Squid+Dansguardian with Active Directory (NTLM) Single Sign On WORKING!!!
-
I am on version 2.1 and am using it fine. I think some of the versions are different now for the extra pkg_add commands but other than that I don't think there were too many differences in what I had to do.
-
Loaded the upgrade because of the openssl scare..
Dans now at 2.12.0.3_2 pkg v.0.1.8
Says no file /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
So i loaded one from another box..
now says
auth_plugin_load() returned NULL pointer with config file: /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
Any ideas?
THX -
Have 3 boxes running this configuration.. Works great except… after heavy usage from 75 users.. The box goes to a crawl..
We are using
ESXI 5.1
all boxes up to date.
packages
Dansgaurdian
Shellcmd
Squid3
sarg2 of 3 have separate virtual drives for the cache,logs, and sarg... sym linked ..
the 3rd has a 40G drive..
All do the same thing.
during peak hours they get real slow...
Only way seems to work is pair two together on the domain dns..
ie two entries for proxy.here.pvt one x.x.x.x and one y.y.y.yAm going to try 2 real boxes.. but having a hard time trouble shooting the slowness...
Restarting squid seems to help...tried setting
squid cache file system to aufs seems no change
vfs.read_max=32 to vfs.read_max=128 in System -> Advanced -> Sytem Tunables no change??any ideas..
-
Look for squid tweak on freebsd and set it on system tunable.
What max client value are you using on dansguardian?
-
Look for squid tweak on freebsd and set it on system tunable.
What max client value are you using on dansguardian?
Ok this may be it.. But where is the max client value set? In the GUI.. Is this the Min/Max children?
-
Look for squid tweak on freebsd and set it on system tunable.
What max client value are you using on dansguardian?
Ok this may be it.. But where is the max client value set? In the GUI.. Is this the Min/Max children?
Ok I had the client IP's default which should be 0 So I set it to 0 I also set min maxchildren 32/180 the spare to 8/64 and age set to 10000 will see if that helps…
THX for heading me in a better direction.. -
set clients close to 1024. In some cases I use 8k users to get a better performance(it depends on compiling package to support it, so keep client max values under 1024).
IIRC, you can check if processes are near configured limit by using ps ax | grep dansguardian | wc -l
-
General Tab -> Config settings section –> Auth Plugins = Proxy-Ntlm
When I activate this feature, my service goes down :/ I only can work with Auth Plugins = None.
Anyone can help me? I only need to activate this feature, I dont need more because i did all steps and now is working but I dont have AD support :/
-
Loaded the upgrade because of the openssl scare..
Dans now at 2.12.0.3_2 pkg v.0.1.8
Says no file /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
So i loaded one from another box..
now says
auth_plugin_load() returned NULL pointer with config file: /usr/pbi/dansguardian-amd64/etc/dansguardian/authplugins/proxy-ntlm.conf
Any ideas?
THXI am having this same problem also. proxy-ntlm.conf was never put into the authplugins on the latest dansguardian from pfsense.
-
Ok…..
1. Install the broken package with the package manager.2. from the command line "pkg_info" you will see dansguardian 2.12.0.3_2 is installed.
3. from the command line "fetch http://files.pfsense.org/packages/amd64/8/All/dansguardian-2.12.0.3-amd64.pbi"
4. from the command line "pbi_add --no-checksig -f dansguardian-2.12.0.3-amd64.pbi"
5. from the command line "pkg_info" you will now see dansguardian-2.12.0.3_1 is installed.
Then go to /tmp and deleted the two dansguardian files..
Go and save the settings pages in Dans..
BUTTT...... Now the web upload is broke... I fix the web upload.
If I fix it like below... It dies again.. because one writes over the other...
https://forum.pfsense.org/index.php?topic=58442.msg409913#msg409913.Any ideas?
-
Hi guys. I successfuly install eveerything. In first moment i decide everything is ok. FW are binded to my wind 2003 domain wbinfo -t/-u/-g show me everything - users, groups etc. etc. But tail -f /var/log/dansguardian/access.log show me only ip not users id. Also my users wont populate on Services > Dansguardian > Users. I see only checkmark there which is unchecked right now. Also i think Dansguard does not watch LDAP group i chose for internet access. I test with a normal user - no metter if the user are in or out of the groupe he have internet.
Any ideas ? -
Okay, and please try this command:
tail -f /var/squid/log/access.log -
Somehow i am able to get authenticated on squid also on dansguard
this is my squid log
1401128431.777 0 192.168.250.70 TCP_DENIED/407 4861 GET http://www.dir.bg/my/comments/count.php? - NONE/- text/html
1401128431.780 20 192.168.250.70 TCP_MISS/200 612 GET http://r5.dir.bg/passimg.php? bilyanastefanova DIRECT/194.145.63.27 image/gif
1401128431.790 14 192.168.250.70 TCP_MISS/200 522 GET http://www.dir.bg/new/dirfp_weather_new.html? bilyanastefanova DIRECT/194.145.63.12 text/html
1401128431.791 15 192.168.250.70 TCP_MISS/200 445 GET http://www.dir.bg/new/dirfp_weather_block.json? bilyanastefanova DIRECT/194.145.63.12 application/json
1401128431.793 16 192.168.250.70 TCP_MISS/200 243 GET http://www.dir.bg/new/usd.txt bilyanastefanova DIRECT/194.145.63.12 text/plain
1401128431.804 27 192.168.250.70 TCP_MISS/200 695 GET http://www.dir.bg/JSAJAX/get_user_info.php? bilyanastefanova DIRECT/194.145.63.12 text/plain
1401128431.836 5 192.168.250.70 TCP_CLIENT_REFRESH_MISS/304 298 GET http://i.dir.bg/dir5/dir-new/html/img/vremeto-small/pda_20.png bilyanastefanova DIRECT/194.145.63.18 -
1401128431.838 126 192.168.250.70 TCP_CLIENT_REFRESH_MISS/200 3656 GET http://ni.dir-i.net/esspresso/images/calendar/cells.png bilyanastefanova DIRECT/194.145.63.18 image/png
1401128431.842 62 192.168.250.70 TCP_MISS/200 676 GET http://www.dir.bg/my/comments/count.php? bilyanastefanova DIRECT/194.145.63.12 text/html
1401128431.966 155 192.168.250.70 TCP_MISS/200 309 GET http://smart.dir.bg/mobile_check.php? bilyanastefanova DIRECT/194.145.63.11 text/htmland this is dansguardian log
1401128431.388 19 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_section_novini&enc=u bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.388 19 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_section_novini_2&enc=u bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.390 23 192.168.250.70 TCP_MISS/200 0 GET http://r5.dir.bg/js.php?Code=00_corner bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.718 33 192.168.250.70 TCP_MISS/200 101 GET http://r5.dir.bg/utb.php?rnd=1287221401128435608&ref=http%3A//www.dir.bg/&reff= bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/javascript
1401128431.769 4 192.168.250.70 TCP_DENIED/403 0 GET http://www.google-analytics.com/__utm.gif?utmwv=1.4&utmn=98558728&utmcs=utf-8&utmsr=1920x1080&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=13.0%20r0&utmdt=Dir.bg%20-%20%D0%91%D1%8A%D0%BB%D0%B3%D0%B0%D1%80%D1%81%D0%BA%D0%B8%D1%8F%D1%82%20%D0%98%D0%BD%D1%82%D0%B5%D1%80%D0%BD%D0%B5%D1%82%20%D0%BF%D0%BE%D1%80%D1%82%D0%B0%D0%BB!&utmhn=www.dir.bg&utmhid=1711608986&utmr=-&utmp=/&utmac=UA-436010-11&utmcc=__utma%3D95319433.1662311826.1401125196.1401125196.1401128436.2%3B%2B__utmz%3D95319433.1401125196.1.1.utmccn%3D(direct)%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)%3B%2B bilyanastefanova DEFAULT_PARENT/127.0.0.1 -
1401128431.792 19 192.168.250.70 TCP_MISS/200 501 GET http://www.dir.bg/new/dirfp_weather_new.html?ts=0.17504705565709982 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.794 20 192.168.250.70 TCP_MISS/200 13 GET http://www.dir.bg/new/usd.txt bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/plain
1401128431.806 30 192.168.250.70 TCP_MISS/200 7 GET http://www.dir.bg/JSAJAX/get_user_info.php?enc=utf-8&now=0.004187991262348867&=1401128435698 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/plain
1401128431.843 66 192.168.250.70 TCP_MISS/200 4 GET http://www.dir.bg/my/comments/count.php?jnl_id=3&ctype_id=1&topic_id=12251378&list=all&ran=0.153130255537684&=1350479627602 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/html
1401128431.967 157 192.168.250.70 TCP_MISS/200 79 GET http://smart.dir.bg/mobile_check.php?callback=jQuery17105069666413485266_1401128435330&url=http%3A%2F%2Fwww.dir.bg%2F&method=post&_=1401128435737 bilyanastefanova DEFAULT_PARENT/127.0.0.1 text/htmlBut i still can't denie connections for users who is out of my internet groupe. Everyone have an internet right now.
-
I am on version 2.1 and am using it fine. I think some of the versions are different now for the extra pkg_add commands but other than that I don't think there were too many differences in what I had to do.
How did you create the firewall and nat rules of steps 6 and 10? I'm on 2.1.3 and I'm stuck at that. Thanks in advance.
-
10. Services –> Firewall
a. Rules –> LAN tab – Create a filtered proxy rule to allow TCP port 8080 to the LAN address
b. NAT –> Port Forward tab - Create a filtered proxy port forward from LAN on port 8080 to the loopback adapter (127.0.0.1)Ok, sorry for bumping this thread again, but I need help with this part. Could someone post screencaps of how would the NAT and Rules gui screen would look when you set up things on step 10? I tried to do it and I locked myself out of the webgui. I need DG to filter HTTP and HTTPS traffic.
Thanks again to anyone that helps me with that. -
First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.
look at
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/or google "Squidtrust"
you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.the short version:
Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
run the agent on all workstations via login scrpt/GPO
ta-da...transparent user authentication.read the docs for more detail.
-
This is certainly easier to setup and I am impressed with your solution. However this model does not appear to have any protection from easily being spoofed by a rouge user? ie a user could claim to be someone they are not.
First: I don't mean to steal this thread…but there is an easier way to do much of this. Unless you absolutely must use NTLM.
look at
http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/or google "Squidtrust"
you will find a Perl authentication helper, and a workstation agent that can easily be integrated into a PfSense environment.
originally … I wrote the helper and agent to work on pfSense. I have been using them for over two years on a network w/800+ workstations and 2500+ users.the short version:
Install the perl helper on pfSense, configure it to poll the agent for your desired user credentials.
run the agent on all workstations via login scrpt/GPO
ta-da...transparent user authentication.read the docs for more detail.
-
New thread started here:
https://forum.pfsense.org/index.php?topic=78770.0 -
Well, apparently http://e-sac.siteseguro.ws/ is down. Where else can I find the packages?
-
Hi to all
[2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -t
checking the trust secret for domain blablabla via RPC calls succeeded[2.1.4-RELEASE][root@proxysrv.blablabla.com]/root(49): wbinfo -u
show all usersThe problem is when i create the groups on dansguardian, they apear empty on "users" tab
Anyone can help me?
Thanks :)
