  1. #1
    Bullet333

    Squid Proxy Server issues

    Hello,

    I'm new to these forums but have used many threads through my process of creating my Squid Proxy server for my company. I'm glad to finally be a part of the community.

    First off I have a Squid Proxy Server installed on Ubuntu as a VM on Hyper-V with Windows Server 2008 R2. My company has one PDC and one DC, which also acts as the DNS. We've been having a lot of security issues recently and I wanted to try my hand at setting up a Web Filtering server (which is my first Linux server ever built). I spent about a week setting it up and wrote down my process of how I did it. I used DansGuardian as the Web Filter with Bannerfilter.

    Now I originally had the Squid Server working fine for a week until I attempted to join and authenticate it with my Windows Domain. That's when all hell broke loose! Users can no longer browse the internet using HTTP (although HTTPS works, Dansguardian doesn't filter it). I did modify my squid.conf a lot to further improve the security from my previous ~5 lined squid.conf that worked before. I will link it below:

    Code:
    visible_hostname squid
    http_port 3128
    hierarchy_stoplist cgi-bin ?
    
    
    acl all src all
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563 21
    acl Safe_ports port 80 #http
    acl Safe_ports port 21 #ftp
    acl Safe_ports port 443 563 #https, snews
    acl Safe_ports port 70 #gopher
    acl Safe_ports port 210 #wais
    acl Safe_ports port 1025-65535 #unregistered ports
    acl Safe_ports port 280 #http-mgmt
    acl Safe_ports port 488 #gss-http
    acl Safe_ports port 591 #filemaker
    acl Safe_ports port 777 #multiling http
    acl CONNECT method CONNECT
    
    
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_reply_access allow all
    
    
    acl FTP proto FTP
    always_direct allow FTP
    
    
    cache_mgr email@domain.com
    cache_effective_user squid
    cache_effective_group squid

    I removed several of the authentication ACLs in order to troubleshoot further, but what I've found is that I can only access the internet through HTTP if I add 'http_access allow all' above 'http_access allow manager localhost'. I've spent an entire day trying to figure out what the problem is and even restored back to my older config that used to work but no longer does.

    Code:
    cache_mem 4 MB
    cache_swap_low 85
    cache_swap_high 90
    # note read the config file about this and adjust it
    # to what your disk(s) can do, and allow for log files
    cache_dir ufs /var/log/squid3/ 100 16 256
    cache_access_log /var/log/squid3/access.log
    cache_log /var/log/squid3/cache.log
    cache_store_log /var/log/squid3/store.log
    pid_filename /var/run/squid.pid
    
    
    # note: you may need to increase children based on your number of users
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 15
    # ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
    
    
    # warning: basic authentication sends passwords plaintext
    # a network sniffer can and will discover passwords
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

    I have Samba, Winbind, Webmin and all updates. Since I restored I still have to install Kerberos, but it worked fine before without it so I'm not so worried about that. Can someone please assist me or point me in the right direction? I really don't know what else to do!

    Thank you.

  2. #2
    cpjitservices
    The easier option for you might be to download pfsense, it has squid and dansguardian packages built in but it's got a nice GUI and to the average user looks like a router interface like you'd have at home so it's fairly simple. Pf also has Firewalling and VPN.

    It's free to use, download the ISO and install in a VM or use an old machine.

    pfSense Open Source Firewall Distribution - Home

    I have implemented this at a pretty large company, over 1000 users on an IBM server, it also serves Captive Portal for WiFi, It's easier to get up and running and to manage and I believe you can integrate it into AD although never tried.

    Good Luck.

  3. #3
    tom_newton
    Squid authentication is a well known minefield of difficulty. Sometimes virtual machines suffer clock drift; if there's a differential between squid, the AD, and your clients, things will not work.

    I should also mention that Smoothwall is an alternative to the "DIY" route: we do an all-in-one appliance including Squid and (proprietary software) Dansguardian3 that will make your life a bunch easier, at the cost of a few pictures of presidents. Drop me a PM/email if you want a quote.

    Tom

  4. #4
    Bullet333
    I appreciate the replies but I'm not that interested in replacing my problem. I already have a firewall and VPN, so I'd rather solve the issue. I can supply you with more information if required.

    The proxy doesn't have to be authenticated with my domain as that would have just been a bonus feature. Do you guys think it is related to my ACLs? Considering when I add the 'http_access allow all', the internet works but doesn't get filtered. When I remove that ACL there is no HTTP access.

  5. #5
    nathan
    Quote Originally Posted by cpjitservices View Post
    The easier option for you might be to download pfsense, it has squid and dansguardian packages built in but it's got a nice GUI and to the avergae user looks like a router interface like you'd have at home so it's fairly simple. Pf also has Firewalling and VPN.
    Just been looking at pfsense and can't see any mention of dansguardian?

  6. #6
    cpjitservices
    Quote Originally Posted by nathan View Post
    Just been looking at pfsense and can't see any mention of dansguardian?
    Trust me, it's in there, it's in the package manager!! I'm using it through pfsense right now!

    I'm sure other people who use it also use DG on pfsense.

    pfSense & DansGuardian with Transparent Proxy - YouTube

  7. #7
    Geoff
    I know a little late (this isn't the right forum for this, hence why I didn't notice it). But you have no http_access rule to allow any connections other than from localhost. You need something like this as part of your ACL chain to allow authenticated users to use the proxy.

    Code:
    acl http proto HTTP          # 'http' and 'port_80' were not defined in the posted config
    acl port_80 port 80
    acl authenticated_users proxy_auth REQUIRED
    http_access allow http port_80 authenticated_users

    Any other problems are caused by your auth helpers not working. You can manually run the auth helpers from the command line to debug that.
    Last edited by Geoff; 19th April 2013 at 09:08 PM.
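To see why the chain posted in #1 denies every LAN client, why an extra allow line for authenticated users fixes it, and what the 'http_access allow all' workaround really does, here is an added toy evaluator of Squid's http_access semantics written for this thread (not Squid's code and not from any poster). It assumes a constructed LAN client at 192.168.1.10 and a user named alice, and reduces the posted config to the ACL lines that matter.

```python
# Added toy model of Squid's http_access evaluation: the first http_access line whose ACLs
# all match wins; if none matches, the default is the opposite of the last line's action.
import ipaddress
from collections import namedtuple
Request = namedtuple("Request", "src port proto user", defaults=("HTTP", None))  # user: valid proxy login

def parse(conf):  # collect acl definitions (same-name lines merge) and http_access rules
    acls, rules = {}, []
    for raw in conf.splitlines():
        w = raw.split("#", 1)[0].split()
        if w[:1] == ["acl"]:
            acls.setdefault(w[1], []).append((w[2], w[3:]))
        elif w[:1] == ["http_access"]:
            rules.append((w[1], w[2:]))
    return acls, rules

def acl_matches(entries, req):  # only the ACL types used in the posted config are modelled
    for kind, args in entries:
        if kind == "src" and any(a == "all" or ipaddress.ip_address(req.src)
                                 in ipaddress.ip_network(a, strict=False) for a in args):
            return True
        if kind == "port" and any(int(a.partition("-")[0]) <= req.port
                                  <= int(a.partition("-")[2] or a) for a in args):
            return True
        if (kind == "proto" and req.proto in args) or (kind == "proxy_auth" and req.user is not None):
            return True
    return False

def decide(conf, req):
    """Return 'allow' or 'deny' for req under conf's http_access chain."""
    acls, rules = parse(conf)
    for action, terms in rules:  # a '!' term holds when its ACL does NOT match
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if not rules or rules[-1][0] == "allow" else "allow"

# Constructed from the first squid.conf in the thread (Safe_ports merged, CONNECT rule omitted).
OP_CONF = """acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow localhost
"""
FIXED_CONF = OP_CONF + "acl authenticated_users proxy_auth REQUIRED\nhttp_access allow authenticated_users\n"
ALLOW_ALL_CONF = "acl all src all\nhttp_access allow all\n" + OP_CONF  # the thread's workaround
LAN_ANON = Request("192.168.1.10", 80)                         # LAN user, no credentials
LAN_AUTH = Request("192.168.1.10", 80, user="alice")           # LAN user, authenticated
LAN_MGR = Request("192.168.1.10", 3128, proto="cache_object")  # cache-manager request from LAN
```

With OP_CONF every LAN request falls off the end of the chain and is denied; with FIXED_CONF only authenticated users get through and the cache manager stays closed to the LAN, while ALLOW_ALL_CONF admits everything, cache-manager requests included. In real Squid an unauthenticated request that reaches a proxy_auth ACL gets a 407 challenge rather than a silent deny; the model only records the non-match.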

  8. #8
    jinnantonnixx
    As Geoff spotted, your conf file is not specifying any authentication which is why it isn't working.

    The good news is I've done this before and have full notes. The bad news is it's Friday and I won't be able to get them until Monday.
    If you still need help, reply here.

    As for joining Ubuntu to AD, I found this concise guide useful.
    http://phreek.org/guides/ubuntu-1204...-member-server
    Last edited by elsiegee40; 3rd May 2013 at 09:41 PM. Reason: To ease jinnantonnixx's grammatical pain!

  9. #9
    elsiegee40
    Thread moved to filtering forum. Mud slinging removed. As OP has resolved issue, thread locked to prevent further issues.
