История изменений
Исправление blind_oracle (текущая версия):
У меня именно сначала бейсик, потом негошиейт.
И хотя да, в доках пишут:
The order in which authentication schemes are presented to the client is
dependent on the order the scheme first appears in config file. IE
has a bug (it's not RFC 2617 compliant) in that it will use the basic
scheme if basic is the first entry presented, even if more secure
schemes are presented.
У тебя, случаем, логины-пароли не в кириллице? А то
IF HAVE_AUTH_MODULE_BASIC
=== Basic authentication parameters ===
"utf8" on|off
HTTP uses iso-latin-1 as character set, while some
authentication backends such as LDAP expects UTF-8. If this is
set to on Squid will translate the HTTP iso-latin-1 charset to
UTF-8 before sending the username and password to the helper.
Полный конфиг:
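# Squid forward proxy: SSL bump, ICAP (squidclamav) scanning, Basic + Negotiate
# authentication and LDAP group authorization.
# Directive order is significant for auth_param scheme order, ssl_bump,
# adaptation_access and http_access; keep the ordering below when editing.
debug_options ALL,1 rotate=1
# NOTE: logfile_rotate is set again near the end of the file (90); the later
# occurrence is the effective one.
logfile_rotate 0
cache_mgr admin@domain.ru
visible_hostname squid.domain.ru
# Plain-HTTP listener on 3128 with SSL bump. Only SSLv2/SSLv3 are disabled;
# TLS 1.0/1.1 remain enabled unless the build's defaults exclude them. The
# cert= file signs generated host certificates (presumably holds the CA private
# key), so it needs the same protection as any CA key. The cipher string lists
# DH+AES twice (harmless duplication).
http_port 0.0.0.0:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/etc/squid/ssl/ca-squid.domain.ru.pem options=NO_SSLv2,NO_SSLv3 dhparams=/etc/squid/ssl/dh2048.pem cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
server_persistent_connections on
client_persistent_connections on
cache_effective_user squid
cache_effective_group squid
# ICAP ACL
# Domains in this list skip antivirus scanning (both REQMOD and RESPMOD below).
acl icap_whitelisted dstdomain "/etc/squid/lists/icap_domains_whitelisted.txt"
# ICAP scanning
icap_enable on
# The client IP and the authenticated username (header X-Authenticated-User,
# not encoded) are passed to the ICAP service.
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_connect_timeout 1 second
icap_preview_enable on
icap_preview_size 1024
icap_206_enable on
icap_persistent_connections on
# bypass=1 makes each service optional: if squidclamav on 127.0.0.1:1344 is
# down or fails (1 s connect timeout), traffic passes through unscanned.
# Fail-open is a deliberate availability choice; monitor the service.
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req deny icap_whitelisted
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp deny icap_whitelisted
adaptation_access service_resp allow all
# Do not disclose internal client addresses or the Squid version to origins.
forwarded_for delete
httpd_suppress_version_string on
### Error messages ###
error_directory /etc/squid/errors/ru
### Cache options ###
cache_mem 1024 MB
# "cache deny all" disables response caching, so cache_mem above is largely
# unused; the proxy acts as a pure filtering/scanning forwarder.
cache deny all
### Authentication ###
# Scheme order matters: schemes are offered to clients in the order they first
# appear here, so Basic is offered before Negotiate. Clients that simply pick
# the first offered scheme (the IE behaviour quoted in the post) will send
# Basic credentials, which travel base64-encoded (not encrypted) to the plain
# http_port above.
# basic_pam_auth: -n = PAM service name, -t = persistent PAM connection TTL in
# seconds, -o = per the helper's documentation, skip PAM account management
# (expiry checks) -- confirm; expired accounts are instead handled by the
# proxy_no_access_expired ACL and deny_info below.
auth_param basic program /opt/squid/libexec/basic_pam_auth -n squid -t 300 -o
auth_param basic children 30 startup=5 idle=5
# Verified Basic credentials are cached for 3 hours before being re-checked
# with PAM, so a changed or disabled password may keep working for up to 3 h.
auth_param basic credentialsttl 10800 seconds
auth_param basic realm squid.domain.ru
# negotiate_kerberos_auth: -r strips the realm from the username; -s
# GSS_C_NO_NAME accepts any service principal present in the keytab (per the
# helper's documentation).
auth_param negotiate program /opt/squid/libexec/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
auth_param negotiate children 100 startup=10 idle=10
auth_param negotiate keep_alive on
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour
### Authorization (LDAP groups) ###
# Group lookups keyed on %LOGIN (the authenticated username). Bind DN
# service_ldap_ro, password read from /etc/squid/ldap.password (-W, not on the
# command line). -S/-K strip the NT-domain and Kerberos-realm parts of the
# username so one helper serves both auth schemes. Results are cached 30 s
# (ttl/negative_ttl), so group changes take up to 30 s to apply.
# The directory URL is plain ldap:// without -Z (StartTLS): the bind password
# and group queries cross the network unencrypted unless the path to
# 10.1.16.10 is protected by other means.
external_acl_type squid_ldap ttl=30 negative_ttl=30 children-max=100 children-startup=10 children-idle=5 %LOGIN /opt/squid/libexec/ext_ldap_group_acl -b "OU=Пользователи,DC=domain,DC=ru" -s sub -D CN=service_ldap_ro,CN=Users,DC=domain,DC=ru -W /etc/squid/ldap.password -R -H ldap://10.1.16.10 -v 3 -S -K -f "(&(sAMAccountName=%u)(memberOf=%g))"
acl proxy_full_access external squid_ldap CN=proxy_full_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_email_access external squid_ldap CN=proxy_email_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_hr_access external squid_ldap CN=proxy_hr_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_no_access external squid_ldap CN=proxy_no_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_no_access_expired external squid_ldap CN=Expired_Passwords,OU=Groups,DC=domain,DC=ru
### Delay Pools ###
# One class-4 pool is defined, but delay_access denies it for everyone, so no
# shaping is actually applied.
delay_pools 1
delay_class 1 4
delay_access 1 deny all
delay_parameters 1 -1/-1 -1/-1 -1/-1 8000/16000
### File lists ###
# External file, not shown here.
include "/etc/squid/lists.conf"
### File ACLs ###
## Lists ##
acl lists_block_dom dstdomain "/etc/squid/lists/domains_blocked.txt"
acl lists_fun_dom dstdomain "/etc/squid/lists/domains_fun.txt"
acl lists_job_dom dstdomain "/etc/squid/lists/domains_job.txt"
## Custom Lists ##
acl domains_whitelisted dstdomain "/etc/squid/lists/domains_whitelisted.txt"
acl domains_ssl_direct dstdomain "/etc/squid/lists/domains_ssl_direct.txt"
# Referenced by the mail-access rule in http_access below.
acl domains_mail dstdomain "/etc/squid/lists/domains_mail.txt"
# Domains reachable without authentication (see http_access below).
acl domains_no_auth dstdomain "/etc/squid/lists/domains_no_auth.txt"
acl ip_ssl_direct dst "/etc/squid/lists/ip_ssl_direct.txt"
# SSL exceptions
acl domains_ssl_error dstdomain "/etc/squid/lists/domains_ssl_error.txt"
# SSL Proxying
# Evaluated in order: listed domains/IPs are tunnelled without inspection;
# domains_ssl_error are bumped client-first and invalid server certificates
# are tolerated for them (sslproxy_cert_error allow); everything else is
# bumped server-first and certificate errors are refused.
ssl_bump none domains_ssl_direct
ssl_bump none ip_ssl_direct
ssl_bump client-first domains_ssl_error
ssl_bump server-first all
# Same protocol caveat as http_port: only SSLv2/3 are disabled server-side.
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cipher ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
sslproxy_cert_error allow domains_ssl_error
sslproxy_cert_error deny all
# Generated-certificate helper and its on-disk DB.
sslcrtd_program /opt/squid/libexec/ssl_crtd -s /etc/squid/ssl/ssl_db -M 128MB
sslcrtd_children 50 startup=10 idle=10
# No cache peers; every request goes straight to the origin.
always_direct allow all
### Port based ACLs ###
# Allowed destination ports: 20/21 (FTP), 80, 443 and 9000. CONNECT is
# further limited to ports_connect by http_access below.
acl ports_allowed port 20
acl ports_allowed port 21
acl ports_allowed port 80
acl ports_allowed port 443
acl ports_allowed port 9000
acl ports_connect port 443
acl ports_connect port 9000
### Time period ACLs ###
# Weekdays 13:00-14:00 and 18:30-23:00.
acl time_fun time MTWHF 13:00-14:00 18:30-23:00
# NOTE: time_weekends is defined but not referenced by any rule below.
acl time_weekends time SA 00:00-23:59
### Other ACLs ###
acl net_internal src 10.0.0.0/8
acl net_internal src 192.168.20.0/24
# Two trusted hosts: they may read the cache manager, their X-Forwarded-For is
# honoured, and they get unrestricted, unauthenticated access (http_access
# allow svc_chk). Keep this list minimal.
acl svc_chk src 10.1.16.11
acl svc_chk src 10.1.16.12
acl method_connect method CONNECT
acl proxy_authorized proxy_auth REQUIRED
# Do not log requests to these domains
acl skip_logging dstdomain "/etc/squid/lists/skip_logging.txt"
# Statistics page
# Cache manager interface is reachable from svc_chk only.
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
http_access allow manager svc_chk
http_access deny manager
# X-Forwarded-For is trusted only from svc_chk; the *_uses_indirect_client
# switches then make ACL matching, delay pools, ICAP and logging use the
# forwarded address for requests from those hosts.
follow_x_forwarded_for allow svc_chk
follow_x_forwarded_for deny all
icap_uses_indirect_client on
delay_pool_uses_indirect_client on
acl_uses_indirect_client on
log_uses_indirect_client on
### Access lists ###
# First match wins. Summary:
#  1. svc_chk hosts: everything allowed, no authentication.
#  2. Anything not from net_internal is refused.
#  3. domains_no_auth on allowed ports is reachable anonymously; this rule
#     precedes the auth challenge and the group-based denies.
#  4. Everyone else must authenticate ("deny !proxy_authorized" issues the 407).
#  5. Group-based denies: no_access and expired-password groups; fun domains
#     outside time_fun, blocked domains, mail domains and job domains for users
#     without proxy_full_access (whitelisted domains override the blocked and
#     mail rules; email/hr groups override their own rule).
#  6. CONNECT only to ports_connect; everything else only to ports_allowed.
#  7. Default allow.
http_access allow svc_chk
http_access deny !net_internal
http_access allow domains_no_auth ports_allowed
http_access deny !proxy_authorized
http_access deny proxy_no_access
http_access deny proxy_no_access_expired
http_access deny !proxy_full_access !time_fun lists_fun_dom
http_access deny !proxy_full_access lists_block_dom !domains_whitelisted
# Uses the domains_mail ACL defined above (the original line referenced
# lists_mail_dom, which is never defined; Squid rejects a rule that names an
# undefined ACL).
http_access deny !proxy_email_access !proxy_full_access !domains_whitelisted domains_mail
http_access deny !proxy_hr_access !proxy_full_access lists_job_dom
http_access deny method_connect !ports_connect
http_access deny !ports_allowed
http_access allow all
# Users in the expired-password group are redirected to the password-change
# page instead of receiving a plain access-denied error.
deny_info https://support.domain.ru/pass_change proxy_no_access_expired
### Other parameters ###
# Requests to skip_logging domains are not written to access.log.
access_log stdio:/var/log/squid/access.log squid !skip_logging
cache_log /var/log/squid/cache.log
cache_store_log none
# Effective rotation count (overrides the 0 at the top of the file).
logfile_rotate 90
mime_table /etc/squid/mime.conf
request_header_max_size 20 KB
# 0 KB = no limit on request body size.
request_body_max_size 0 KB
# No Via header is added to forwarded requests/responses.
via off
shutdown_lifetime 3 seconds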
Исходная версия blind_oracle:
У меня именно сначала бейсик, потом негошиейт.
И хотя да, в доках пишут:
The order in which authentication schemes are presented to the client is
dependent on the order the scheme first appears in config file. IE
has a bug (it's not RFC 2617 compliant) in that it will use the basic
scheme if basic is the first entry presented, even if more secure
schemes are presented.
У тебя, случаем, логины-пароли не в кириллице? А то
IF HAVE_AUTH_MODULE_BASIC
=== Basic authentication parameters ===
"utf8" on|off
HTTP uses iso-latin-1 as character set, while some
authentication backends such as LDAP expects UTF-8. If this is
set to on Squid will translate the HTTP iso-latin-1 charset to
UTF-8 before sending the username and password to the helper.
Полный конфиг:
# Squid forward proxy: SSL bump, ICAP (squidclamav) scanning, Basic + Negotiate
# authentication and LDAP group authorization.
# Directive order is significant for auth_param scheme order, ssl_bump,
# adaptation_access and http_access; keep the ordering below when editing.
debug_options ALL,1 rotate=1
# NOTE: logfile_rotate is set again near the end of the file (90); the later
# occurrence is the effective one.
logfile_rotate 0
cache_mgr admin@domain.ru
visible_hostname squid.domain.ru
# Plain-HTTP listener on 3128 with SSL bump. Only SSLv2/SSLv3 are disabled;
# TLS 1.0/1.1 remain enabled unless the build's defaults exclude them. The
# cert= file signs generated host certificates (presumably holds the CA private
# key), so it needs the same protection as any CA key. The cipher string lists
# DH+AES twice (harmless duplication).
http_port 0.0.0.0:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=64MB cert=/etc/squid/ssl/ca-squid.domain.ru.pem options=NO_SSLv2,NO_SSLv3 dhparams=/etc/squid/ssl/dh2048.pem cipher=ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
server_persistent_connections on
client_persistent_connections on
cache_effective_user squid
cache_effective_group squid
# ICAP ACL
# Domains in this list skip antivirus scanning (both REQMOD and RESPMOD below).
acl icap_whitelisted dstdomain "/etc/squid/lists/icap_domains_whitelisted.txt"
# ICAP scanning
icap_enable on
# The client IP and the authenticated username (header X-Authenticated-User,
# not encoded) are passed to the ICAP service.
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_connect_timeout 1 second
icap_preview_enable on
icap_preview_size 1024
icap_206_enable on
icap_persistent_connections on
# bypass=1 makes each service optional: if squidclamav on 127.0.0.1:1344 is
# down or fails (1 s connect timeout), traffic passes through unscanned.
# Fail-open is a deliberate availability choice; monitor the service.
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req deny icap_whitelisted
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp deny icap_whitelisted
adaptation_access service_resp allow all
# Do not disclose internal client addresses or the Squid version to origins.
forwarded_for delete
httpd_suppress_version_string on
### Error messages ###
error_directory /etc/squid/errors/ru
### Cache options ###
cache_mem 1024 MB
# "cache deny all" disables response caching, so cache_mem above is largely
# unused; the proxy acts as a pure filtering/scanning forwarder.
cache deny all
### Authentication ###
# Scheme order matters: schemes are offered to clients in the order they first
# appear here, so Basic is offered before Negotiate. Clients that simply pick
# the first offered scheme (the IE behaviour quoted in the post) will send
# Basic credentials, which travel base64-encoded (not encrypted) to the plain
# http_port above.
# basic_pam_auth: -n = PAM service name, -t = persistent PAM connection TTL in
# seconds, -o = per the helper's documentation, skip PAM account management
# (expiry checks) -- confirm; expired accounts are instead handled by the
# proxy_no_access_expired ACL and deny_info below.
auth_param basic program /opt/squid/libexec/basic_pam_auth -n squid -t 300 -o
auth_param basic children 30 startup=5 idle=5
# Verified Basic credentials are cached for 3 hours before being re-checked
# with PAM, so a changed or disabled password may keep working for up to 3 h.
auth_param basic credentialsttl 10800 seconds
auth_param basic realm squid.domain.ru
# negotiate_kerberos_auth: -r strips the realm from the username; -s
# GSS_C_NO_NAME accepts any service principal present in the keytab (per the
# helper's documentation).
auth_param negotiate program /opt/squid/libexec/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
auth_param negotiate children 100 startup=10 idle=10
auth_param negotiate keep_alive on
authenticate_cache_garbage_interval 1 hour
authenticate_ttl 1 hour
### Authorization (LDAP groups) ###
# Group lookups keyed on %LOGIN (the authenticated username). Bind DN
# service_ldap_ro, password read from /etc/squid/ldap.password (-W, not on the
# command line). -S/-K strip the NT-domain and Kerberos-realm parts of the
# username so one helper serves both auth schemes. Results are cached 30 s
# (ttl/negative_ttl), so group changes take up to 30 s to apply.
# The directory URL is plain ldap:// without -Z (StartTLS): the bind password
# and group queries cross the network unencrypted unless the path to
# 10.1.16.10 is protected by other means.
external_acl_type squid_ldap ttl=30 negative_ttl=30 children-max=100 children-startup=10 children-idle=5 %LOGIN /opt/squid/libexec/ext_ldap_group_acl -b "OU=Пользователи,DC=domain,DC=ru" -s sub -D CN=service_ldap_ro,CN=Users,DC=domain,DC=ru -W /etc/squid/ldap.password -R -H ldap://10.1.16.10 -v 3 -S -K -f "(&(sAMAccountName=%u)(memberOf=%g))"
acl proxy_full_access external squid_ldap CN=proxy_full_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_email_access external squid_ldap CN=proxy_email_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_hr_access external squid_ldap CN=proxy_hr_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_no_access external squid_ldap CN=proxy_no_access,OU=Proxy,OU=Groups,DC=domain,DC=ru
acl proxy_no_access_expired external squid_ldap CN=Expired_Passwords,OU=Groups,DC=domain,DC=ru
### Delay Pools ###
# One class-4 pool is defined, but delay_access denies it for everyone, so no
# shaping is actually applied.
delay_pools 1
delay_class 1 4
delay_access 1 deny all
delay_parameters 1 -1/-1 -1/-1 -1/-1 8000/16000
### File lists ###
# External file, not shown here.
include "/etc/squid/lists.conf"
### File ACLs ###
## Lists ##
acl lists_block_dom dstdomain "/etc/squid/lists/domains_blocked.txt"
acl lists_fun_dom dstdomain "/etc/squid/lists/domains_fun.txt"
acl lists_job_dom dstdomain "/etc/squid/lists/domains_job.txt"
## Custom Lists ##
acl domains_whitelisted dstdomain "/etc/squid/lists/domains_whitelisted.txt"
acl domains_ssl_direct dstdomain "/etc/squid/lists/domains_ssl_direct.txt"
# NOTE(review): domains_mail is defined but never referenced; the mail rule in
# http_access below names lists_mail_dom instead, which is not defined
# anywhere in this file (see the note on that line).
acl domains_mail dstdomain "/etc/squid/lists/domains_mail.txt"
# Domains reachable without authentication (see http_access below).
acl domains_no_auth dstdomain "/etc/squid/lists/domains_no_auth.txt"
acl ip_ssl_direct dst "/etc/squid/lists/ip_ssl_direct.txt"
# SSL exceptions
acl domains_ssl_error dstdomain "/etc/squid/lists/domains_ssl_error.txt"
# SSL Proxying
# Evaluated in order: listed domains/IPs are tunnelled without inspection;
# domains_ssl_error are bumped client-first and invalid server certificates
# are tolerated for them (sslproxy_cert_error allow); everything else is
# bumped server-first and certificate errors are refused.
ssl_bump none domains_ssl_direct
ssl_bump none ip_ssl_direct
ssl_bump client-first domains_ssl_error
ssl_bump server-first all
# Same protocol caveat as http_port: only SSLv2/3 are disabled server-side.
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cipher ECDH+AESGCM:DH+AESGCM:ECDH+AES:DH+AES:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
sslproxy_cert_error allow domains_ssl_error
sslproxy_cert_error deny all
# Generated-certificate helper and its on-disk DB.
sslcrtd_program /opt/squid/libexec/ssl_crtd -s /etc/squid/ssl/ssl_db -M 128MB
sslcrtd_children 50 startup=10 idle=10
# No cache peers; every request goes straight to the origin.
always_direct allow all
### Port based ACLs ###
# Allowed destination ports: 20/21 (FTP), 80, 443 and 9000. CONNECT is
# further limited to ports_connect by http_access below.
acl ports_allowed port 20
acl ports_allowed port 21
acl ports_allowed port 80
acl ports_allowed port 443
acl ports_allowed port 9000
acl ports_connect port 443
acl ports_connect port 9000
### Time period ACLs ###
# Weekdays 13:00-14:00 and 18:30-23:00.
acl time_fun time MTWHF 13:00-14:00 18:30-23:00
# NOTE: time_weekends is defined but not referenced by any rule below.
acl time_weekends time SA 00:00-23:59
### Other ACLs ###
acl net_internal src 10.0.0.0/8
acl net_internal src 192.168.20.0/24
# Two trusted hosts: they may read the cache manager, their X-Forwarded-For is
# honoured, and they get unrestricted, unauthenticated access (http_access
# allow svc_chk). Keep this list minimal.
acl svc_chk src 10.1.16.11
acl svc_chk src 10.1.16.12
acl method_connect method CONNECT
acl proxy_authorized proxy_auth REQUIRED
# Do not log requests to these domains
acl skip_logging dstdomain "/etc/squid/lists/skip_logging.txt"
# Statistics page
# Cache manager interface is reachable from svc_chk only.
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
http_access allow manager svc_chk
http_access deny manager
# X-Forwarded-For is trusted only from svc_chk; the *_uses_indirect_client
# switches then make ACL matching, delay pools, ICAP and logging use the
# forwarded address for requests from those hosts.
follow_x_forwarded_for allow svc_chk
follow_x_forwarded_for deny all
icap_uses_indirect_client on
delay_pool_uses_indirect_client on
acl_uses_indirect_client on
log_uses_indirect_client on
### Access lists ###
# First match wins. Summary:
#  1. svc_chk hosts: everything allowed, no authentication.
#  2. Anything not from net_internal is refused.
#  3. domains_no_auth on allowed ports is reachable anonymously; this rule
#     precedes the auth challenge and the group-based denies.
#  4. Everyone else must authenticate ("deny !proxy_authorized" issues the 407).
#  5. Group-based denies: no_access and expired-password groups; fun domains
#     outside time_fun, blocked domains, mail domains and job domains for users
#     without proxy_full_access (whitelisted domains override the blocked and
#     mail rules; email/hr groups override their own rule).
#  6. CONNECT only to ports_connect; everything else only to ports_allowed.
#  7. Default allow.
http_access allow svc_chk
http_access deny !net_internal
http_access allow domains_no_auth ports_allowed
http_access deny !proxy_authorized
http_access deny proxy_no_access
http_access deny proxy_no_access_expired
http_access deny !proxy_full_access !time_fun lists_fun_dom
http_access deny !proxy_full_access lists_block_dom !domains_whitelisted
# NOTE(review): lists_mail_dom is not defined anywhere in this file; the mail
# list ACL defined above is domains_mail. Squid rejects an http_access rule
# that names an undefined ACL, so this line likely needs domains_mail.
http_access deny !proxy_email_access !proxy_full_access !domains_whitelisted lists_mail_dom
http_access deny !proxy_hr_access !proxy_full_access lists_job_dom
http_access deny method_connect !ports_connect
http_access deny !ports_allowed
http_access allow all
# Users in the expired-password group are redirected to the password-change
# page instead of receiving a plain access-denied error.
deny_info https://support.domain.ru/pass_change proxy_no_access_expired
### Other parameters ###
# Requests to skip_logging domains are not written to access.log.
access_log stdio:/var/log/squid/access.log squid !skip_logging
cache_log /var/log/squid/cache.log
cache_store_log none
# Effective rotation count (overrides the 0 at the top of the file).
logfile_rotate 90
mime_table /etc/squid/mime.conf
request_header_max_size 20 KB
# 0 KB = no limit on request body size.
request_body_max_size 0 KB
# No Via header is added to forwarded requests/responses.
via off
shutdown_lifetime 3 seconds