Always need to edit squid.inc to make things work with Active Dir and ACL Subnet
-
I seem to always need to add "-R" to the squid.inc file for Active Dir auth to work.
I also always need to edit the noauth section to get the ACL NoAuth subnets to work.
To make AD work:
$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -R -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
To make the ACL no auth subnets work:
if (!empty($noauth)) {
$noauth = str_replace("\r", "", $noauth); // strips the carriage return that shows up as ^M  ←–-- (ADD THIS WHOLE LINE)
$conf .= "acl noauth src $noauth\n";
Another pain and probably more of a feature request is the delay pools. Default configs always have 1 delay pool configured, it would be nice if this was somehow optional. Right now I comment out all delay pools in the squid.inc and define new ones in the custom boxes:
1519 # delay_pools 1
1520 # delay_class 1 2
1521 # delay_parameters 1 $overall/$overall $perhost/$perhost
1522 # delay_initial_bucket_level 100
1530 # $conf .= "delay_access 1 deny $item\n";
1557 # $conf .= "delay_access 1 allow throttle_exts\n";
1558 # $conf .= "delay_access 1 deny allsrc\n";
1561 # $conf .= "delay_access 1 allow allsrc\n";
Add in the custom boxes (example):
acl slowsites url_regex -i "/root/squid_acl/slowsites.acl"
acl school_hours time MTWHF 08:00-15:30
delay_pools 1
delay_class 1 1
delay_parameters 1 8000/8000
delay_access 1 allow slowsites school_hours
delay_access 1 deny all
delay_initial_bucket_level 100
Not a big deal but kinda a pain when I build a new system or upgrade versions.
TIA..
PS..REALLY LIKE the new option of toggling squid to be on/off…finally!
-
Please, post a diff so that people can use it. Describing patches really sucks.
diff -u /usr/local/pkg/squid.inc.old /usr/local/pkg/squid.inc.old
-
$noauth=str_replace("^M", "", $noauth); ←–-- (ADD THIS WHOLE LINE)
Can you test this instead?
$noauth = implode(' ', explode("\n", sq_text_area_decode($settings['no_auth_hosts'])));
And: https://redmine.pfsense.org/issues/5306 - dunno really why people should be dealing with such nonsense in every package that happens to use textarea. >:(
Regarding that -R option: Uhm… certainly not sure that's a good default for everyone. Why's your DC returning the referral to another server in the first place, instead of providing the info?
-
Please, post a diff so that people can use it. Describing patches really sucks.
diff -u /usr/local/pkg/squid.inc.old /usr/local/pkg/squid.inc.old
Not sure which one you wanted first, you have the .old in both
diff -u /usr/local/pkg/squid.inc.orig /usr/local/pkg/squid.inc --- /usr/local/pkg/squid.inc.orig 2015-10-14 06:42:25.000000000 -0700 +++ /usr/local/pkg/squid.inc 2015-10-13 00:14:46.000000000 -0700 @@ -1576,10 +1576,10 @@ $perhost *= 1024; } $conf .= <<< EOD -delay_pools 1 -delay_class 1 2 -delay_parameters 1 $overall/$overall $perhost/$perhost -delay_initial_bucket_level 100 +#delay_pools 1 +#delay_class 1 2 +#delay_parameters 1 $overall/$overall $perhost/$perhost +#delay_initial_bucket_level 100 EOD; @@ -1587,7 +1587,7 @@ foreach (array('unrestricted_hosts') as $item) { if (in_array($item, $valid_acls)) { $conf .= "# Do not throttle unrestricted hosts\n"; - $conf .= "delay_access 1 deny $item\n"; +# $conf .= "delay_access 1 deny $item\n"; } } } @@ -1617,10 +1617,10 @@ $conf .= "# Throttle extensions matched in the url\n"; $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; - $conf .= "delay_access 1 allow throttle_exts\n"; - $conf .= "delay_access 1 deny allsrc\n"; +# $conf .= "delay_access 1 allow throttle_exts\n"; +# $conf .= "delay_access 1 deny allsrc\n"; } else { - $conf .= "delay_access 1 allow allsrc\n"; +# $conf .= "delay_access 1 allow allsrc\n"; } return $conf; @@ -1768,6 +1768,7 @@ } else { $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); if (!empty($noauth)) { ", "", $noauth); $noauth=str_replace(" $conf .= "acl noauth src $noauth\n"; $valid_acls[] = 'noauth'; } 
@@ -1783,7 +1784,7 @@ case 'ldap': $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); - $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -R -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; break; case 'radius': $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
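Review bot: in the @@ -1576 hunk, prefixing the delay_pools/delay_class/delay_parameters/delay_initial_bucket_level lines with `#` inside the heredoc comments them out in the emitted squid.conf, not in the PHP, so the package still computes $overall and $perhost and writes four dead comment lines into every install. If the aim is to make the default pool optional, gate the whole block on a setting (a new checkbox in $settings, for instance) and skip emitting it, rather than hard-coding the lines as comments for all users.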
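Review bot: in the @@ -1587 hunk, with `$conf .= "delay_access 1 deny $item\n";` commented out, the preceding `$conf .= "# Do not throttle unrestricted hosts\n";` is still written to squid.conf and now describes nothing; either drop that comment line in the same change or put both lines behind the same condition that disables pool 1.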
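Review bot: in the @@ -1617 hunk, `acl throttle_exts urlpath_regex ...` is still declared while every `delay_access 1 ... throttle_exts` line that referenced it is commented out, leaving a declared but unreferenced ACL in the generated config; if pool 1 is disabled, skip the `acl throttle_exts` line as well, or keep the whole throttle block behind one switch.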
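Review bot: in the @@ -1768 hunk, the added `$noauth=str_replace(" ... ", "", $noauth);` line is unreadable as posted because it contains a raw carriage return inside the PHP string literal, which does not survive a diff or copy/paste; write it as `"\r"` if that approach is kept. Better, fix it where the textarea is decoded, as suggested elsewhere in this thread with sq_text_area_decode(), or split on `/\r\n|\n/` and trim each entry, so every consumer of `no_auth_hosts` gets clean lines instead of one acl being patched.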
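Review bot: in the @@ -1783 hunk, adding `-R` unconditionally to the `basic_ldap_auth` command line changes referral handling for every LDAP user of the package; make it a per-instance option (a checkbox that appends ` -R` when set, default off) and state in the option text that it stops the helper from following referrals. Unrelated to this change but visible on the same line, `-w {$settings['ldap_pass']}` passes the bind password as a command-line argument, where it is readable in the process list by local users; worth a separate ticket.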
-
Can you test this instead?
$noauth = implode(' ', explode("\n", sq_text_area_decode($settings['no_auth_hosts'])));
And: https://redmine.pfsense.org/issues/5306 - dunno really why people should be dealing with such nonsense in every package that happens to use textarea. >:(
With the orig code I get this
/usr/pbi/squid-amd64/bin/squid -k parse Processing: acl noauth src 10.1.0.0/22
I think that will work, with your suggested change I get this which is correct
/usr/pbi/squid-amd64/bin/squid -k parse Processing: acl noauth src 10.1.0.0/22 10.1.4.0/24 10.1.20.0/22 10.1.24.0/21 10.1.32.0/22 10.1.52.0/22 10.1.64.0/22 10.1.84.0/22 10.1.96.0/22 10.1.116.0/22 10.1.128.0/22 10.1.148.0/22 10.2.20.0/22 10.2.24.0/21 10.2.52.0/22 10.3.20.0/22 10.3.24.0/21 10.3.52.0/22
I don't understand your redmine url comment, is that a bug you are submitting?
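An added illustration of the carriage-return problem this thread is working around (not code from the squid package or from any poster): a textarea posts CRLF line endings, so exploding the base64-decoded text on "\n" leaves "\r" on every host, and that is what ends up in the acl line. The clean decoder below is a hypothetical stand-in for sq_text_area_decode(), whose real implementation is not shown here, with an IPv4/CIDR whitelist added as an assumption.

```php
<?php
// Added example, not from squid.inc. Shows the CRLF bug and one clean decode.

// Constructed sample: what the browser posts from a "No auth hosts" textarea.
$stored = base64_encode("10.1.0.0/22\r\n10.1.4.0/24\r\n10.1.20.0/22\r\n");

// Naive decode, as in the original squid.inc: each host keeps its trailing "\r".
function naive_noauth(string $stored): string {
    return implode(' ', explode("\n", base64_decode($stored)));
}

// Hypothetical clean decoder (stand-in for sq_text_area_decode()):
// normalise line endings, trim each entry, drop blanks, and only pass
// through plain IPv4 addresses or /prefix networks (assumed whitelist).
function decode_textarea_hosts(string $stored): array {
    $lines = preg_split('/\r\n|\r|\n/', base64_decode($stored));
    $hosts = [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        // Anything that is not IPv4 or IPv4/prefix is rejected instead of
        // being written into squid.conf.
        if (!preg_match('#^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$#', $line)) {
            continue;
        }
        $hosts[] = $line;
    }
    return $hosts;
}

$bad  = naive_noauth($stored);
$good = implode(' ', decode_textarea_hosts($stored));

// json_encode makes the stray \r characters visible in the naive result.
echo "naive : " . json_encode($bad) . "\n";
echo "clean : acl noauth src $good\n";
```

Run with `php example.php`; the first line shows `\r` after each subnet, the second is the single-line acl squid -k parse should report.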
-
Regarding that -R option: Uhm… certainly not sure that's a good default for everyone. Why's your DC returning the referral to another server in the first place, instead of providing the info?
I am not sure exactly what the -R option does but we have probably 10 DC's across 3 campuses and we have to make this change for any of them to authenticate. When researching why auth was not working that was a "fix" I found in many threads and it solves the problem for us. Perhaps it could be a checkbox or something.
Can you describe what it does? You seem to think we should not need to add this.
-
Can you describe what it does? You seem to think we should not need to add this.
http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_auth.html
-R do not follow referrals
Read this: LDAP Referrals, mainly:
An LDAP referral is a domain controller's way of indicating to a client application that it does not have a copy of a requested object (or, more precisely, that it does not hold the section of the directory tree where that object would be, if in fact it exists) and giving the client a location that is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller.
Either you are querying wrong DCs or there's something wrong with your setup really.