#1 ahuxham

    ntlm_auth | Dansguardian | Squid

    Hi All,

    I can't seem to get my head around the following;

    Setting up (finalizing the process now) a Squid proxy for use with our new leased line, however before all that, need to ensure it's all working correctly, and the process cannot be bypassed.

    squid.conf (http_port 3128 (will be changed to 127.0.0.1:3128) when DG is working correctly)

    dansguardian.conf (filterip = blank, filterport = 8080, proxyip = 127.0.0.1, proxyport = 3128 (filterip is the machines IP address, which I'll change to 192.168.0.50 at some stage))

    Point Internet Explorer to 192.168.0.50:3128 and straight onto the internet (Single-Sign-On style with ntlm_auth)

    Point Internet Explorer to 192.168.0.50:8080 and stalled with a prompt (Please enter username and password) once network credentials are entered I then roam the internet with DG filtering whatever I tell it too.

    What step am I missing, that routing from DG > SQUID > Internet completely ignores my single sign-on?

    Is there another way? Can the incoming connection be on 3128? SQUID > DG > Internet (Does this require redirect of 3128 to 8080? which in turn bypasses authentication?)

    Thanks...

#2 srochford
    I don't use Dan's Guardian so I may be talking rubbish here :-)

    It looks as if you're doing authentication to Squid and then trying to pass that on to the Dan's Guardian process. If that is the case, then I'm pretty sure you can't - NTLM credentials won't do a 2 hop process.

#3 ahuxham
    Quote Originally Posted by srochford:
    I don't use Dan's Guardian so I may be talking rubbish here :-)

    It looks as if you're doing authentication to Squid and then trying to pass that on to the Dan's Guardian process. If that is the case, then I'm pretty sure you can't - NTLM credentials won't do a 2 hop process.
    I'm trying to get Squid to authenticate, bypassing any Dansguardian authentication.

    I.e. Client connects on IP:8080 (Dansguardian) > Routed via dansguardian.conf settings to 127.0.0.1:3128 (Squid) where it asks for authentication, (It should be single sign on with ntlm_authentication).

    However when clients connect on 8080, they get a single prompt for authentication, where this should all be done silently.

    Trying to pass authentication straight through DG and into Squid, or find an alternate way for access to be given which includes DG filtering.

    Client > Dansguardian > Squid > Internet (Is how it should be setup, but it's completely ignoring single-sign-on)

    Client > Squid > Iptables magic > Dansguardian > Internet possible?

#4 srochford
    I'd hoped that someone else who uses DansGuardian would have posted by now but they haven't so I've done a bit of reading ...

    I can't find anything which describes what you want to do - there's a lot of stuff which doesn't use any authentication - but I don't think you can do it.

    Your clients will connect to a process on port 8080 which doesn't make any kind of challenge. You request that process to fetch a web page. Assuming that your request is not a "bad" request then the DansGuardian process then tries to fetch the page by requesting it from Squid. Squid then issues an NTLM challenge to the DansGuardian process. It doesn't know how to respond to it and has no way of passing it on to the original client so it just sits there. Squid says "no valid response" and abandons the request.

    Your second option looks possible (but I'm afraid I don't understand IPTables either :-() - this time, the client will talk to Squid and respond to the challenge. If the client has a valid username/password then Squid will pass the request on to DansGuardian which then checks to see if the URL is OK and fetches it.

    It's certainly possible to get Squid to talk to another proxy - I've done it when the two proxies are on different PCs but I can't see why it wouldn't work on 1 PC - just need to get the ports right.

    good luck!

#5 DMcCoy
    You can do Dansguardian -> Squid -> int with ntlm. What version of DG are you using?

#6 ahuxham

    Quote Originally Posted by DMcCoy:
    You can do Dansguardian -> Squid -> int with ntlm. What version of DG are you using?

    DG 2.8.0.6
    Squid 2.6-STABLE18

#7 ahuxham
    # Auth plugins
    # These replace the usernameidmethod* options in previous versions. They
    # handle the extraction of client usernames from various sources, such as
    # Proxy-Authorisation headers and ident servers, enabling requests to be
    # handled according to the settings of the user's filter group.
    # Multiple plugins can be specified, and will be queried in order until one
    # of them either finds a username or throws an error. For example, if Squid
    # is configured with both NTLM and Basic auth enabled, and both the 'proxy-basic'
    # and 'proxy-ntlm' auth plugins are enabled here, then clients which do not support
    # NTLM can fall back to Basic without sacrificing access rights.
    #
    # If you do not use multiple filter groups, you need not specify this option.
    #
    #authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'
    #!! Not compiled !! authplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'
    #authplugin = '/etc/dansguardian/authplugins/ident.conf'
    #authplugin = '/etc/dansguardian/authplugins/ip.conf'
    As per Dansguardian 2.9.9.1

    Anyone have any information on the above, would enabling both proxy-basic and proxy-ntlm fix my problems?

#8 DMcCoy

    You need to use the ntlm auth plugin, but may have to compile with it enabled. Otherwise you have to do Squid (ntlm) > DG > Squid, iirc.

    It's squid that needs all the ntlm stuff configured and tested as DG just passes it on with the plugin.

#9 ahuxham
    Squid > DG > Squid > Internet = ?

    SQUID.CONF
    http_port x.x.x.x:8080 (Internet Explorer)
    http_port 127.0.0.1:3128 (DG Access?)
    cache_peer 127.0.0.1 parent 8081 3130

    DANSGUARDIAN.CONF
    filterip = 127.0.0.1
    filterport = 8081

    proxyip = 127.0.0.1
    proxyport = 3128
    Regards the plugin, is that the x-forwarder plugin found on the Dansguardian website?

    Thanks for the clarification DMcCoy

#10 DMcCoy

    The ntlm plugin for DG only comes with 2.9.x. You can't get DG to do ntlm directly with older versions. That's why you need to set up a squid proxy in front to do the ntlm auth with its ntlm auth plugin.

    For example:

    Client (ntlm) 3128 --> 3128 Squid (ntlm) 8080 --> 8080 DG 3128 --> 3128 Squid 8080 --> 8080 ISP Proxy (or just internet).

    The first squid box does nothing but authentication. There should be a guide around somewhere. Something like this OpenSourceHowTo.org - Squid1-ntlm - DansGuardian - Squid2-cache

    Thanks to DMcCoy from: ahuxham (24th July 2008)

#11 ahuxham
    Two Questions,

    1) Using the S > D > S > Internet method, will the following behave properly:
    • Dansguardian log usernames as failed attempts
    • Squid log usernames and all traffic, and I assume squid-cache (2) would be the log file to be hitting


    2) Would it be easier to just download 2.9.9.5 source, recompile, and then use it as D > S > Internet, and I suppose the above list points still take effect,

    Sorry for the questions =(

#12 DMcCoy

    Quote Originally Posted by ahuxham:
    Two Questions,

    1) Using the S > D > S > Internet method, will the following behave properly:
    • Dansguardian log usernames as failed attempts
    • Squid log usernames and all traffic, and I assume squid-cache (2) would be the log file to be hitting


    2) Would it be easier to just download 2.9.9.5 source, recompile, and then use it as D > S > Internet, and I suppose the above list points still take effect,

    Sorry for the questions =(

    I decided to do the compilation route after getting the first one going, it worked but wasn't as quick as just using the new module. I think I did manage to get the usernames logged correctly, but I'm not so sure about squid although it has been 6 months since I last tried!
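The two layouts the thread settles on (the Squid > DG > Squid chain from post #10 for DG 2.8, and DG > Squid with the proxy-ntlm authplugin for DG 2.9.x from posts #8 and #12) both hinge on two things that are easy to get wrong: every hop must forward to the right loopback port, and every hop behind the authenticating one must listen on 127.0.0.1 only, otherwise a browser pointed straight at the back-end Squid skips both the NTLM challenge and the filter, which is exactly the bypass the first post worries about. The script below is an added example, not code from the thread or from the Squid or DansGuardian projects. It reads the three kinds of config file, walks a chain given as TYPE:FILE:PORT and reports every inconsistency or exposed port. All paths, addresses, ports and the sample configs it writes are constructed for the demonstration; the Squid and DansGuardian directive names are the real ones.

```shell
#!/bin/sh
# Added example, not from the thread and not part of Squid or DansGuardian: a consistency and
# exposure check for a proxy chain of the kind discussed above. Hops are listed client side
# first as TYPE:FILE:PORT (TYPE is "squid" or "dg"). The check confirms that
#   1. each hop forwards to 127.0.0.1:<port of the next hop>;
#   2. only the first hop listens on a non-loopback address, so the hops that do no
#      authentication or no filtering cannot be reached directly from the LAN;
#   3. the first Squid in the chain does NTLM (auth_param ntlm + a proxy_auth ACL) and, when
#      DansGuardian faces the clients, it has an uncommented proxy-ntlm authplugin (DG 2.9.x).
# Paths, addresses, ports and the sample configs are constructed for the demonstration.

# First uncommented "key = value" in dansguardian.conf; empty when the option is blank or absent.
dg_opt() {
  awk -F'=' -v k="$2" '$0 !~ /^[ \t]*#/ && $1 ~ "^[ \t]*"k"[ \t]*$" \
    { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}
# Uncommented http_port values ("[ip:]port") and the first cache_peer ("ip:port") of a squid.conf.
squid_ports() { awk '$0 !~ /^[ \t]*#/ && $1 == "http_port"  { print $2 }' "$1"; }
squid_peer()  { awk '$0 !~ /^[ \t]*#/ && $1 == "cache_peer" { print $2 ":" $4; exit }' "$1"; }
squid_does_ntlm() {
  grep -Eq '^[[:space:]]*auth_param[[:space:]]+ntlm[[:space:]]+program' "$1" &&
  grep -Eq '^[[:space:]]*acl[[:space:]]+[^[:space:]]+[[:space:]]+proxy_auth' "$1"
}
dg_has_ntlm_plugin() { grep -Eq '^[[:space:]]*authplugin[[:space:]]*=.*proxy-ntlm' "$1"; }

# hop_exposed TYPE FILE PORT: exit 0 when the hop listens on PORT on an address other than
# 127.0.0.1. A blank filterip (DG) or a bare port number (Squid) means "all interfaces".
hop_exposed() {
  if [ "$1" = dg ]; then
    [ "$(dg_opt "$2" filterport)" = "$3" ] && [ "$(dg_opt "$2" filterip)" != "127.0.0.1" ]
    return
  fi
  squid_ports "$2" | awk -v p="$3" 'BEGIN { r = 1 }
    { ip = "0.0.0.0"; port = $0; c = index($0, ":")
      if (c) { ip = substr($0, 1, c - 1); port = substr($0, c + 1) }
      if (port == p && ip != "127.0.0.1") r = 0 }
    END { exit r }'
}
# hop_next TYPE FILE: the "ip:port" the hop forwards requests to.
hop_next() {
  if [ "$1" = dg ]; then echo "$(dg_opt "$2" proxyip):$(dg_opt "$2" proxyport)"; else squid_peer "$2"; fi
}

# check_chain TYPE:FILE:PORT ...: prints every problem found; exit 0 only when there are none.
check_chain() {
  i=1; rc=0; first_squid=''
  while [ $# -gt 0 ]; do
    type=${1%%:*}; rest=${1#*:}; file=${rest%:*}; port=${rest##*:}; shift
    if [ "$i" -eq 1 ]; then
      if [ "$type" = dg ] && ! dg_has_ntlm_plugin "$file"; then
        echo "hop 1 ($file): DansGuardian faces the clients but has no proxy-ntlm authplugin"; rc=1
      fi
    elif hop_exposed "$type" "$file" "$port"; then
      echo "hop $i ($file): port $port is reachable from the LAN, so clients can enter the chain here"; rc=1
    fi
    if [ "$type" = squid ] && [ -z "$first_squid" ]; then
      first_squid=$file
      squid_does_ntlm "$file" || { echo "hop $i ($file): first Squid has no NTLM auth_param / proxy_auth ACL"; rc=1; }
    fi
    if [ $# -gt 0 ]; then
      want="127.0.0.1:${1##*:}"; got=$(hop_next "$type" "$file")
      [ "$got" = "$want" ] || { echo "hop $i ($file): forwards to '$got', expected $want"; rc=1; }
    fi
    i=$((i + 1))
  done
  return $rc
}

# ---- constructed sample configs (assumed paths under a temp dir) ----
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
# Layout A (DG 2.8): Client -> Squid1 (NTLM, LAN-facing) -> DG -> Squid2 (cache, loopback only)
cat > "$D/squid1.conf" <<'EOF'
http_port 192.168.0.50:8080
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
acl ntlm_users proxy_auth REQUIRED
http_access allow ntlm_users
http_access deny all
cache_peer 127.0.0.1 parent 8081 0 no-query
never_direct allow all
EOF
printf 'filterip = 127.0.0.1\nfilterport = 8081\nproxyip = 127.0.0.1\nproxyport = 3128\n' > "$D/dg28.conf"
printf 'http_port 127.0.0.1:3128\nacl localhost src 127.0.0.1/32\nhttp_access allow localhost\nhttp_access deny all\n' > "$D/squid2.conf"
LAYOUT_A="squid:$D/squid1.conf:8080 dg:$D/dg28.conf:8081 squid:$D/squid2.conf:3128"
# Layout B (DG 2.9.x proxy-ntlm plugin): Client -> DG (LAN-facing) -> Squid (NTLM, loopback only)
printf "filterip = 192.168.0.50\nfilterport = 8080\nproxyip = 127.0.0.1\nproxyport = 3128\nauthplugin = '/etc/dansguardian/authplugins/proxy-ntlm.conf'\n" > "$D/dg29.conf"
sed -e 's/^http_port .*/http_port 127.0.0.1:3128/' -e '/^cache_peer/d' -e '/^never_direct/d' "$D/squid1.conf" > "$D/squidB.conf"
LAYOUT_B="dg:$D/dg29.conf:8080 squid:$D/squidB.conf:3128"
# The first post's layout: DG 2.8 (no plugin) on all interfaces, Squid on all interfaces on 3128,
# so a browser pointed straight at 3128 skips the filter and DG cannot relay the NTLM handshake.
printf 'filterip =\nfilterport = 8080\nproxyip = 127.0.0.1\nproxyport = 3128\n' > "$D/dg_orig.conf"
sed -e 's/^http_port .*/http_port 3128/' -e '/^cache_peer/d' -e '/^never_direct/d' "$D/squid1.conf" > "$D/squid_orig.conf"
LAYOUT_ORIG="dg:$D/dg_orig.conf:8080 squid:$D/squid_orig.conf:3128"

for layout in "$LAYOUT_A" "$LAYOUT_B" "$LAYOUT_ORIG"; do
  if check_chain $layout; then echo "OK: $layout"; else echo "PROBLEMS: $layout"; fi
done
```

Run it as-is to see layouts A and B pass and the first post's layout fail on both counts; to check a real box, replace the three LAYOUT_* strings with the installed file paths and ports. The port check is deliberately strict about 127.0.0.1: a Squid `http_port 3128` with only an `http_access` ACL in front of it is still reachable on the LAN IP, and a client that reaches it directly has skipped DansGuardian regardless of what the ACL later decides.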
