proxy. Each station can be on the local net. To prevent, for example, visitors or even uninvited guests from using the services of the proxy, there is no way around authenticating the user. Squid has a number of ways to do this. So I want to know about the simple authentication that can be done in proxy servers. I also want to do authentication via a Windows domain. So I am posting here, expecting you people will help me. All I want is to know about authentication via a Windows domain in a proxy server. I would be grateful for more information about authentication.

  2. #2
    Join Date
    Feb 2009
    Posts
    71

    Re: Authentication via Windows domain in proxy server

    The simplest form of authentication is equivalent to the one the Apache web server uses by default. It makes use of the module ncsa_auth, which is produced when the Squid sources are compiled and is stored in /opt/squid/sbin. NCSA authentication takes its information on allowed user IDs and their associated passwords from a text file. This file can easily be generated with the htpasswd utility from the existing Apache package (htpasswd2 on Suse Linux with Apache 2.0.x installed):

    Code:
    cd /etc/squid
    htpasswd -bc proxy_user testuser password
    This command creates the file /etc/squid/proxy_user and adds to it an account for the user "testuser" with the password "password". Now enable the authentication by editing, in the file /etc/squid/squid.conf, the block of keywords for Basic Authentication to read:

    Code:
    auth_param basic program /opt/squid/sbin/ncsa_auth /etc/squid/proxy_user
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    It is sufficient to remove the comment character preceding the first line and to supplement it with the call of the ncsa_auth module and, as a parameter, the path to the file containing the user accounts.

  3. #3
    Join Date
    Apr 2009
    Posts
    79

    Re: Authentication via Windows domain in proxy server

    Although the authentication is now armed, it is not yet used by Squid. For unauthenticated users to really be denied, two modifications to the configuration are necessary. They are made at the point where you previously enabled your local network for access via the proxy:
    Code:
    acl our_networks src 192.168.1.0/24
    acl AUTH_USER proxy_auth REQUIRED
    http_access allow our_networks AUTH_USER
    The newly inserted line acl AUTH_USER ... means that the user must log in to the proxy itself. Extending the following line with the parameter AUTH_USER specifies that only those users get access to the proxy who are authenticated and have an IP address from the pool. Squid detects a newly configured authentication method only after a reboot. Therefore, when changing the authentication method it is always necessary to stop the proxy server and start it anew.

  4. #4
    Join Date
    Apr 2009
    Posts
    68

    Re: Authentication via Windows domain in proxy server

    Now, it is not really effective to manage user access directly on the proxy server. After all, most networks already have a central user directory, usually in the form of a Windows domain. Squid can use this, too, to authenticate the user. To do this, simply replace the authentication helper ncsa_auth with the module msnt_auth. The entry in the configuration file /etc/squid/squid.conf is then:
    Code:
    auth_param basic program /opt/squid/sbin/msnt_auth
    In addition, edit the file /etc/squid/msntauth.conf, or create it if it does not exist. A maximum of three lines is enough for a working setup:
    Code:
    server <fqdn.of.pdc> <fqdn.of.bdc> <domainname>
    allowusers /etc/squid/allowed_users
    denyusers /etc/squid/denied_users
    For the <fqdn...> parameters, state the complete name of the host, including the domain, for example pdc.mydomain.nt. It is not enough to write only the host name, and IP addresses are not allowed. If no backup domain controller exists in your network, just enter the PDC a second time.

  5. #5
    Join Date
    Apr 2009
    Posts
    65

    Re: Authentication via Windows domain in proxy server

    I would like to comment on some more things in "Suzane's" post. Of special importance are the two files mentioned, allowed_users and denied_users. If the former is absent or empty, all users known to the domain controllers are generally authorized, unless the account is listed in the denied_users file. If allowed_users contains entries, however, then only the named users get access to the proxy. If an account is listed in both files, the user receives no access, because the deny list takes precedence over the allow list.

  6. #6
    Join Date
    Jan 2009
    Posts
    120

    Re: Authentication via Windows domain in proxy server

    As you may have noticed, the keyword acl plays a central role in the control of access rights. Its task is to provide Squid with a variety of Access Control Lists (ACLs), whose information is evaluated later by the access commands. Unfortunately, the ACL system of Squid is as complex as it is powerful. An example clarifies this: we assume you want to unlock access to Web-only content for all users, but only during normal working hours. In addition, certain users will also have the ability to retrieve data via FTP. First you need to change the default for the safe ports. You can find these in the Squid configuration by searching for the string acl Safe_ports. Here, comment out all entries except port 80. Additionally, an entry for FTP is to be made.

  7. #7
    Join Date
    Dec 2008
    Posts
    112

    Re: Authentication via Windows domain in proxy server

    You also need additional ACL definitions in order to identify the legitimate users for FTP and define the permitted times, as well as advanced filter rules. What have we now defined, exactly? First, the ACL ftp_port defines its own port range so that it can later be selected. The additional definition in the group Safe_ports prevents an ACL clause included in the default configuration from blocking access to the FTP port. The ACL ftp_user defines a subset of the authenticated users; the ACL inet_time determines the times when Internet access is granted at all. First, the filter is applied that checks whether access to the FTP port should be granted. If not, the next rule blocks the FTP ports completely. The remaining rules ensure that only authenticated users receive access to the remaining ports, in our case port 80 for HTTP requests.
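
The rule set described in posts #6 and #7, written out as a squid.conf fragment. This is an added example, not configuration posted by anyone in the thread. The ACL names ftp_port, ftp_user, inet_time, Safe_ports, our_networks and AUTH_USER come from the posts; the account names, the FTP port number 21 and the working hours are assumptions.

```conf
# Added example. Accounts, port 21 and the time window are assumed values.

# From post #3: local network and "any authenticated user"
acl our_networks src 192.168.1.0/24
acl AUTH_USER proxy_auth REQUIRED

# Post #6: reduce the safe ports to HTTP and add an entry for FTP.
# Every other default "acl Safe_ports port ..." line is commented out.
acl Safe_ports port 80
acl Safe_ports port 21

# Post #7: FTP gets its own ACL so that rules can select it separately
acl ftp_port port 21

# Subset of the authenticated users who may use FTP (hypothetical accounts)
acl ftp_user proxy_auth alice bob

# Times at which Internet access is granted at all
# M T W H F = Monday to Friday; the hours are an assumed working day
acl inet_time time MTWHF 08:00-17:00

# Default clause: anything outside Safe_ports is refused
http_access deny !Safe_ports

# Nothing is allowed outside the permitted times
http_access deny !inet_time

# 1. FTP only for the named users from the local network
http_access allow our_networks ftp_port ftp_user

# 2. Everyone else is blocked from the FTP port completely
http_access deny ftp_port

# 3. Remaining ports (here: 80) for any authenticated local user
http_access allow our_networks AUTH_USER

# 4. Explicit final rule so the result never depends on Squid's implicit default
http_access deny all
```

Squid evaluates http_access lines top to bottom and stops at the first match, so the FTP allow rule has to come before the FTP deny rule. `squid -k parse` checks the file for syntax errors before the proxy is restarted.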
