[KLUG Members] Web Proxy/Filter/Auth
Adam Tauno Williams
members@kalamazoolinux.org
Thu, 9 Oct 2003 10:51:46 -0400
> > Squid is free.
> > > I've looked at Dan's guardian and am quite impressed with it. However it
> > > doesn't let me configure it on a per user basis also logs are just ip
> > > address no user names.
> Squid with Dans Guardian is the best filtered approach. If you do
> transparent proxy though you cannot log by name. If you do not use
> transparent proxy then you can use authentication. I have not used
> the auto-login feature that Adam mentioned.
Now included with Samba 3.0, since I think the NTLM module shipped with Squid
won't work anymore (it doesn't for me, just vomits up protocol errors). Samba
3.0 now produces /usr/bin/ntlm_auth
From "man ntlm_auth"
ntlm_auth is a helper utility that authenticates users using NT/LM
authentication. It returns 0 if the users is authenticated successfully and 1 if
access was denied. ntlm_auth uses winbind to access the user and authentication
data for a domain. This utility is only to be used by other programs (currently
squid).
> The login issue is not a Dans Guardian issue but a Squid issue.
> Squid will not log by name in transparent proxy mode. So you would
> have to setup the proxy information in each client or setup automatic
> proxy (I have not done this yet).
To auto config proxy settings in IE - add -
    option wpad-url code 252 = text;
    option wpad-url "http://wpad.morrison.iserv.net/wpad.dat";
to your DHCP server (assuming ISC DHCPd). And publish the wpad.dat file
somewhere that clients can get to without any authentication. The wpad.dat file
is a javascript program for setting the proxy settings, IE will automatically
run this.
Something like -
    // Send http, ftp, gopher, https and snews through the proxy;
    // everything else goes direct.
    function FindProxyForURL(url, host)
    {
        if (url.substring(0, 5) == "http:") {
            return "PROXY kohocton.morrison.iserv.net:3128; DIRECT";
        }
        else if (url.substring(0, 4) == "ftp:") {
            return "PROXY kohocton.morrison.iserv.net:3128; DIRECT";
        }
        else if (url.substring(0, 7) == "gopher:") {
            return "PROXY kohocton.morrison.iserv.net:3128; DIRECT";
        }
        else if (url.substring(0, 6) == "https:" || url.substring(0, 6) == "snews:") {
            return "PROXY kohocton.morrison.iserv.net:3128; DIRECT";
        }
        else {
            return "DIRECT";
        }
    }
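
Added example (not part of the original post): the "; DIRECT" after the proxy entry in the wpad.dat above tells the browser to connect directly when the proxy does not answer, so those requests skip Squid's filtering and per-user logging unless the firewall blocks direct outbound access. The script below audits a PAC function for that fail-open fallback; makePac, parsePacResult, auditPac and the sample URLs are hypothetical names and constructed data.

```javascript
// Added example: audit a PAC function for fail-open (DIRECT) fallbacks.
// PROXY is the proxy named in the post; the sample URLs are constructed.
const PROXY = "kohocton.morrison.iserv.net:3128";

// Same scheme list as the wpad.dat above, with the fallback as a parameter.
function makePac(fallback) {
  const viaProxy = "PROXY " + PROXY + (fallback ? "; " + fallback : "");
  const proxied = ["http:", "https:", "ftp:", "gopher:", "snews:"];
  return function FindProxyForURL(url, host) {
    const scheme = url.substring(0, url.indexOf(":") + 1);
    return proxied.includes(scheme) ? viaProxy : "DIRECT";
  };
}

// Split a PAC result such as "PROXY h:3128; DIRECT" into ordered entries.
function parsePacResult(result) {
  return result.split(";").map(s => s.trim()).filter(Boolean).map(entry => {
    const [type, target = null] = entry.split(/\s+/);
    return { type: type.toUpperCase(), target };
  });
}

// Classify each URL: "proxy-only", "fail-open" (proxy, then DIRECT) or "direct".
function auditPac(pac, urls) {
  return urls.map(url => {
    const host = new URL(url).hostname;
    const entries = parsePacResult(pac(url, host));
    const hasDirect = entries.some(e => e.type === "DIRECT");
    const hasProxy = entries.some(e => e.type !== "DIRECT");
    const verdict = !hasProxy ? "direct" : hasDirect ? "fail-open" : "proxy-only";
    return { url, verdict };
  });
}

// Constructed sample URLs; the last scheme is not in the proxied list.
const SAMPLE_URLS = [
  "http://www.example.com/",
  "https://www.example.com/login",
  "snews://news.example.com/",
  "rtsp://media.example.com/stream",
];

console.log("as posted:  ", auditPac(makePac("DIRECT"), SAMPLE_URLS));
console.log("fail-closed:", auditPac(makePac(null), SAMPLE_URLS));
```

With the fallback removed, a client that cannot reach the proxy gets an error instead of an unlogged direct connection; schemes the PAC file does not list still return DIRECT either way.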