We have a few special requirements in our network. For internet-based traffic we use an appliance-based proxy server that users must authenticate with to get out to the internet. But we also use an internal proxy server to access a secure network. Rather than buying another appliance for this, we set up a Squid proxy on a Linux server.
To achieve the required result we need to tell the clients how to request pages and from where. This is done using WPAD, which is dished out using DHCP, DNS and GPO. So when the client browser requests a page that matches the specified criteria, the request goes to the relevant proxy.
Simplistically, the WPAD script uses three array variables: local, for our internal servers; bypass, for servers that don't go via any proxy; and secure, for servers that are on the secure domain.
The Squid server is then configured to allow only those clients that meet specific criteria to pass through to the secure network.
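An added example of the WPAD/PAC logic described above, not the original post's script: the proxy hostnames, ports and list entries are placeholders, and the helper functions are simplified stand-ins for the browser's PAC built-ins (isPlainHostName, dnsDomainIs, shExpMatch) so the same file can be exercised under Node.js. The point to preserve is that secure hosts are sent only to the Squid proxy, never to the internet appliance or direct.

```javascript
// Placeholder proxy endpoints (assumed names, not from the original post).
var INTERNET_PROXY = "PROXY internetproxy.mydomain.local:8080"; // authenticated appliance
var SECURE_PROXY   = "PROXY squid.mydomain.local:3128";          // Squid gating the secure network

// The three lists the post describes; entries here are constructed samples.
var local  = ["intranet.mydomain.local", "*.mydomain.local"];
var bypass = ["updates.vendor.example", "*.cdn.example"];
var secure = ["portal.secure.example", "*.secure.example"];

// Minimal stand-ins for the PAC built-ins so the file also runs outside a browser.
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run, '?' one character, everything else literal.
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

function matchesAny(host, patterns) {
  for (var i = 0; i < patterns.length; i++) {
    if (shExpMatch(host, patterns[i])) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal servers and bare hostnames: no proxy at all.
  if (isPlainHostName(host) || matchesAny(host, local)) return "DIRECT";
  // Explicit bypass list: no proxy at all.
  if (matchesAny(host, bypass)) return "DIRECT";
  // Secure domain: only via Squid, which enforces the group/site/VLAN checks.
  // Deliberately no "; DIRECT" or internet-proxy fallback after it.
  if (matchesAny(host, secure)) return SECURE_PROXY;
  // Everything else: the authenticated internet appliance.
  return INTERNET_PROXY;
}
```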
### /etc/squid3/squid.conf Configuration File ####

### cache manager
cache deny all
cache_mgr email@example.com

### kerberos (negotiate) authentication
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
auth_param negotiate children 10
auth_param negotiate keep_alive on

### pure ntlm authentication
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 10
auth_param ntlm keep_alive off

### provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=mydomain,dc=local" -D firstname.lastname@example.org -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h ldap.mydomain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute

### ldap authorisation
external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=mydomain,dc=local" -D email@example.com -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=%g,DC=mydomain,DC=local))" -h ldap.mydomain.local

### squid defaults
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost

### acl for proxy auth and ldap authorizations
acl SECURE_Users external memberof "/etc/squid3/SECURE_Users.txt"
acl ntlm_users proxy_auth REQUIRED
acl SECURE_Sites dstdomain "/etc/squid3/SECURE_Sites.txt"
acl SECURE_VLAN src "/etc/squid3/SECURE_VLAN.txt"
The config causes Squid to authenticate user requests against our domain controller/LDAP using Kerberos/NTLM, with basic LDAP authentication as the fallback. Then, using ACLs, it checks that the user is a member of the group(s) listed in SECURE_Users.txt, that the URL is listed in SECURE_Sites.txt, and that the request is coming from a network within SECURE_VLAN.txt.
Then all of the management is pretty much left to Active Directory, so you give users access just by making them a member of the group [Group_Name]. The actual config is a little more tricksy than that shown, but the general gist is here.