SquidGuard + NTLM не блокирует



  • Привет всем!
    Имею 2.3.3-RELEASE (amd64)
    Squid + SquidGuard (http://www.shallalist.de/Downloads/shallalist.tar.gz) + LightSquid + samba (настраивал по статье https://pf2ad.mundounix.com.br/en/index.html).
    Беда следующего характера: хочу рулить разрешениями в SquidGuard через AD.
    Как только в Proxy filter SquidGuard: General settings выставляю галку Enable LDAP Filter со всеми параметрами, то ничего не фильтруется, любой пользователь сразу имеет полный доступ ко всему.
    Common ACL: deny all

    SquidGuard configuration file

    # squidGuard configuration generated by the pfSense SquidGuard package.
    # Evaluation order matters: inside `acl`, the first src entry that matches
    # the request wins and anything unmatched falls through to `default`.
    logdir /var/squidGuard/log
    dbhome /var/db/squidGuard
    # NOTE(review): the LDAP bind DN and password are kept here in clear text and
    # were pasted into a public thread as-is. Rotate this password and make sure
    # `exadm` is a dedicated, read-only bind account (it lives under cn=builtin;
    # confirm it carries no extra rights). The same credential also appears on
    # the basic_ldap_auth line of squid.conf.
    ldapbinddn cn=exadm,cn=builtin,dc=company,dc=ru
    ldapbindpass 7777777
    ldapprotover 3
    # Normalise the username squid hands over (strip the DOMAIN\ prefix and the
    # @REALM suffix) so it can be compared with the LDAP lookup result.
    stripntdomain true
    striprealm true
    
    # pftest
    # NOTE(review): this src block is empty — no `ldapusersearch`, `user` or
    # `ip` lines — so it can never match a request, and nothing in the acl block
    # below refers to it. With "Enable LDAP Filter" set, the package is expected
    # to emit ldapusersearch lines here; compare with the generated file.
    src pftest {
    }
    
    # Blacklist category; domainlist/urllist paths are relative to dbhome.
    dest blk_BL_adv {
    	domainlist blk_BL_adv/domains
    	urllist blk_BL_adv/urls
    }
    #
    # (many more dest blocks follow in the real file — elided by the poster)
    
    # Safe-search enforcement rewrites.
    # NOTE(review): backslashes look stripped in this paste (`google\..*`,
    # `search\?`, and the `\1` back-reference in each replacement). Taken
    # literally, the replacement would drop the matched URL and leave only the
    # appended parameter — verify against the real file before trusting it.
    rew safesearch {
    	s@(google..*/search?.*q=.*)@&safe=active@i
    	s@(google..*/images.*q=.*)@&safe=active@i
    	s@(google..*/groups.*q=.*)@&safe=active@i
    	s@(google..*/news.*q=.*)@&safe=active@i
    	s@(yandex..*/yandsearch?.*text=.*)@&fyandex=1@i
    	s@(search.yahoo..*/search.*p=.*)@&vm=r&v=1@i
    	s@(search.live..*/.*q=.*)@&adlt=strict@i
    	s@(search.msn..*/.*q=.*)@&adlt=strict@i
    	s@(.bing..*/.*q=.*)@&adlt=strict@i
    }
    
    # Access-control lists. Only `default` is defined, so every request ends up
    # here no matter which src blocks exist above.
    acl  {
    	# Deny everything: `!in-addr` rejects IP-literal URLs and `none` rejects
    	# the rest; denied requests are redirected to the pfSense error page on
    	# the proxy itself (192.168.211.4 is the http_port address in squid.conf).
    	# NOTE(review): if squidGuard cannot parse this file or open a database it
    	# goes into emergency mode and returns every URL unmodified — exactly the
    	# "nothing is filtered" symptom reported in this thread. Check the log
    	# under logdir for an emergency-mode message and run
    	# `squidGuard -c <this file> -d` to see the parse errors on stderr.
    	default  {
    		pass !in-addr none
    		redirect http://192.168.211.4:80/sgerror.php?url=403%20&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u
    	}
    }
    

    Proxy config

    # This file is automatically generated by pfSense
    # Do not edit manually !
    #
    # squid.conf for a non-transparent proxy on 192.168.211.4:3128 that
    # authenticates clients against AD (Negotiate/NTLM, Basic fallback) and
    # delegates URL filtering to squidGuard through url_rewrite_program.
    # http_access rules are evaluated in order; the first match decides.
    
    http_port 192.168.211.4:3128
    icp_port 0
    dns_v4_first off
    pid_filename /var/run/squid/squid.pid
    cache_effective_user squid
    cache_effective_group proxy
    error_default_language ru
    icon_directory /usr/local/etc/squid/icons
    # NOTE(review): visible_hostname takes a single hostname token; the spaces
    # here are suspicious — check cache.log for a parse warning on this line.
    visible_hostname company proxy server
    cache_mgr 01@company.ru
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/local/libexec/squid/pinger
    
    logfile_rotate 30
    debug_options rotate=30
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    acl localnet src  192.168.208.0/22
    # Adds X-Forwarded-For with the client address to upstream requests.
    forwarded_for on
    uri_whitespace strip
    
    # Do not cache dynamic content.
    # NOTE(review): the usual pattern here is `cgi-bin \?`; the backslash seems
    # lost in this paste (same on the refresh_pattern line further down).
    acl dynamic urlpath_regex cgi-bin ?
    cache deny dynamic
    
    cache_mem 64 MB
    maximum_object_size_in_memory 256 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    minimum_object_size 0 KB
    maximum_object_size 4 MB
    
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache allow all
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:    1440  20%  10080
    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern -i (/cgi-bin/|?) 0  0%  0
    refresh_pattern .    0  20%  4320
    
    #Remote proxies
    
    # Setup some default acls
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    # acl localhost src 127.0.0.1/32
    acl allsrc src all
    # Destination ports clients may reach; CONNECT is further limited to sslports.
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3129 1025-65535 
    acl sslports port 443 563  
    
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    #acl manager proto cache_object
    
    acl purge method PURGE
    acl connect method CONNECT
    
    # Define protocols used for redirects
    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    # Cache-manager access and PURGE only from the proxy host itself.
    http_access allow manager localhost
    
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    # Port hardening: refuse unlisted destination ports and CONNECT tunnels to
    # anything other than the TLS ports.
    http_access deny !safeports
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    # From 3.2 further configuration cleanups have been done to make things easier and safer.
    # The manager, localhost, and to_localhost ACL definitions are now built-in.
    # http_access allow localhost
    
    # No request-body limit; one delay pool with unlimited (-1) buckets, i.e. no
    # bandwidth shaping is actually applied.
    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc
    
    # Reverse Proxy settings
    
    # Package Integration
    # squidGuard performs the actual URL filtering. `url_rewrite_bypass off`
    # keeps squid from skipping the rewriter when the helpers are overloaded,
    # but it does not cover squidGuard's own emergency mode, in which the
    # helper keeps answering and returns every URL unchanged.
    url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
    url_rewrite_bypass off
    url_rewrite_children 16 startup=8 idle=4 concurrency=0
    
    # Custom options before auth
    
    # Negotiate: the wrapper dispatches to the NTLM or the Kerberos helper
    # depending on the token the client presents.
    # NOTE(review): `-s GSS_C_NOME` looks truncated; the usual value for this
    # option is GSS_C_NO_NAME — compare with the generated file.
    auth_param negotiate program /usr/local/libexec/squid/negotiate_wrapper_auth --ntlm /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/local/libexec/squid/negotiate_kerberos_auth -s GSS_C_NOME
    auth_param negotiate children 20
    auth_param negotiate keep_alive off
    # Pure NTLM
    auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 20
    auth_param ntlm keep_alive off
    # Basic fallback: LDAP simple bind against the DC, user looked up by
    # sAMAccountName.
    # NOTE(review): the bind password is passed on the command line (visible in
    # the process list to any local user) and is the same one stored in
    # squidGuard.conf; the helper's `-W <file>` option reads it from a file
    # instead. No TLS option is given on this line, so the bind and each
    # user's password reach v-krr-dc.company.ru in the clear — acceptable only
    # if that hop is trusted. Basic credentials from the browser are likewise
    # only base64-encoded on the way to the proxy.
    auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -b 'dc=company,dc=ru' -D 'exadm@company.ru' -w '7777777' -f sAMAccountName=%s -h v-krr-dc.company.ru
    # NOTE(review): `children` and `credentialsttl` are each set twice; the
    # later line presumably wins (children 5, ttl 5 minutes) — drop one pair.
    auth_param basic children 20
    auth_param basic credentialsttl 1 minute
    auth_param basic children 5
    auth_param basic realm Давай блять, жги
    auth_param basic credentialsttl 5 minutes
    # Any successfully authenticated user. No group check happens in squid;
    # per-user/group authorization is entirely squidGuard's job.
    acl password proxy_auth REQUIRED
    # Custom options after auth
    
    # Authenticated clients from the LAN range may use the proxy; everything
    # else is denied.
    http_access allow password localnet
    # Default block all to be sure
    http_access deny allsrc
    


  • Доброе.
    Сквид — прозрачный? ЛДАП-фильтр проверяли на корректность?



  • @werter:

    Доброе.
    Сквид — прозрачный? ЛДАП-фильтр проверяли на корректность?

    Сквид не прозрачный. Подскажите, пожалуйста, как проверить ЛДАП-фильтр на корректность?