Arian, la configuración de mi Squid es la siguiente:
# Listen for client requests on TCP port 3128.
http_port 3128
# Port 0 turns ICP off.
icp_port 0
#hierarchy_stoplist cgi-bin ?
# Do not cache responses for URLs whose path contains "cgi-bin" or "?".
acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY
cache deny QUERY
cache_mem 640 MB
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 2048 KB
# On-disk cache: ufs store, 2048 MB, 16 first-level and 256 second-level directories.
cache_dir ufs /var/spool/squid 2048 16 256
access_log /var/log/squid/access.log common
cache_log /var/log/squid/cache.log
cache_store_log none
# Writes request and reply headers into access.log. Proxy-Authorization is
# one of them, so the log ends up holding users' Negotiate tokens (see the
# quoted log entry in this thread). Keep access.log readable only by
# administrators and turn this off once debugging is finished.
log_mime_hdrs on
pid_filename /var/run/squid.pid
dns_nameservers 192.168.17.3
diskd_program none
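# Disabled NTLM setup. Directives that the mail client had wrapped are written
# on one line again: squid.conf needs a directive and its arguments together.
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 50
#auth_param ntlm keep_alive off
#external_acl_type ad_group %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
# Kerberos (Negotiate) authentication helper.
#   -s  service principal; "(a)" appears to be the list archive's rendering
#       of "@" and has to be "@" in the real file
#   -k  keytab holding that principal's key; it should be readable only by
#       the account the helper runs as
#   -r  strip the realm from the user name
#   -d  debug output; worth dropping once authentication works
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r -d -s HTTP/cmgproxy.cmg.escambray.com.cu(a)CMG.ESCAMBRAY.COM.CU -k /etc/HTTP.keytab
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive off
# Group lookups for the authenticated user, cached for 300 s (negative answers
# for 60 s). Both helpers test the same group, "Intranet", so nav_nac and
# nav_inter match the same set of users.
external_acl_type acl_nav_nac ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g Intranet -D CMG.ESCAMBRAY.COM.CU
external_acl_type acl_nav_inter ttl=300 negative_ttl=60 %LOGIN /usr/lib64/squid/ext_kerberos_ldap_group_acl -a -g Intranet -D CMG.ESCAMBRAY.COM.CU
acl nav_nac external acl_nav_nac
acl nav_inter external acl_nav_inter
#acl DptoProceso external ad_group Proceso
#acl DptoComercial external ad_group Comercial
#acl DptoEconomia external ad_group Economia
#acl DptoDireccion external ad_group Direccion
#acl UserFTP external ad_group FTP
#acl auth_sitios dstdomain .escambray.com.cu
#acl auth_sitios_ip src 10.1.2.2 10.1.2.5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 60 seconds
#authenticate_ip_ttl 20 seconds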
# Upper bound on the size of a request's headers.
# NOTE(review): a Negotiate token travels in the Proxy-Authorization header
# and can be several KB on its own (the one quoted in this thread is long);
# confirm 5 KB leaves enough room for it.
request_header_max_size 5 KB
# Freshness rules: regex, minimum age (minutes), percent of object age, maximum age (minutes).
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# Dynamic content (cgi-bin or query strings) is never treated as fresh.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#Recommended minimum configuration:
#acl all src ALL
# NOTE(review): the quoted log shows squid/4.4; since Squid 3.2 "manager" is
# predefined, like "all", "localhost" and "to_localhost" - confirm this
# redefinition is still wanted.
acl manager proto cache_object
#acl localhost src 127.0.0.1
#acl to_localhost dst 127.0.0.0/8
# Ports a CONNECT tunnel may target.
acl SSL_ports port 443 563
# Destination ports regarded as safe for proxied requests.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
# Only referenced by a commented-out http_access rule in this file.
acl auth_ports port 21 1025-65535
acl CONNECT method CONNECT
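# ------ Local rules ---------
#acl mired src 192.168.17.0/24
#cl adminred proxy_auth victormanuel
# Matches any request that carries valid proxy credentials; a request without
# them gets an authentication challenge.
acl kerb-auth proxy_auth REQUIRED
#Deny access when the quota is exceeded
#http_access deny autenticacion blocked_user
# OUR FILTERING RULES
#http_access allow localhost
# Parent proxy, written on one line (the mail client had wrapped it).
# login= is a cleartext credential sent to the parent. It has been published
# together with this configuration, so change it on the parent proxy, and keep
# squid.conf readable only by root and the account Squid runs as.
cache_peer proxy.escambray.com.cu parent 3128 0 no-query login=infcmg:*infocmg-98
acl local_escambray dstdomain .escambray.com.cu
#acl local_escambray_ip src 10.1.2.0/24 192.168.17.0/24
# Local domains are fetched directly; everything else goes through the parent.
always_direct allow local_escambray
#always_direct allow local_escambray_ip
never_direct allow all
# http_access is evaluated top-down and the first match decides, so the port
# restrictions must come before any allow rule. Placed after
# "allow kerb-auth" they never applied to authenticated users, who could then
# open CONNECT tunnels to arbitrary ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager only from the proxy host itself ("localhost" is predefined in
# Squid 3.2 and later). The earlier form allowed it from any client because
# "localhost" had been commented out of the rule.
http_access allow localhost manager
http_access deny manager
#http_access deny MiRed !autenticacion !internet
#http_access allow CONNECT auth_sitios auth_ports
# NOTE(review): this rule admits every authenticated user, so the two group
# rules below never decide anything. If browsing should be limited to members
# of the "Intranet" group, use "http_access deny !kerb-auth" here instead.
http_access allow kerb-auth
http_access allow nav_nac
http_access allow nav_inter
# password DptoProceso
#http_access allow localnet password DptoComercial
#http_access allow localnet password DptoEconomia
#http_access allow localnet password DptoDireccion
#http_access allow localnet password UserFTP
http_access deny all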
#Bandwidth rules
# Two delay pools, both class 2 (one aggregate bucket plus one bucket per client host).
delay_pools 2
delay_class 1 2
delay_class 2 2
#delay_class 3 2
#delay_class 4 2
#delay_class 5 2
#delay_class 6 2
#delay_class 7 2
# NOTE(review): Squid documents delay_access as supporting only fast ACL
# types, and nav_nac / nav_inter are external (slow) ACLs - confirm the pools
# really apply. Both ACLs test the same group, so pool 2 would presumably
# never be selected once pool 1 matches.
delay_access 1 allow nav_nac
delay_access 2 allow nav_inter
#delay_access 3 allow DptoEconomia
#delay_access 4 allow DptoDireccion
#delay_access 5 allow Dir_Proc
#delay_access 6 allow ServGen
#delay_access 7 allow Informaticos
#Generic daytime pool
# Format: pool aggregate-restore/aggregate-max individual-restore/individual-max
# (restore in bytes per second, max in bytes).
delay_parameters 1 900000/5242880 524288/4194304
delay_parameters 2 900000/5242880 524288/4194304
#delay_parameters 3 900000/5242880 524288/4194304
#delay_parameters 4 900000/5242880 524288/4194304
#delay_parameters 5 900000/5242880 524288/4194304
#delay_parameters 6 900000/5242880 524288/4194304
#delay_parameters 7 900000/5242880 524288/4194304
#End of bandwidth control rules
http_reply_access allow all
# Presumably has no effect while icp_port is 0; if ICP is ever enabled,
# restrict this to the peers that need it.
icp_access allow all
# Name the proxy reports for itself, e.g. in error pages.
visible_hostname proxy_camaguey
# Spanish error page templates.
error_directory /usr/share/squid/errors/es
# SNMP agent off (port 0), with all SNMP queries denied as well.
snmp_port 0
snmp_access deny all
El 8/8/2020 a las 03:04:24 a.m., Arian Molina Aguilera escribió:
En 7 de agosto de 2020 11:32:41 a. m. Omar Hierrezuelo Montenegro
<omar(a)cmg.escambray.com.cu> escribió:
> Hola a todos, he configurado mi squid utilizando autenticación
> Kerberos contra un Active Directory de Windows Server 2012, y después de
> configurar las reglas en el squid, cuando trato de navegar me dice esto:
>
> 192.168.17.13 - omar(a)CMG.ESCAMBRAY.COM.CU [07/Aug/2020:11:28:55 -0400]
> "CONNECT
www.gstatic.com:443 HTTP/1.1" 403 6601 TCP_DENIED:HIER_NONE
> [Proxy-Connection: keep-alive\r\nUser-Agent: Mozilla/5.0 (Windows NT
> 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/73.0.3683.75 Safari/537.36\r\nProxy-Authorization: Negotiate
>
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
>
IL
>
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
>
i6
>
IJUxeURqKz/mHhAaAaLvzilOJC3Uoa/tsPJ2yAA/+2eOTtZQnFmCcsvpu5TaY/ZYEEcmBcipTLG1BEWsCBooTxo+J3RpCkZQrksTM4rztb0hqHFbIeYsGlSL2LlXFnFNSpxF/UdxJqMqEXR6cN0gDEgGcP1EBRgZBpevNmhkXcZg8O71q6ouub1TduK2xIhNGWcmbZdbh58BhOPIs6eW+Kdi0pShuE2rWsphuN5F6mQEp1AaBz3qdB2pu0M8Q7JpOScZGp0iss26HPfklotLSsOCMNiRz1Ffl04RnM5qgI4HTi9C2y9bPyI2AyJl7l5dnQdW7zitTGoV/oWG1lR9WXpve7Cq7qBkR4PEiWkkoBNyYTWtp7nC4qZ6IzRJZc5fI5wdDz6g8fU5FpR3qm4VAdt/G12e63ORQJVYD0z3opDvaeYiv/UTZO5Qt/01ZeR9ixIWaNFKoNvCl1rCYNclJx06CmKDC/X1Fpw==\r\nHost:
>
>
www.gstatic.com:443\r\n] [HTTP/1.1 403 Forbidden\r\nServer:
> squid/4.4\r\nMime-Version: 1.0\r\nDate: Fri, 07 Aug 2020 15:28:55
> GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length:
> 6260\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r]
>
> Utilizo CentOS, he seguido la guia de Arian se sysadmin, realmente no
> doy con lo que es, agradeceria si alguien me puede ayudar
>
> Saludos
>
>
>
>
>
Esto me huele a cuestión de tus ACL. ¿Te sucede con todas las páginas?
¿Viste lo de las últimas líneas de opciones que envié para resolver el
problema con las páginas HTTPS cuando se emplea un proxy padre?
Comparte el squid.conf para así poderte ayudar mejor.
Salu2.