Differences between revisions 9 and 10
Revision 9 as of 2019-03-11 20:34:08 (Size: 1176, Editor: PieterSmit)
Revision 10 as of 2022-02-27 20:13:15 (Size: 1903, Editor: PieterSmit)

Squid web proxy

2022 - NTLM bad idea now

  • Update from AWS support: NTLM authentication is not supported through the load balancer.

    The specific issue with NTLM and HTTP reverse proxies like ALB is that IIS processes the NTLM authentication and applies it to the TCP connection that the HTTP request came over. ALB re-uses these TCP connections to targets for requests from multiple clients. Since the backend target (IIS) has now authenticated a TCP connection for a user, the next request (possibly from a different user) will be considered authenticated as the original user. NTLM is outdated and should be avoided.

    You can use Kerberos authentication to essentially perform what Windows authentication does.
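To make the failure mode in the AWS note concrete, here is a small constructed simulation (added here; not part of the original page or of any AWS or Microsoft material): a backend that binds the authenticated user to the TCP connection, as IIS does with NTLM, sits behind a proxy that pools one backend connection across clients, and the same scenario is run with a per-request credential instead. The class and function names and the one-connection pool are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Backend:
    """IIS-like target. With connection_bound=True (NTLM) the authenticated
    user is attached to the TCP connection; with False (a Kerberos ticket sent
    per request) every request must carry its own credential."""
    connection_bound: bool
    conn_user: Dict[int, str] = field(default_factory=dict)  # conn_id -> user

    def handle(self, conn_id: int, headers: dict) -> Tuple[int, Optional[str]]:
        # Constructed shortcut: the Authorization value is taken as the user name.
        user = headers.get("Authorization")
        if user is None and self.connection_bound:
            user = self.conn_user.get(conn_id)  # inherit identity from the connection
        if user is None:
            return 401, None
        if self.connection_bound:
            self.conn_user[conn_id] = user  # NTLM: bind the user to this connection
        return 200, user


class PoolingProxy:
    """ALB-like reverse proxy: backend connections are reused across clients."""

    def __init__(self, backend: Backend, pool_size: int = 1):
        self.backend = backend
        self.pool = list(range(pool_size))
        self.counter = 0

    def forward(self, headers: dict) -> Tuple[int, Optional[str]]:
        conn_id = self.pool[self.counter % len(self.pool)]  # round-robin reuse
        self.counter += 1
        return self.backend.handle(conn_id, headers)


def simulate(connection_bound: bool) -> Tuple[int, Optional[str]]:
    """alice authenticates; then an unrelated client sends a request with no
    credential over the reused connection. Returns the backend's decision for
    that second request."""
    proxy = PoolingProxy(Backend(connection_bound))
    proxy.forward({"Authorization": "alice"})
    return proxy.forward({})


if __name__ == "__main__":
    print("NTLM-style, pooled connection:", simulate(True))   # (200, 'alice')
    print("Per-request credential:", simulate(False))         # (401, None)
```

With a connection-bound scheme the second client is served as alice; with a per-request credential it is rejected, which is the difference the AWS note is describing.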

2009

I joined the domain using "net rpc join -S PDC -U Administrator".

# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -u
# wbinfo -g

http://www.cyberciti.biz/faq/squid-ntlm-authentication-configuration-howto/

  • Not tested
    #auth_param negotiate program /usr/local/squid/bin/ntlm_auth --helper-protocol=gss-spnego

domain => [domain]
auth_param ntlm program /usr/lib/squid3/ntlm_auth -d domain/serv1 domain/serv2

# Deny requests to a bare numeric IPv4 address on port 443 (one or more digits per octet)
acl Ip_Block_Range url_regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:443
http_access deny Ip_Block_Range

<!> Since FTP uses numeric IPs, the Skype ACL must be exact, including the port.

# Skype: deny CONNECT to bare numeric IPs on 443 and any User-Agent starting with "skype"
acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:443
acl Skype_UA browser -i ^skype
http_access deny numeric_IPs
http_access deny Skype_UA

...


CategoryLinux

linux/squidproxy (last edited 2022-05-05 19:32:03 by PieterSmit)