3/13/12
Configuring Squid Proxy


Squid proxy is a very popular open-source Internet proxy, which is available for Unix, Mac and Windows operating systems. It has a large configuration file that can be difficult to edit for people who are not familiar with it. This appendix outlines the steps required to configure Squid for use with PaperCut NG. However it is not a complete guide to configuring Squid, and should be read in conjunction with the Squid Proxy documentation.

Squid authentication with LDAP / Active Directory

When Squid is running on Linux/Mac it is common to authenticate users with an LDAP directory or Microsoft Active Directory (which is also an LDAP v3 compliant directory). The Squid LDAP authentication helpers are used to integrate Squid with an LDAP server. This guide assumes the proxy is Squid 2.5 or greater (with LDAP helpers). Information on the LDAP helpers can be found here: http://www.die.net/doc/linux/man/man8/squid_ldap_auth.8.html

If the LDAP helpers are included in your Squid installation, the ldap_auth helper (or sometimes named squid_ldap_auth) will be found in /usr/lib/squid/ (or the equivalent location where Squid is installed).

The first step is to configure Squid to authenticate usernames/passwords with the LDAP / Active Directory. You will need to open your Squid configuration file (squid.conf) and make the following changes: Find the auth_param section of the config file (TAG: auth_param), and change the auth_param basic program line to look like this. (Indented text indicates one line)

auth_param basic program /usr/lib/squid/ldap_auth -R
    -b "dc=your,dc=domain,dc=com"
    -D "cn=Administrator,cn=Users,dc=your,dc=domain,dc=com"
    -w "password" -f sAMAccountName=%s -h 192.168.1.75
auth_param basic children 5
auth_param basic realm Your Organisation Name
auth_param basic credentialsttl 5 minutes

These settings tell Squid to authenticate names/passwords in the LDAP / Active Directory.

The -b option indicates the base LDAP distinguished name of our domain, e.g. your.domain.com would be dc=your,dc=domain,dc=com.

The -D option indicates the user that is used to perform the LDAP query (e.g. an Administrator). This example uses the built-in Administrator user, however you can use another user of your choice.

The -w option is the password for the user in the -D option. For improved security you can store the password in a file and use the -W /path/to/password_file syntax instead.

The -h option is used to indicate the LDAP server to connect to.

The -R option is required for Squid to connect to Windows Active Directory.

The -f option is the LDAP query used to lookup the user. In the above example, sAMAccountName=%s, will match if the user's Windows logon name matches the username entered when prompted by Squid. Any LDAP query can be used. An LDAP search query tool can be helpful to get the syntax correct and to ensure the query works correctly. The %s is replaced with what the user enters as their username.

Remember to restart Squid for these changes to come into effect. Then test accessing the Internet and ensure that Squid prompts for a username and password, and that the authentication works as expected. Ensure that the username now appears in the Squid log file.

Restricting Internet access with credit

PaperCut NG includes a Squid ACL helper that can be used to define access rules so that only users with credit available can access the Internet. The ACL helper is located:
Linux (32-bit) - [app-path]/providers/net/bin/linux-i686/squid-acl-helper
Linux (64-bit) - [app-path]/providers/net/bin/linux-x64/squid-acl-helper
Apple Mac - [app-path]/providers/net/bin/mac/squid-acl-helper

To configure the ACL helper open the Squid config file (e.g. /etc/squid/squid.conf) in a text editor, and make the changes as described below.

The first step is to define the ACL helper configuration. This is done by adding the following line to the config file in the external ACL type section (TAG: external_acl_type). (NOTE: This is a single line, and is only split over multiple lines for formatting).

external_acl_type papercut_credit ttl=60 %LOGIN
    [app-path]/providers/net/bin/[platform]/squid-acl-helper -server [server]

Where [app-path] is the location where PaperCut NG is installed and [platform] is one of the platform directories listed above. The -server [server] option sets the hostname or IP address of the application server. If the -server option is not specified localhost is assumed. The ttl is the number of seconds Squid caches the credit check. Setting this too low will slow down both the proxy and PaperCut NG. Setting this value too high means that it will take longer for users to be denied access once they run out of credit. It is recommended to set the value to between 60 and 300 seconds.

The next step is to define an ACL for the new external ACL type defined above. To do this add the following line in the ACL section (TAG: acl).

acl papercut_allow external papercut_credit

The final step is to configure Squid so that only users with credit have Internet access. To do this add an access rule by adding the following line to the HTTP access section (TAG: http_access). The rule should be added above the http_access deny all line.

http_access allow papercut_allow

It is important to add the ACL so that it works as expected with other defined ACLs. The above ACL will work correctly if only the default Squid ACLs are defined. If other custom Squid ACL rules are used then the above line might not work as expected. Squid works by finding the first matching ACL rule that it encounters (from top to bottom), applies the specified action (allow/deny), and then no other ACLs are tested. If the above rule is used, it will match all users with credit in PaperCut NG, allow Internet access, and will not process any other rules. For examples, see the section called Squid ACL examples.

Remember to restart Squid for the changes to take effect. After restarting, test that the access controls are working as expected:

1. Access the Internet using the Squid proxy. When prompted, login as a user who has credit available in PaperCut NG. Ensure that access is allowed.
2. In PaperCut NG edit the balance of the user logged into Squid so they have no available credit and set the user as "restricted". The user should no longer have access to the Internet.

NOTE: Depending on the ttl value set on the external ACL helper it may take some time for Squid to recheck if the user has available credit.
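The delay mentioned in the NOTE comes from Squid's external ACL result cache: Squid passes the %LOGIN value to the helper, the helper answers OK or ERR, and Squid reuses that answer for ttl seconds (an ERR answer is kept for negative_ttl seconds, which defaults to ttl). The following added example, which is not code from the PaperCut manual or from Squid, models that cache with a simulated credit table and clock so you can see exactly when a user who has run out of credit is cut off, and how a topped-up user is let back in. The user name, balances and event times are constructed for the example.

```python
"""Model of Squid's external_acl_type result cache (ttl / negative_ttl).

Constructed example, not PaperCut's or Squid's code. Squid hands the helper
the %LOGIN value and caches the helper's OK/ERR reply for ttl seconds
(negative_ttl for ERR, which defaults to ttl). The credit table and the
clock are simulated so the delay before a user is cut off can be followed
without a running proxy.
"""


class ExternalAclCache:
    """Caches helper decisions per %LOGIN value, the way Squid does."""

    def __init__(self, has_credit, ttl=60, negative_ttl=None):
        self.has_credit = has_credit        # stands in for squid-acl-helper
        self.ttl = ttl
        self.negative_ttl = ttl if negative_ttl is None else negative_ttl
        self._cache = {}                     # login -> (reply, expires_at)
        self.helper_calls = 0

    def check(self, login, now):
        """Return 'OK' or 'ERR' for this login at time `now` (seconds)."""
        cached = self._cache.get(login)
        if cached is not None and now < cached[1]:
            return cached[0]                 # still fresh: helper not consulted
        self.helper_calls += 1
        reply = "OK" if self.has_credit(login) else "ERR"
        lifetime = self.ttl if reply == "OK" else self.negative_ttl
        self._cache[login] = (reply, now + lifetime)
        return reply


# Constructed timeline: balance changes are applied just before the check
# at that second. "alice" spends her last credit at t=30 and is topped up
# at t=100.
SAMPLE_TIMES = (0, 30, 59, 60, 100, 119, 120)
BALANCE_EVENTS = {30: 0.0, 100: 10.0}


def simulate(ttl=60, negative_ttl=None):
    """Run the timeline; return ({time: reply}, number of helper calls)."""
    balance = {"alice": 5.0}
    cache = ExternalAclCache(lambda u: balance.get(u, 0.0) > 0, ttl, negative_ttl)
    timeline = {}
    for t in SAMPLE_TIMES:
        if t in BALANCE_EVENTS:
            balance["alice"] = BALANCE_EVENTS[t]
        timeline[t] = cache.check("alice", t)
    return timeline, cache.helper_calls


if __name__ == "__main__":
    for ttl in (60, 300):
        timeline, calls = simulate(ttl)
        print(f"ttl={ttl}: {timeline} ({calls} helper calls)")
```

With ttl=60 the user keeps browsing for up to a minute after the balance hits zero, and after being topped up waits up to another minute (the negative result's lifetime) before access returns; with ttl=300 both windows stretch to five minutes, which is why the manual recommends staying between 60 and 300. A shorter negative_ttl lets topped-up users back in sooner without increasing helper traffic for users who still have credit.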

Squid ACL examples

Configuring Squid ACL rules can get complicated when you need to define multiple rules. It is important to understand how Squid processes ACL rules, otherwise it is difficult to achieve the correct result. Squid processes the ACL rules from top to bottom, and applies the allow/deny action to the first matching rule. The Squid documentation and some complex ACL examples can be found here: http://www.visolve.com/squid/squid24s1/access_controls.php#http_access
Newly installed Squid with default ACL rules

If using the default squid configuration and no custom ACL rules have been defined then the PaperCut NG ACL should be added below most of the default ACLs but above the http_access deny all line. For example:

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow papercut_allow
http_access deny all

This configuration means that Squid will allow manager access to requests from localhost, deny all other manager access, deny access to unsafe ports, and only allow access if the user has credit in PaperCut NG.
Always allow access to the local intranet
To allow access to a local intranet, even if the user does not have credit in PaperCut NG, the following rules could be used. The intranet ACL is assumed to be defined to include all internal web hosts using either the dst or dstdomain ACL types.

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow intranet
http_access allow papercut_allow
http_access deny all

This configuration means that Squid will allow access to the Intranet no matter whether they have credit available in PaperCut NG. It does this because the h _ c e a ac i a e rule will match, and access will be allowed and no further rules are processed.
Deny access to the "Denied Internet Users" group even if they have available credit

Some schools have users that are denied Internet access for disciplinary or other reasons. These users are added to the "Denied Internet Users" group on the domain. These students should not have Internet access even if they have available credit in PaperCut NG. This can be achieved using the following rules. This assumes that the denied_group ACL is defined to test for membership of the "Denied Internet Users" group.

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny denied_group
http_access allow papercut_allow
http_access deny all

This configuration means that Squid will deny access to users in the "Denied Internet Users" group no matter what credit they have in PaperCut NG.
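Because Squid stops at the first matching http_access rule, the order of the lines in the three examples above is what makes them correct. The following added example (not code from the PaperCut manual or from Squid) implements that first-match evaluation in Python and runs it over the rule sets above, plus a deliberately mis-ordered variant with the group deny placed below the credit allow. A request is represented by the set of ACL names that evaluate true for it (Safe_ports, CONNECT, intranet, denied_group, papercut_allow and so on); the request sets are constructed for the example. The fallback when no rule matches (the opposite of the last rule's action) is Squid's documented behaviour, which is why every list should end with an explicit http_access deny all.

```python
"""First-match evaluation of Squid http_access rules.

Constructed example, not PaperCut's or Squid's code. A request is modelled
as the set of ACL names that are true for it; the rule lists are the ones
from the Squid ACL examples above, plus a deliberately mis-ordered variant.
"""


def parse_rules(config):
    """Turn http_access lines into (action, [(negated, acl_name), ...])."""
    rules = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("http_access"):
            continue                        # comments, blank lines, other tags
        _, action, *acls = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in: {raw!r}")
        rules.append((action, [(a.startswith("!"), a.lstrip("!")) for a in acls]))
    return rules


def evaluate(rules, true_acls):
    """Apply the first rule whose ACLs all match; if no rule matches, Squid
    uses the opposite of the last rule's action."""
    true_acls = set(true_acls)
    for action, terms in rules:
        if all((name in true_acls) != negated for negated, name in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def request(*acls):
    """ACL set for a request; the built-in 'all' is true for every request."""
    return {"all", *acls}


DEFAULT_RULES = parse_rules("""
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow papercut_allow
http_access deny all
""")

INTRANET_RULES = parse_rules("""
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow intranet
http_access allow papercut_allow
http_access deny all
""")

DENIED_GROUP_RULES = parse_rules("""
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny denied_group
http_access allow papercut_allow
http_access deny all
""")

# Same idea with the group deny placed *below* the credit allow: a user in
# the denied group who still has credit is let through by the earlier rule.
MISORDERED_RULES = parse_rules("""
http_access deny !Safe_ports
http_access allow papercut_allow
http_access deny denied_group
http_access deny all
""")


if __name__ == "__main__":
    cases = [
        ("user with credit", DEFAULT_RULES, request("Safe_ports", "papercut_allow")),
        ("user without credit", DEFAULT_RULES, request("Safe_ports")),
        ("no credit, intranet host", INTRANET_RULES, request("Safe_ports", "intranet")),
        ("denied group, has credit", DENIED_GROUP_RULES,
         request("Safe_ports", "denied_group", "papercut_allow")),
        ("denied group, misordered", MISORDERED_RULES,
         request("Safe_ports", "denied_group", "papercut_allow")),
    ]
    for label, rules, acls in cases:
        print(f"{label}: {evaluate(rules, acls)}")
```

Running the script prints allow/deny for each case; the "misordered" case is the one to watch, since it shows a disciplinary block silently undone by putting the PaperCut rule too high. The same evaluator can be fed your own squid.conf http_access lines to check a planned ordering before restarting the proxy.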

Showing 1 comment
I am new to this but here is my description. I want Squid proxy 2.7 which is running on CentOS 5.7 to be authenticated by Microsoft Active Directory 2008 that is on a different server. Let's assume Squid proxy is running on server 1.1.1.1, and the Microsoft Active Directory is running on server 2.2.2.2; the Active Directory has a user admn with the password admnpassword. I want Squid to prompt users for passwords when accessing the internet and this should be authenticated by Microsoft Active Directory because these users and passwords are stored in Microsoft Active Directory. I created users user1, usr2, user3 ..etc on Microsoft Active Directory. Squid and the Microsoft Active Directory are both on domainname.co.za, please advise on how to achieve this. I checked that I have /usr/lib/squid/squid_ldap_auth and /usr/lib/squid/squid_ldap_group file as required. So now all I did is I changed my squid.conf file by removing the ncsa_auth and added squid_ldap_auth as shown below.

I COMMENTED THIS OUT from the squid.conf:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid.pass

AND ADDED this to the squid.conf:
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b dc=domainname, dc=co, dc=za -D cn=admn, cn = users, dc=domainname, dc=co, dc=za -w admnpassword -f sAMAccountName=%s 2.2.2.2

but now I went to /bin and ran squid -k reconfigure and got this:
squid: ERROR: No running copy

Now I'm not sure if I understand correctly here that all I need to do in order to authenticate users with Microsoft Active Directory is to change the squid.conf file by adding squid_ldap. The other strange thing is that the squid_ldap_auth file appears to be empty, is this right or is it missing something?

4 weeks ago

Copyright 1999-2012. PaperCut Software International Pty Ltd. All rights reserved.
