Squid et SquidGuard avec AD impossible de faire fonctionner

Support Debian
#1

Bonjour,

J’ai installé sur une Debian 8.5 squid et squidGuard.
Squid fonctionne bien et l’authentification sur un serveur AD permet de n’autoriser le surf que pour les membres d’un groupe.
squidGuard fonctionne sur le mode filtrage IP mais impossible sur le filtrage groupe AD.
Ci dessous squid.conf et squidGuard.conf si quelqu’un a une petite idée du problème.

Squid.conf

`# OPTIONS FOR AUTHENTICATION

-----------------------------------------------------------------------------

Squid normally listens to port 3128

http_port 3128
icp_port 3130

visible_hostname sv-squid

auth_param doit être placé avant les acl

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm children 5
auth_param ntlm keep_alive on acl password proxy_auth REQUIRED

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm CMPR.COM
auth_param basic credentialsttl 2 hour

Recommended minimum configuration:

#acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

Example rule allowing access from your local networks.

Adapt to list your (internal) IP networks from where browsing

should be allowed

#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl DHCP src 10.20.0.0/16

Liste des autorisations

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow DHCP
http_access deny all
icp_access deny all
htcp_access deny all

#ne pas mettre en cache les url
hierarchy_stoplist cgi-bin ?

#Fichier Log
access_log /var/log/squid3/access.log

log_mime_hdrs on

coredump_dir /var/spool/squid3
cache_effective_user proxy
cache_effective_group proxy
store_avg_object_size 5 GB
cachemgr_passwd cachemgr all

Recommended minimum Access Permission configuration:

Deny requests to certain unsafe ports

http_access deny !Safe_ports

Deny CONNECT to other than secure SSL ports

http_access deny CONNECT !SSL_ports

Only allow cachemgr access from localhost

http_access allow localhost manager
http_access deny manager

We strongly recommend the following be uncommented to protect innocent

web applications running on the proxy server who think the only

one who can access services on “localhost” is a local user

#http_access deny to_localhost

INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

Example rule allowing access from your local networks.

Adapt localnet in the ACL section to list your (internal) IP networks

from where browsing should be allowed

#http_access allow localnet
http_access allow localhost

And finally deny all other access to this proxy

http_access deny all

Allow ICP queries from local networks only

##icp_access allow localnet
##icp_access deny all
#Default:

Deny, unless rules exist in squid.conf.

Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320

error_directory /usr/share/squid/errors/French

url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
url_rewrite_children 5

`

squidGuard.conf

`logdir /var/log/squid3
dbhome /var/lib/squidguard/db/blacklists

######################################
#Configuration pour authentification LDAP

ldapbinddn cn=proxyad,ou=Administrateurs,ou=Cadre,dc=MONDOMAIN,dc=COM
ldapbindpass motdepasseproxyad

######################################
#Configuration du cache LDAP
ldapcachetime 300

ldapprotover 3
#stripntdomain true
#striprealm true

######################################
#Source addresses

src nositemax {
ldapusersearch ldap://10.20.2.22/ou=internetrules,dc=mondomain,dc=com?uid?sub?(&(objectclass=InetOrgPerson)(uid=%s))

}

#src oksitemax {

ldapusersearch ldap://10.20.2.22:3268/dc=mondomain,dc=com?sAMAccountName?sub?(&(memberof=CN=oksitemax%2cOU=internetrules%2cDC=mondomain%2cDC=com)(sAMAccountName=%s))

#}
src oksitemax {
ldapusersearch ldap://dc1.mondomain.com:3268/dc=domain,dc=com?sAMAccountName?sub?(&(memberof=CN=oksitemax%2cOU=internetrules%2cDC=mondomain%2cDC=com)(sAMAccountName=%s))

}
src admin {
ip 10.20.2.9
}

src vip {
ip 10.20.2.22
}

src tse {
ip 10.20.2.25 10.20.2.26 10.20.2.27
}

src uf {
ip 10.20.3.71
}
src test {
ip 10.20.3.40
}

src users {
ip 10.20.0.0-10.20.255.255
}

#########################################

Destination

#########################################

dest adult
{
domainlist adult/domains
urllist adult/urls
expressionlist adult/expressions
}

destination agressif
{
urllist agressif/urls
domainlist agressif/domains
}

destination audio-video
{
urllist audio-video/urls
domainlist audio-video/domains
}

destination blog
{
urllist blog/urls
domainlist blog/domains
}

destination cleaning
{
urllist cleaning/urls
domainlist cleaning/domains
}

destination dangerous_material
{
urllist dangerous_material/urls
domainlist dangerous_material/domains
}

destination drogue
{
urllist drogue/urls
domainlist drogue/domains
}

destination financial
{
domainlist financial/domains
}

destination forums
{
urllist forums/urls
domainlist forums/domains
}
destination gambling
{
urllist gambling/urls
domainlist gambling/domains
}

destination hacking
{
urllist hacking/urls
domainlist hacking/domains
}

destination mobile-phone
{
urllist mobile-phone/urls
domainlist mobile-phone/domains
}

destination publicite
{
urllist publicite/urls
domainlist publicite/domains
}

destination radio
{
urllist radio/urls
domainlist radio/domains
}

destination redirector
{
urllist redirector/urls
domainlist redirector/domains
}

destination strict_redirector
{
urllist strict_redirector/urls
domainlist strict_redirector/domains
}
destination strong_redirector
{
urllist strong_redirector/urls
domainlist strong_redirector/domains
}

destination tricheur
{
urllist tricheur/urls
domainlist tricheur/domains
}

destination warez {
urllist warez/urls
domainlist warez/domains
}

destination webmail
{
urllist webmail/urls
domainlist webmail/domains
}

destination games
{
urllist games/urls
domainlist games/domains
}

destination mixed_adult
{
urllist mixed_adult/urls
domainlist mixed_adult/domains
}

destination filehosting
{
urllist filehosting/urls
domainlist filehosting/domains
}

destination reaffected
{
urllist reaffected/urls
domainlist reaffected/domains
}

destination sexual_education
{
urllist sexual_education/urls
domainlist sexual_education/domains
}

destination shopping
{
urllist shopping/urls
domainlist shopping/domains
}

destination dating
{
urllist dating/urls
domainlist dating/domains
}

destination marketingware
{
urllist marketingware/urls
domainlist marketingware/domains
}
destination astrology
{
urllist astrology/urls
domainlist astrology/domains
}
destination sect
{
urllist sect/urls
domainlist sect/domains
}

destination celebrity
{
urllist celebrity/urls
domainlist celebrity/domains
}

destination manga
{
urllist manga/urls
domainlist manga/domains
}

destination child
{
urllist child/urls
domainlist child/domains
}

destination malware
{
urllist malware/urls
domainlist malware/domains
}

destination press
{
urllist press/urls
domainlist press/domains
}

destination phishing
{
urllist phishing/urls
domainlist phishing/domains
}

destination remote-control
{
urllist remote-control/urls
domainlist remote-control/domains
}

Spécifique : Si vous avez un squidguard au moins égal à 1.3, on peut réécrire les requêtes google

Attention, les versions récentes de squidguard pourraient ne pas être compatibles

rewrite search_engine
{
s@(..google…/(custom|search|images|groups|news)?.q=.)@\1&safe=strict@i
s@(./yandsearch?.text=.)@\1&fyandex=1@i
s@(..yahoo…/search.p=.)@\1&vm=r@i
s@(..live…/.q=.)@\1&adlt=strict@i
s@(..msn…/.q=.)@\1&adlt=strict@i
s@(..bing…/search.q=.)@\1&adlt=strict@i
}

#dest arjel {

urllist arjel/urls

domainlist arjel/domains

#}

#dest associations_religieuses {

urllist associations_religieuses/urls

domainlist associations_religieuses/domains

#}

acl {
admin {
pass any
}

    oksitemax {
            pass !adult all
            redirect http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u    
      }

    vip {
            pass !adult !drogue !phishing !marketingware !forums any
            redirect http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    }

    tse {
            pass !adult !drogue !phishing !marketingware !forums any
            redirect http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    }
    
    test {
        pass any
    }
    
    uf {
            pass !adult !agressif !audio-video !blog !cleaning !dangerous_material !drogue !financial !forums !gambling !hacking !mobile-phone !publicite !radio !redirector !strict_redirector !strong_redirector !tricheur !warez !webmail !games !mixed_adult !filehosting !reaffected !sexual_education !shopping !dating !marketingware !astrology !sect !celebrity !manga !child !malware !press !phishing !remote-control any
            redirect http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    }        

    users {
            pass !adult !agressif !audio-video !blog !cleaning !dangerous_material !drogue !financial !forums !gambling !hacking !mobile-phone !publicite !radio !redirector !strict_redirector !strong_redirector !tricheur !warez !webmail !games !mixed_adult !filehosting !reaffected !sexual_education !shopping !dating !marketingware !astrology !sect !celebrity !manga !child !malware !press !phishing !remote-control any
            redirect http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    
    }
    
    nositemax {
            pass !adult !agressif !audio-video !blog !cleaning !dangerous_material !drogue !financial !forums !gambling !hacking !mobile-phone !publicite !radio !redirector !strict_redirector !strong_redirector !tricheur !warez !webmail !games !mixed_adult !filehosting !reaffected !sexual_education !shopping !dating !marketingware !astrology !sect !celebrity !manga !child !malware !press !phishing !remote-control any
            redirect http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    
    }
    
    default {
            pass      none
            redirect http://127.0.0.1/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
    }

}

`