Netgate Discussion Forum

    Squid + SquidGuard + AD

    pfSense Packages
      hans2k6

      Hi all,

      After one week of configuration and googling and reading n tutorials I decided to annoy you :P.

      What do I want?
      A proxy with different access groups managed by Active Directory.

      Where is my problem?
      As long as I'm letting LDAP off in SquidGuard it's working fine.
      My groups are filtered by ip (just for testing to see if squidGuard is working).

      I also tested squid alone - to check AD. And it's working.
      When the user is in the AD group he gets unrestricted access. When not, he doesn't get any access.

      The problem occurred after turning on AD in squid guard. After that any user (after authentication against squid) gets full access and it seems like squid guard is ignoring all ACLs. Even the common default one.

      Even when I set up everything to deny anything it is completely open.

      Can you maybe help me?

      My LDAP search string in squidGuard for the group ACL is:

      ldapusersearch ldap://192.168.0.1:389/DC=mydomain,DC=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=mydomain%2cDC=local))

      on general tab it's:
      cn=administrator,cn=Users,dc=mydomain,dc=local
      Strip Kerberos Realm - enabled
      Strip NT domain - enabled

      Common ACL is:
      whitelist !all

      Now I have squid 2 and squidGuard installed through the packages menu.

      I also reinstalled pfSense and tried the virtual appliance as well as squid3.

      Maybe you can help me.

      Many thanks + sorry for my English

        nislink

        Sorry you are ahead of me at this point so I won't be of much help right now. I'm still in the testing phases of squid2, and haven't tried LDAP yet. I am wondering though, have you tested white-listing via the Access Control tab? I have a customer that wants to block everything, which is easy enough by setting everything to deny. I know, however, that they will eventually start wanting to allow a few sites here and there for work related purposes. Then, they will want LDAP setup so they can whitelist sites for managers and executives only (IP based won't work as they are on a TERM server). I am trying to stay ahead of the game so when I implement this I know everything will work as expected, however I can't get my test sites to load after they have been blocked by category (only the favicon comes through after white-listing). The categories and websites I tried were [Finance Insurance: esurance.com] and [webmail: hotmail.com]. Just interested in knowing if it's a setup issue, or a problem with Squid.

        Second question, how did your Squid 3 testing go? I downloaded the newest versions and the services did not want to start. Didn't spend too much time on this though as I didn't really want to implement a beta package into production anyway.

        As for your question I will be testing the LDAP setup in my lab this week, so at the very least I will be able to tell if I get the same results as you. I opened up a thread a week or two ago for my questions, but no replies yet :-( .  Good luck on getting this worked out! I will be posting back my LDAP results at some point this week.

          lgcosta

          Try using the Global Catalog port from AD:

          Reference: http://www.squidguard.org/Doc/ldap-ad-tips.html

          Luiz Gustavo - pfSense support in Brazil
          mundounix.com.br
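
An added example, not part of any post in this thread and not squidGuard code: it decomposes the `ldapusersearch` URL quoted in the first post and builds the equivalent `ldapsearch` command, once for the configured port 389 and once for the Active Directory Global Catalog port 3268, so the group filter can be checked outside the proxy. The `strip_identity` helper is an assumed model of the two "Strip" options, and the login name `hans` is a constructed sample.

```python
from urllib.parse import unquote

# URL and bind DN as quoted in the thread; 3268 is the AD Global Catalog LDAP port.
URL = ("ldap://192.168.0.1:389/DC=mydomain,DC=local?sAMAccountName?sub?"
       "(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=mydomain%2cDC=local))")
BIND_DN = "cn=administrator,cn=Users,dc=mydomain,dc=local"
GC_PORT = 3268

def parse_ldap_url(url):
    """Split ldap://host:port/base?attrs?scope?filter and decode %XX escapes."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    fields = (tail.split("?", 3) + [""] * 3)[:4]
    # %2c becomes ","; the "%s" placeholder is not a valid escape and is left alone
    base, attrs, scope, flt = (unquote(f) for f in fields)
    default = 636 if scheme == "ldaps" else 389
    return {"scheme": scheme, "host": host, "port": int(port or default),
            "base": base, "attrs": attrs, "scope": scope or "base", "filter": flt}

def strip_identity(user):
    """Assumed model of 'Strip NT domain' and 'Strip Kerberos Realm'."""
    user = user.rsplit("\\", 1)[-1]      # MYDOMAIN\hans -> hans
    return user.split("@", 1)[0]         # hans@MYDOMAIN.LOCAL -> hans

def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def ldapsearch_argv(url, user, bind_dn, port=None):
    """Build the ldapsearch command that runs the same query as the URL."""
    p = parse_ldap_url(url)
    flt = p["filter"].replace("%s", escape_filter_value(strip_identity(user)))
    uri = "%s://%s:%d" % (p["scheme"], p["host"], port or p["port"])
    argv = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", p["base"], "-s", p["scope"], flt]
    return argv + [a for a in p["attrs"].split(",") if a]

if __name__ == "__main__":
    for port in (None, GC_PORT):         # domain LDAP port, then Global Catalog
        argv = ldapsearch_argv(URL, "MYDOMAIN\\hans", BIND_DN, port)
        print(" ".join("'%s'" % a for a in argv))
```

Run the printed commands from any host with the OpenLDAP client tools: a user in the `it` group should return exactly one entry, anyone else none.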

            hans2k6

            Hi,
            thx for your answer.

            AD is not working. But anyway.

            @nislink: you have to use squidguard for whitelisting. It is working fine.

              lgcosta

              First of all, I want to report that I found a bug in the squidGuard
              binary, which generates errors in queries.

              To do this, update the package failover by typing these two commands in sequence
              in the pfSense console or in Diagnostics > Command Prompt:

              ```
              pkg_delete squidGuard-1.4_4
              pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
              ```

              Just pay attention to the CPU architecture you use and select the
              correct package for that architecture:

              ```
              http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
              http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-i386/All/squidGuard-1.4_4.tbz
              ```

              Thus, the queries will have no more problems.

              Luiz Gustavo - pfSense support in Brazil
              mundounix.com.br

                hans2k6

                Hi man!

                Thx! I will test it!

                rgds

                  michlsuser

                  @hans2k6:


                  Having the same problem. Is there already a working solution?

                    michlsuser

                    @michlsuser:


                    Having the same problem. Is there already a working solution?

                    Sorry, my fault, now it works. Thank you

                      michlsuser

                      @Luiz:


                      I just tried to use your updated package. Unfortunately I was told that there are some files missing on the server… (pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz)

                      Could you upload the missing files?

                        akha666

                        plz help
                        after executing command

                        ```
                        pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
                        ```

                        I got

                        ```
                        pkg_add: Command not found.
                        ```

                        try with

                        ```
                        pkg add  http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
                        Fetching squidGuard-1.4_4.tbz: 100%  47 KiB  47.9kB/s    00:01
                        pkg: /tmp/squidGuard-1.4_4.tbz.XXXXX is not a valid package: no manifest found
                        ```

                        I downloaded this package and copied it to pfSense, entered the shell and ran

                        ```
                        pkg add squidGuard-1.4_4.tbz
                        pkg: squidGuard-1.4_4.tbz is not a valid package: no manifest found
                        ```

                        I'm on pfs 2.2, can you help me ???
                        I spent 3 weeks looking for the best workaround to get squidGuard to apply filters with AD groups

                          akha666

                          I gave it another try with pfs 2.0.3; pkg_add -r is working, but I got another issue

                          ```
                          [2.0.3-RELEASE][root@pfSense.localdomain]/usr/local/bin(24): pkg_add -r http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz
                          Fetching http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/squidGuard-1.4_4.tbz... Done.
                          Error: Unable to get http://www.mundounix.com.br/~gugabsd/pfsense/ports-8.1/packages-amd64/All/db41-4.1.25_4.tbz: Not Found
                          pkg_add: can't open dependency file '/var/db/pkg/db41-4.1.25_4/+REQUIRED_BY'!
                          dependency registration is incomplete

                          ===================================================================
                          = In order to activate squidGuard you have to edit squid.conf
                          = To the contain "url_rewrite_program /usr/local/bin/squidGuard"
                          = and create a configuration file for squidGuard.
                          =
                          = On disinstallation if you want to completely remove the blacklists
                          = you will have to manually remove what remains in /var/db/squidGuard.
                          =
                          = To activate the changes do a /usr/local/sbin/squid -k reconfigure
                          ===================================================================
                          ```
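
The two failures in the posts above (`no manifest found` from `pkg add` on 2.2, and the missing `db41-4.1.25_4` dependency from `pkg_add -r` on 2.0.3) can be anticipated by looking inside the archive before installing it. This added example, not from the thread or from pfSense, reports which package tool an archive is built for, the dependencies its packing list names, and its SHA-256 for comparison with a digest obtained from the publisher; the sample archives are constructed in memory.

```python
import hashlib
import io
import tarfile

def inspect_package(data):
    """Classify a FreeBSD package archive from its member names; nothing is installed."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:   # gzip, bzip2 or xz
        members = {m.name[2:] if m.name.startswith("./") else m.name: m for m in tar}
        if "+MANIFEST" in members or "+COMPACT_MANIFEST" in members:
            fmt, deps = "pkg", []            # metadata that `pkg add` looks for
        elif "+CONTENTS" in members:
            fmt = "pkg_add"                  # legacy pkg_install packing list
            text = tar.extractfile(members["+CONTENTS"]).read().decode("utf-8", "replace")
            deps = [line.split()[1] for line in text.splitlines()
                    if line.startswith("@pkgdep ") and len(line.split()) > 1]
        else:
            fmt, deps = "unknown", []
    return {"format": fmt, "depends_on": deps,
            "sha256": hashlib.sha256(data).hexdigest()}

def make_sample(files):
    """Build a constructed .tbz in memory from {member name: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, text in files.items():
            body = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

# Constructed samples: package names are from the thread, file contents are made up.
LEGACY = make_sample({
    "+CONTENTS": "@name squidGuard-1.4_4\n@pkgdep db41-4.1.25_4\nbin/squidGuard\n",
    "bin/squidGuard": "placeholder",
})
PKGNG = make_sample({"+MANIFEST": "{}", "bin/squidGuard": "placeholder"})

if __name__ == "__main__":
    for label, blob in (("legacy", LEGACY), ("pkgng", PKGNG)):
        print(label, inspect_package(blob))
```

An archive reported as `pkg_add` will be rejected by `pkg add`, and every name under `depends_on` has to be available from the same download location for `pkg_add -r` to finish cleanly.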
                          
                          
                            akha666

                            @Luiz Gustavo , there is now other repositories working ???????

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.