Transparent Squid and Dans Guardian with LDAP



  • The set up is pfsense+squid+Dans Guardian, with Squid set to authenticate against AD, and DG to retrieve users/groups from AD.

    I would like to set up this combination so that users do not have to enter proxy settings into their devices.

    From a browser, setting the proxy settings to <ip address of pfsense>/8080 works correctly with prompt for credentials and then access lists are correctly applied to the user as per group membership/association.

    I wanted to avoid having users enter proxy settings in to their BYOD, and followed the instructions from ZGruk (http://forum.pfsense.org/index.php?topic=42664.0) and set up a NAT rule to forward port 80 traffic to port 8080.

    The settings for the port forward NAT entry are:

    Interface:  LAN
    Protocol:  TCP
    Source:    LAN Subnet
    Destination:  Any
    Destination Port: HTTP to HTTP
    Redirect IP: <ip of pfsense box>
    Redirect Target Port: 8080

    From a browser with no proxy settings, the error  Cache Access Denied results.
    If I disable the rule, there is direct access to the internet.

    Is this a problem as a result of using authenticated squid with LDAP?

    I would be grateful for any suggestions on how to get this rule working.



  • Transparent proxy can't auth.

    You can use proxy automatic configuration scripts for it.

    Search for proxy PAC/WPAD.



  • Thanks Marcelloc, but I've not set up the proxy to be transparent as I realise that the transparent property is mutually exclusive with authentication.
    I was hoping that a NAT rule in the firewall would intercept the port 80 traffic and direct this to DG port 8080 - if this could be made to work the solution would be excellent.

    I am currently building the firewall/proxy/content filter for a large school environment where we have a wide range of student devices to support - we were hoping to avoid having to set up proxy settings on these devices.
    I need authentication with AD both to provide meaningful LightSquid reports, and to enable different access lists for student and teachers.

    Any further thoughts?



  • There is no reason why this should not work if you have moved the admin interface off port 80 and are then redirecting all traffic on that port to the squid proxy port.

    Have you tried configuring a client to attach directly to the proxy port? If you still get the error then your redirect is fine and your proxy setup is at fault.



  • @neil:

    Thanks Marcelloc, but I've not set up the proxy to be transparent as I realise that the transparent property is mutually exclusive with authentication.
    I was hoping that a NAT rule in the firewall would intercept the port 80 traffic and direct this to DG port 8080 - if this could be made to work the solution would be excellent.

    I am currently building the firewall/proxy/content filter for a large school environment where we have a wide range of student devices to support - we were hoping to avoid having to set up proxy settings on these devices.
    I need authentication with AD both to provide meaningful LightSquid reports, and to enable different access lists for student and teachers.

    Any further thoughts?

    You need the port redirect to make transparent mode work. I'm fairly certain that Marcelloc is correct - i.e. you can't do auth in transparent mode.

    However, per his comment, look at using a PAC/WPAD file. It's basically a way to get the browser to automatically pickup the (non-transparent) proxy settings without having to touch the config on each browser (assuming they are already set to auto-detect proxy settings).



  • DHCP can help on WPAD too.

    Creating a NAT/port forward to intercept traffic is the same as a transparent proxy  ;)
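    Following the PAC/WPAD suggestion in the two replies above, here is an added example of what such a proxy auto-config file looks like. It is not from the thread or from the pfSense/Squid projects, and it assumes things the thread does not state: that the pfSense LAN address is 192.168.1.1, that Squid/DansGuardian listen on 8080, and that the internal AD domain is school.local. Browsers set to "auto-detect proxy settings" fetch the file as http://wpad.<domain>/wpad.dat (a DNS record for wpad) or from the URL handed out in DHCP option 252, which is the DHCP point made above. The file is plain JavaScript; the browser calls FindProxyForURL once per request and uses the returned string.

```javascript
// Added example (not from the thread): a minimal wpad.dat / proxy.pac for a
// pfSense + Squid + DansGuardian set-up that needs an explicit proxy so that
// Squid can authenticate users against AD.
//
// Assumed values (hypothetical, change for your site):
var PROXY = "PROXY 192.168.1.1:8080";   // pfSense LAN address, DG/Squid port
var LOCAL_DOMAIN = ".school.local";     // internal AD domain

// True for hosts given as a literal IPv4 address in RFC 1918 or loopback
// space. Plain string/regex code is used instead of the PAC built-ins
// (isInNet, dnsDomainIs) so the file also runs outside a browser for testing.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         a === 127;
}

function endsWith(str, suffix) {
  return str.length >= suffix.length &&
         str.substr(str.length - suffix.length) === suffix;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Bare hostnames (intranet, printers) and the internal domain go direct.
  if (host.indexOf(".") === -1 || host === "localhost") return "DIRECT";
  if (endsWith(host, LOCAL_DOMAIN)) return "DIRECT";

  // Anything addressed by a private IP is also internal.
  if (isPrivateIPv4(host)) return "DIRECT";

  // Everything else, http and https alike, goes through the authenticating
  // proxy. Deliberately no "; DIRECT" fallback: that would let a client reach
  // the internet unfiltered whenever the proxy is down or blocked.
  return PROXY;
}
```

    The absence of a "; DIRECT" fallback is the security-relevant choice here: with the fallback, a student only has to make the proxy unreachable (or wait for it to fail) to get unfiltered access. Combined with a LAN rule that blocks outbound 80/443 from anything other than the proxy, a device that removes its proxy settings or ignores WPAD gets no web access at all rather than uncontrolled access.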



  • Thanks for the replies.  Given that I have to accommodate a wide range of devices such as Android based ones, I'm not sure how using DHCP/PAC would work.
    Anyway, I still think a NAT rule on port 80 should work, so I've spent more time on this.
    In particular:

    1. I changed the Webconfigurator to HTTPS and further assigned port 500 just to make sure it was nowhere near port 80
    2. I checked "disable webconfigurator redirect rule"
    3. On a desktop I installed Opera, and made sure that in the settings, any proxy was unchecked - then I got some strange results...
    4. My NAT rule redirects port 80 to port 8080 on the pfsense box

    When using Opera:
    On entry of a URL such as www.google.com, I got prompted for user/password credentials and proved that these had to be valid Squid/AD credentials.
    Then as the site loaded and pulled in additional links, each one prompted for credentials and if I entered these eventually the site fully loaded.
    Having set up three site access lists (one for teachers, students and no-internet) with a user in each, I was able to prove that by authenticating with each user, and attempting to access an associated banned site, I got the correct display from Dans Guardian.

    So, IE returns a flat "cached access denied, you must authenticate to view this page" and Opera prompts for credentials for each page/link being loaded.

    Does this behaviour help in any way to resolve this?



  • Please let me know what OS you are running on your client PCs and what version of IE.
    I think you are running into an issue with IE and NTLM/NTLM2 authentication.



  • Further intensive work on this issue.
    First, the OS on the client I am testing on is Windows 7 and I think the behaviour of Opera I reported earlier is a side issue.

    Next, when I configure Squid, I leave the Transparent Proxy checkbox unchecked.  Under Firewall/NAT I've set up the port forward for port 80 to port 8080 as per my earlier post.
    As soon as I change the Authentication Method in Squid from "none" to "ldap" I can no longer access the internet via a browser with no proxy settings.
    This results in "cache access denied" within IE.

    Further, if I disable the port forward rule, there is then uncontrolled direct access to the internet!

    The conclusion is that the only way for user authentication (needed for Lightsquid monitoring of user activity, and for group membership), and for group based site access lists is for proxy settings to be defined in the browser.

    In the situation where the use of squid/dans guardian is designed to filter and monitor user activity this limitation seems bizarre, as by default all devices have no proxy settings.  In a school environment, students have only to remove their proxy settings to gain direct internet access!

    At least with the port forward rule, they are forced to enter proxy settings.

    Up to and including Android 4, PAC files are not supported, so users with Android devices have to have proxy settings entered manually.  For junior school pupils this will at least initially be difficult.

    I would be grateful for any further advice as to how to invoke LDAP authentication in Squid, use a port forward rule and avoid having to enter proxy settings manually.



  • I'm guessing your redirect is not 100%

    Bind squid to the loopback interface
    under the outbound tab the redirect should be any source your network range, port any , destination any, port 80 redirect ip 127.0.0.1 whatever port you have squid running on.

    As you mentioned students you will need to redirect port 443 as well because if you just open it for https it won't take them long to be bypassing your filtering.

    You also need a rule on your LAN interface to block direct internet traffic after the one that allows the redirect.



  • @Gloom:

    I'm guessing your redirect is not 100%

    Bind squid to the loopback interface
    under the outbound tab the redirect should be any source your network range, port any , destination any, port 80 redirect ip 127.0.0.1 whatever port you have squid running on.

    As you mentioned students you will need to redirect port 443 as well because if you just open it for https it won't take them long to be bypassing your filtering.

    You also need a rule on your LAN interface to block direct internet traffic after the one that allows the redirect.

    Redirecting 443 (SSL) will not work transparently. Using dans for SSL traffic requires an explicit proxy configuration. This is a limitation of how SSL and the overall flow works - not dans.



  • Thanks for the reply - I've been away in the mountains for a few days and had to put this problem to one side.

    When I bind squid to loopback, I immediately lose all contact with the web configurator and the internet. The only way to get things working again is to manually edit squid.conf back to my LAN address, and restart squid.

    What is going on here? Am I missing something?

    In your response you state:

    "under the outbound tab the redirect should be any source your network range, port any , destination any, port 80 redirect ip 127.0.0.1 whatever port you have squid running on"

    Which outbound tab are you referring to ?

