[KLUG Members] Web Proxy/Filter/Auth

Adam Tauno Williams members@kalamazoolinux.org
Thu, 9 Oct 2003 10:51:46 -0400


> > Squid is free.
> > > I've looked at Dan's guardian and am quite impressed with it. However it
> > > doesn't let me configure it on a per user basis also logs are just ip
> > > address no user names.
> Squid with Dans Guardian is the best filtered approach.  If you do
> transparent proxy though you cannot log by name.  If you do not use
> transparent proxy then you can use authentication.  I have not used
> the auto-login feature that Adam mentioned.  

Now included with Samba 3.0, since I think the NTLM module shipped with Squid
won't work anymore (it doesn't for me, just vomits up protocol errors).  Samba
3.0 now produces /usr/bin/ntlm_auth

From "man ntlm_auth"

ntlm_auth is a helper utility that authenticates users using NT/LM
authentication. It returns 0 if the users is authenticated successfully and 1 if
access was denied. ntlm_auth uses winbind to access the user and authentication
data for a domain. This utility is only to be used by other programs (currently
squid).

> The login issue is not a Dans Guardian issue but a Squid issue. 
> Squid will not log by name in transparent proxy mode.  So you would
> have to setup the proxy information in each client or setup automatic
> proxy (I have not done this yet).  

To auto config proxy settings in IE -  add -

option wpad-url code 252 = text;
option wpad-url "http://wpad.morrison.iserv.net/wpad.dat";

to your DHCP server (assuming ISC DHCPd).  And publish the wpad.dat file
somewhere that clients can get to without any authentication.  The wpad.dat file
is a javascript program for setting the proxy settings, IE will automatically
run this.

Something like -

function FindProxyForURL(url, host)
{
  if (url.substring(0, 5) == "http:") {
       return "PROXY kohocton.morrison.iserv.net:3128; DIRECT";
  }
  else if (url.substring(0, 4) == "ftp:") {
       return "PROXY kohocton.morrison.iserv.net:3128; DIRECT";
  }
  else if (url.substring(0, 7) == "gopher:") {
       return "PROXY kohocton.morrison.iserv.net:3128; DIRECT";
  }
  else if (url.substring(0, 6) == "https:" || url.substring(0, 6) == "snews:") {
       return "PROXY kohocton.morrison.iserv.net:3128;  DIRECT";
  }
  else {
        return "DIRECT";
  }
}
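
Added example, not part of the original message: a small Node.js check that loads a wpad.dat-style function and reports, per URL, whether clients are held to the proxy or can fall back to "DIRECT" and so skip the filter. A PAC return value is an ordered fallback list, so "PROXY ...; DIRECT" goes direct whenever the proxy is unreachable. The helper names (loadPac, parseResult, classify, auditPac), the condensed sample PAC and the test URLs are assumptions made for illustration.

```javascript
// Added example: audit a PAC (wpad.dat) function for routes that bypass the proxy.
// Constructed sample: the wpad.dat logic from the message, condensed to two branches.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (url.substring(0, 5) == "http:" || url.substring(0, 6) == "https:") {
    return "PROXY kohocton.morrison.iserv.net:3128;  DIRECT";
  }
  return "DIRECT";
}`;

// Turn PAC source text into its FindProxyForURL function.
// new Function is not a sandbox: only load PAC files you publish yourself.
function loadPac(source) {
  return new Function(source + "\nreturn FindProxyForURL;")();
}

// Split a PAC result ("PROXY host:port; DIRECT") into its ordered fallback list.
function parseResult(result) {
  return result.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Classify how one URL is routed:
//   "proxy-only"      no DIRECT entry, traffic cannot skip the filter
//   "direct-fallback" proxy first, DIRECT used if the proxy is unreachable
//   "direct"          the proxy is never tried for this URL
function classify(pac, url) {
  const host = new URL(url).hostname;
  const entries = parseResult(pac(url, host));
  const directAt = entries.findIndex((e) => e.toUpperCase() === "DIRECT");
  if (directAt === -1) return "proxy-only";
  return directAt === 0 ? "direct" : "direct-fallback";
}

// Run a list of test URLs through the PAC and return { url: classification }.
function auditPac(source, urls) {
  const pac = loadPac(source);
  const report = {};
  for (const url of urls) report[url] = classify(pac, url);
  return report;
}

console.log(auditPac(SAMPLE_PAC, [
  "http://example.com/",
  "https://example.com/",
  "mms://example.com/stream", // constructed URL for a scheme the PAC does not list
]));
```

Removing "; DIRECT" from a return value makes that branch report "proxy-only"; clients then fail rather than bypass the filter when the proxy is down.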