Always need to edit squid.inc to make things work with Active Dir and ACL Subnet



  • I seem to always need to add "-R" to the squid.inc file for Active Dir auth to work.
    I also always need to edit the noauth section to get the ACL NoAuth subnets to work

    To make AD work:
    $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -R -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";

    To make the ACL no auth subnets work:
    if (!empty($noauth)) {
          $noauth = str_replace("\r", "", $noauth); // ADD THIS WHOLE LINE: strips the carriage return (shown as ^M in an editor)
          $conf .= "acl noauth src $noauth\n";
    }

    Another pain, and probably more of a feature request, is the delay pools. Default configs always have 1 delay pool configured; it would be nice if this were somehow optional. Right now I comment out all delay pools in the squid.inc and define new ones in the custom boxes

    1519 #            delay_pools 1
    1520 #            delay_class 1 2
    1521 #            delay_parameters 1 $overall/$overall $perhost/$perhost
    1522 #            delay_initial_bucket_level 100
    1530 #            $conf .= "delay_access 1 deny $item\n";
    1557 #            $conf .= "delay_access 1 allow throttle_exts\n";
    1558 #            $conf .= "delay_access 1 deny allsrc\n";
    1561 #            $conf .= "delay_access 1 allow allsrc\n";

    Add in the custom boxes (example):

    acl slowsites url_regex -i "/root/squid_acl/slowsites.acl"
    acl school_hours time MTWHF 08:00-15:30

    delay_pools 1
    delay_class 1 1
    delay_parameters 1 8000/8000
    delay_access 1 allow slowsites school_hours
    delay_access 1 deny all
    delay_initial_bucket_level 100

    Not a big deal but kinda a pain when I build a new system or upgrade versions.

    TIA..

    PS..REALLY LIKE the new option of toggling squid to be on/off…finally!


  •

    Please, post a diff so that people can use it. Describing patches really sucks.

    diff -u /usr/local/pkg/squid.inc.old /usr/local/pkg/squid.inc.old

  •

    @dsefcik:

    $noauth=str_replace("^M", "", $noauth); ←–--  (ADD THIS WHOLE LINE)

    Can you test this instead?

    $noauth = implode(' ', explode("\n", sq_text_area_decode($settings['no_auth_hosts'])));

    And: https://redmine.pfsense.org/issues/5306 - dunno really why people should be dealing with such nonsense in every package that happens to use textarea.  >:(

    Regarding that -R option: Uhm… certainly not sure that's a good default for everyone. Why's your DC returning the referral to another server in the first place, instead of providing the info?



  • @doktornotor:

    Please, post a diff so that people can use it. Describing patches really sucks.

    diff -u /usr/local/pkg/squid.inc.old /usr/local/pkg/squid.inc.old

    Not sure which one you wanted first, you have the .old in both

    diff -u /usr/local/pkg/squid.inc.orig /usr/local/pkg/squid.inc
    --- /usr/local/pkg/squid.inc.orig	2015-10-14 06:42:25.000000000 -0700
    +++ /usr/local/pkg/squid.inc	2015-10-13 00:14:46.000000000 -0700
    @@ -1576,10 +1576,10 @@
     		$perhost *= 1024;
     	}
     	$conf .= <<< EOD
    -delay_pools 1
    -delay_class 1 2
    -delay_parameters 1 $overall/$overall $perhost/$perhost
    -delay_initial_bucket_level 100
    +#delay_pools 1
    +#delay_class 1 2
    +#delay_parameters 1 $overall/$overall $perhost/$perhost
    +#delay_initial_bucket_level 100
    
     EOD;
    
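Review bot: commenting out the four lines inside the heredoc at 1576-1579 hardcodes one site's preference instead of making delay pools optional; the heredoc is still emitted, so every generated squid.conf now carries four `#delay_*` comment lines and an empty block. A cleaner change wraps the whole heredoc assignment in a check of a new package setting (the "enable delay pools" checkbox the original post asks for), so the section is absent entirely when disabled. The header timestamps are also worth a second look before anyone applies this with `patch`: the `.orig` copy (2015-10-14) is newer than the edited file (2015-10-13).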
    @@ -1587,7 +1587,7 @@
     		foreach (array('unrestricted_hosts') as $item) {
     			if (in_array($item, $valid_acls)) {
     				$conf .= "# Do not throttle unrestricted hosts\n";
    -				$conf .= "delay_access 1 deny $item\n";
    +#				$conf .= "delay_access 1 deny $item\n";
     			}
     		}
     	}
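Review bot: with `delay_access 1 deny $item` commented out via a PHP `#` comment, the preceding `$conf .= "# Do not throttle unrestricted hosts\n";` is still emitted, so the generated squid.conf describes a rule that no longer exists. Either skip the whole `foreach` block under the same condition as the first hunk, or move the comment inside the condition that emits the directive.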
    @@ -1617,10 +1617,10 @@
    
     		$conf .= "# Throttle extensions matched in the url\n";
     		$conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
    -		$conf .= "delay_access 1 allow throttle_exts\n";
    -		$conf .= "delay_access 1 deny allsrc\n";
    +#		$conf .= "delay_access 1 allow throttle_exts\n";
    +#		$conf .= "delay_access 1 deny allsrc\n";
     	} else {
    -		$conf .= "delay_access 1 allow allsrc\n";
    +#		$conf .= "delay_access 1 allow allsrc\n";
     	}
    
     	return $conf;
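Review bot: the `acl throttle_exts urlpath_regex ...` line is still emitted while every `delay_access` that referenced it is commented out, so squid loads throttle_exts.acl for an ACL nothing uses, and the `else` branch now contributes nothing. Same suggestion as for the first hunk: gate the whole throttling section on a package setting rather than leaving per-line `#` comments in the PHP.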
    @@ -1768,6 +1768,7 @@
     	} else {
     		$noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts'])));
     		if (!empty($noauth)) {
    ", "", $noauth);         $noauth=str_replace("
     			$conf .= "acl noauth src $noauth\n";
     			$valid_acls[] = 'noauth';
     		}
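Review bot: the added line at 1771 has been mangled in transit; it reads `", "", $noauth);         $noauth=str_replace("` because a literal carriage return inside the string was split by the forum or the extraction, so this hunk will not apply as posted. The intended line is `$noauth = str_replace("\r", "", $noauth);` with an escaped `\r`, not a raw control character in the source. Better still, handle the line endings before the `explode("\n", ...)` on the line above (or use the `sq_text_area_decode()` helper suggested earlier in this thread), since the root cause is the CRLF endings the textarea saves, and the trailing `\r` on each element is what truncates the `acl noauth src` line to the first subnet.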
    @@ -1783,7 +1784,7 @@
     			case 'ldap':
     				$port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
     				$password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
    -				$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
    +				$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -R -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
     				break;
     			case 'radius':
     				$port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
    
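Review bot: adding `-R` unconditionally at 1787 changes behaviour for every LDAP deployment, not only Active Directory sites that return referrals; make it a package option (the poster's own checkbox suggestion) and keep the existing default. Two things in the visible context of this block also deserve attention while it is being touched: the bind password is passed as `-w {$settings['ldap_pass']}` on the helper's command line, where any local user can read it from the process list, and `{$settings['ldap_filter']}` is interpolated inside `\"...\"` without escaping, so a filter containing a double quote breaks the `auth_param` line. Escaping these values before interpolation (and preferring a password file if the helper supports one) would make the generated config more robust.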



  • @doktornotor:

    Can you test this instead?

    $noauth = implode(' ', explode("\n", sq_text_area_decode($settings['no_auth_hosts'])));

    And: https://redmine.pfsense.org/issues/5306 - dunno really why people should be dealing with such nonsense in every package that happens to use textarea.  >:(

    With the orig code I get this

    /usr/pbi/squid-amd64/bin/squid -k parse
    Processing: acl noauth src 10.1.0.0/22

    I think that will work; with your suggested change I get this, which is correct:

    /usr/pbi/squid-amd64/bin/squid -k parse
    Processing: acl noauth src 10.1.0.0/22 10.1.4.0/24 10.1.20.0/22 10.1.24.0/21 10.1.32.0/22 10.1.52.0/22 10.1.64.0/22 10.1.84.0/22 10.1.96.0/22 10.1.116.0/22 10.1.128.0/22 10.1.148.0/22 10.2.20.0/22 10.2.24.0/21 10.2.52.0/22 10.3.20.0/22 10.3.24.0/21 10.3.52.0/22

    I don't understand your redmine url comment, is that a bug you are submitting?
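A worked illustration of the CRLF problem behind the `acl noauth src` truncation discussed in the original post and confirmed above, added here as an example and not code from the pfSense squid package: it models the original squid.inc line (base64_decode plus explode on "\n") on constructed textarea content saved with CRLF endings, then shows a replacement; the input validation in the fixed version is an addition beyond what the thread proposes.

```php
<?php
// Added example, not code from the pfSense squid package: models the original
// squid.inc line (base64_decode + explode on "\n") against textarea content
// saved with CRLF line endings, and a hardened replacement.

// Constructed sample: three subnets pasted into the GUI textarea with CRLF.
$stored = base64_encode("10.1.0.0/22\r\n10.1.4.0/24\r\n10.1.20.0/22\r\n");

// Original behaviour: explode("\n") leaves a trailing "\r" on each element,
// so raw carriage returns end up inside the generated acl line.
function noauth_acl_original(string $b64): string
{
    $noauth = implode(' ', explode("\n", base64_decode($b64)));
    return "acl noauth src $noauth\n";
}

// Fixed behaviour: split on any line ending (\R matches CRLF, LF or CR), trim
// and drop blank entries, and accept only IP/CIDR tokens so that a stray value
// cannot smuggle a second directive into squid.conf (the validation is an
// addition here, beyond what the thread proposes).
function noauth_acl_fixed(string $b64): string
{
    $hosts = [];
    foreach (preg_split('/\R/', base64_decode($b64)) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        if (!preg_match('~^[0-9A-Fa-f.:]+(/\d{1,3})?$~', $line)) {
            throw new InvalidArgumentException("rejected no-auth host entry: $line");
        }
        $hosts[] = $line;
    }
    return $hosts ? 'acl noauth src ' . implode(' ', $hosts) . "\n" : '';
}

// Make the control characters visible when printing the two results.
echo 'original: ', addcslashes(noauth_acl_original($stored), "\r\n"), PHP_EOL;
echo 'fixed:    ', addcslashes(noauth_acl_fixed($stored), "\r\n"), PHP_EOL;
```

Run with `php` on the command line; the original variant prints `\r` after every subnet, which is why squid only reports the first one during `-k parse`.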



  • @doktornotor:

    Regarding that -R option: Uhm… certainly not sure that's a good default for everyone. Why's your DC returning the referral to another server in the first place, instead of providing the info?

    I am not sure exactly what the -R option does, but we have probably 10 DCs across 3 campuses and we have to make this change for any of them to authenticate. When researching why auth was not working, that was a "fix" I found in many threads and it solves the problem for us. Perhaps it could be a checkbox or something.

    Can you describe what it does? You seem to think we should not need to add this.


  •

    @dsefcik:

    Can you describe what it does? You seem to think we should not need to add this.

    http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_auth.html

    -R        do not follow referrals

    Read this: LDAP Referrals, mainly:

    An LDAP referral is a domain controller's way of indicating to a client application that it does not have a copy of a requested object (or, more precisely, that it does not hold the section of the directory tree where that object would be, if in fact it exists) and giving the client a location that is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller.

    Either you are querying wrong DCs or there's something wrong with your setup really.

