
transparent proxy with Active Directory Login


transparent proxy with Active Directory Login

Jeff Sadowski
OK I got transparent proxy working and I have Active Directory logging
working (the Active directory documents need a little work I'll see if
I can find time to update them. I have it working with centos 5.2 with
setting the proxy in the web browser)
However I was hoping that when I take the proxy option out of the web
browser that it would still use the Active Directory login info. (I
get the default access denied option) Is there a way to get it to use
the automatic ntlm authentication info with a transparent proxy? or
even a way for them to login? Or do I need to create a group policy
and/or tell users how to setup a proxy in all the users computers for
IE and firefox? It is no secret it just seems like a pain in the ass
going around setting it up. And you all know how it is dealing with
users.

Re: transparent proxy with Active Directory Login

Amos Jeffries-2
> OK I got transparent proxy working and I have Active Directory logging
> working (the Active directory documents need a little work I'll see if
> I can find time to update them. I have it working with centos 5.2 with
> setting the proxy in the web browser)
> However I was hoping that when I take the proxy option out of the web
> browser that it would still use the Active Directory login info. (I
> get the default access  denied option) Is there a way to get it to use
> the automatic ntlm authentication info with a transparent proxy?

No.

> or
> even a way for them to login?

Users no. Machines yes. (see below)

> Or do I need to create a group policy
> and/or tell users how to setup a proxy in all the users computers for
> IE and firefox?

That is preferable.

> It is no secret it just seems like a pain in the ass
> going around setting it up. And you all know how it is dealing with
> users.
>

The problem is that browsers have security that prevents them sending
private login credentials to random machines on the network. Understand
why?

When in transparent mode the proxy _is_ a malicious hijacker. Transparent
interception is called a man-in-the-middle attack by security people. The
browser is behaving properly and Squid has no way of receiving the user's
credentials from it.

What can be done is to glean some details such as machine IP and do some
local not-quite-auth testing on it to see who is logged in and get their
username back (NP: not password). AD may be able to map IP to current
user. This has to be done in the background with an external_acl_type
helper. It's called out-of-band authorization.

Amos


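The out-of-band approach Amos describes, sketched as a Squid external_acl_type helper. This is an added example, not code from the thread or from the Squid project; the squid.conf lines in the docstring, the helper path, and the IP-to-user table are assumptions and constructed sample data standing in for whatever local record source (AD logon events, DHCP leases, a NAC database) a site actually has.

```python
#!/usr/bin/env python3
"""Out-of-band authorization helper for Squid's external_acl_type.

Assumed squid.conf wiring (hypothetical, not taken from the thread):
  external_acl_type ipuser ttl=300 negative_ttl=60 %SRC /usr/local/bin/ipuser.py
  acl known_user external ipuser
  http_access allow known_user

Squid writes one line per lookup containing the client IP (%SRC) and
reads back "OK user=<name>" or "ERR". The username only tags the log
and the ACL; it identifies a machine, not a person, so it must never
be treated as proof of identity (Amos's "not-quite-auth").
"""
import ipaddress
import sys

# Constructed sample mapping; a real helper queries its own records.
IP_TO_USER = {
    "10.0.1.25": "jsadowski",
    "10.0.1.26": "gmccullagh",
}

# Only attribute traffic from the directly connected client subnet.
# Addresses seen through NAT or a VPN concentrator are shared by many
# people and cannot be mapped to one user.
TRUSTED_NET = ipaddress.ip_network("10.0.1.0/24")


def lookup(src):
    """Turn one %SRC value into the reply line Squid expects."""
    try:
        ip = ipaddress.ip_address(src.strip())
    except ValueError:
        return "ERR"            # malformed input: deny, never crash the helper
    if ip not in TRUSTED_NET:
        return "ERR"
    user = IP_TO_USER.get(str(ip))
    return "OK user=%s" % user if user else "ERR"


def replies(lines):
    """Answer a batch of request lines, skipping blank ones."""
    return [lookup(line) for line in lines if line.strip()]


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Helper main loop: one reply per request, flushed immediately."""
    for line in stream_in:
        if not line.strip():
            continue
        stream_out.write(lookup(line) + "\n")
        stream_out.flush()      # Squid blocks waiting for each reply


if __name__ == "__main__":
    serve()
```

Because the result is cached per ttl, a workstation that changes hands inside that window is still logged under the previous name; keep ttl short relative to how often machines are reassigned.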

Split caching by size

Jason Spegal
In reply to this post by Jeff Sadowski
How do I configure squid to only cache small objects, say less than 4mb
in memory cache, and only objects larger than 4mb to the disk? I want to
optimize the cache based on object size. The reasoning is the small
stuff will change often and be accessed the most while the larger items
that tie up bandwidth will not change as often and I can cache more
aggressively. Also this way I minimize disk io and lag. I am using squid
3.0. While I can see this being done with the disk cache I am not
certain the memory cache can be configured like this anymore as the
options seem to be missing.

Thanks,
   Jason

Re: Split caching by size

Amos Jeffries-2
> How do I configure squid to only cache small objects, say less than 4mb
> in memory cache, and only objects larger than 4mb to the disk? I want to
> optimize the cache based on object size. The reasoning is the small
> stuff will change often and be accessed the most while the larger items
> that tie up bandwidth will not change as often and I can cache more
> aggressively. Also this way I minimize disk io and lag. I am using squid
> 3.0. While I can see this being done with the disk cache I am not
> certain the memory cache can be configured like this anymore as the
> options seem to be missing.
>

You face one major problem:
 * How to identify the size of an object before it's pushed to cache?
   - _some_ objects have Content-Length: headers set, not always.

 * How to identify when an object is going to be pushed to cache while it's
still arriving?
   - no such luck. Will require a code change.

COSS grabs all the obvious small objects into a separate small and
efficient store, leaving the rest, assumed to be large, for the main store.
Alex is working very hard at getting the RockStore feature working, part
of which involves fixing the COSS support in 3.x. Any help able to be
provided to him in that project is very, very welcome.

Amos



Re: transparent proxy with Active Directory Login

Gavin McCullagh-2
In reply to this post by Amos Jeffries-2
On Thu, 14 May 2009, Amos Jeffries wrote:

> What can be done is to glean some details such as machine IP and do some
> local not-quite-auth testing on it to see who is logged in and get their
> username back (NP: not password). AD may be able to map IP to current
> user. This has to be done in the background with an external_acl_type
> helper. It's called out-of-band authorization.

Are there any docs or howtos around on this?  We use authentication on one
subnet, but it's a bit of a pain.  We're not really that concerned to
require people to remember passwords, we just want to work out who the user
is with a reasonable level of accuracy.  Authenticated proxies seem to
break various clients, so out-of-band might be an interesting
alternative.

Gavin


Re: transparent proxy with Active Directory Login

Amos Jeffries-2
Gavin McCullagh wrote:

> On Thu, 14 May 2009, Amos Jeffries wrote:
>
>> What can be done is to glean some details such as machine IP and do some
>> local not-quite-auth testing on it to see who is logged in and get their
>> username back (NP: not password). AD may be able to map IP to current
>> user. This has to be done in the background with an external_acl_type
>> helper. It's called out-of-band authorization.
>
> Are there any docs or howtos around on this?  We use authentication one one
> subnet, but it's a bit of a pain.  We're not really that concerned to
> require people to remember passwords, we just want to work out who the user
> is with a reasonable level of accuracy.  Authenticated proxies seem to
> break various clients so if out-of-band might be an interesting
> alternative.
>
> Gavin
>

Nothing easy to understand that I know of. It's kind of wrapped in the
specific local management systems you use, to pull the IP out of the
request and compare it to some local database.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.7

Re: Split caching by size

Chris Robertson-2
In reply to this post by Jason Spegal
Jason Spegal wrote:
> How do I configure squid to only cache small objects, say less than
> 4mb in memory cache,

http://www.squid-cache.org/Doc/config/maximum_object_size_in_memory/

> and only objects larger than 4mb to the disk?

http://www.squid-cache.org/Doc/config/minimum_object_size/

> I want to optimize the cache based on object size. The reasoning is
> the small stuff will change often and be accessed the most while the
> larger items that tie up bandwidth will not change as often and I can
> cache more aggressively. Also this way I minimize disk io and lag. I
> am using squid 3.0. While I can see this being done with the disk
> cache I am not certain the memory cache can be configured like this
> anymore as the options seem to be missing.
>
> Thanks,
>   Jason

Chris

Re: Split caching by size

Jason Spegal
Just tested and verified this. At least in Squid 3.0 minimum_object_size
affects both memory and disk caches. Anyone know if this is true in 3.1
as well? Any thoughts as to how to split it? I may be wrong and likely
am but I recall there was separate minimum_object_size for each cache at
one time.

Chris Robertson wrote:

> Jason Spegal wrote:
>> How do I configure squid to only cache small objects, say less than
>> 4mb in memory cache,
>
> http://www.squid-cache.org/Doc/config/maximum_object_size_in_memory/
>
>> and only objects larger than 4mb to the disk?
>
> http://www.squid-cache.org/Doc/config/minimum_object_size/
>
>> I want to optimize the cache based on object size. The reasoning is
>> the small stuff will change often and be accessed the most while the
>> larger items that tie up bandwidth will not change as often and I can
>> cache more aggressively. Also this way I minimize disk io and lag. I
>> am using squid 3.0. While I can see this being done with the disk
>> cache I am not certain the memory cache can be configured like this
>> anymore as the options seem to be missing.
>>
>> Thanks,
>>   Jason
>
> Chris


--enable-http-violations

Jason Spegal
What exactly does compiling with --enable-http-violations do? I was
under the impression it just allowed ignore-private, ignore-no-store,
ignore-auth, override-expire, etc. to work; however, I am starting to doubt
that. Even removing all options on the affected refresh_patterns still
results in certain pages not refreshing properly.

--Jason


Re: --enable-http-violations

Amos Jeffries-2
> What exactly does compiling with --enable-http-violations do? I was
> under the impression it just allowed ignore-private, ignore-no-store,
> ignore-auth, override-expire, etc to work however I am starting to doubt
> that.

It enables use of all config settings which, if changed from the defaults,
will cause your Squid to disobey HTTP and other RFC protocol requirements.
Caching things which should not be cached (ignore-* and override-*) are
just a few of those settings.

> Even removing all options on affected refresh_pattern's still
> result in certain pages not refreshing properly.

To make things operate properly IMO it's best not to use any of the
violation settings. They are the cause of breakage more often than not.

I think you need to get a wire-level trace of the requests going to/from
Squid, with both the client and the server.

Amos



Re: Split caching by size

Adrian Chadd-3
In reply to this post by Jason Spegal
It's a per-cache_dir option in Squid-2.7 and above; I'm not sure about 3.



Adrian

2009/5/20 Jason Spegal <[hidden email]>:

> Just tested and verified this. At least in Squid 3.0 minimum_object_size
> affects both memory and disk caches. Anyone know if this is true in 3.1 as
> well? Any thoughts as to how to split it? I may be wrong and likely am but I
> recall there was separate minimum_object_size for each cache at one time.
>
> Chris Robertson wrote:
>>
>> Jason Spegal wrote:
>>>
>>> How do I configure squid to only cache small objects, say less than 4mb
>>> in memory cache,
>>
>> http://www.squid-cache.org/Doc/config/maximum_object_size_in_memory/
>>
>>> and only objects larger than 4mb to the disk?
>>
>> http://www.squid-cache.org/Doc/config/minimum_object_size/
>>
>>> I want to optimize the cache based on object size. The reasoning is the
>>> small stuff will change often and be accessed the most while the larger
>>> items that tie up bandwidth will not change as often and I can cache more
>>> aggressively. Also this way I minimize disk io and lag. I am using squid
>>> 3.0. While I can see this being done with the disk cache I am not certain
>>> the memory cache can be configured like this anymore as the options seem to
>>> be missing.
>>>
>>> Thanks,
>>>  Jason
>>
>> Chris
>
>

Re: Split caching by size

Amos Jeffries-2
In reply to this post by Jason Spegal
Jason Spegal wrote:
> Just tested and verified this. At least in Squid 3.0 minimum_object_size
> affects both memory and disk caches. Anyone know if this is true in 3.1
> as well? Any thoughts as to how to split it? I may be wrong and likely
> am but I recall there was separate minimum_object_size for each cache at
> one time.

Same for all Squid-3 so far.
The per-cache_dir version is awaiting port from Squid-2.

>
> Chris Robertson wrote:
>> Jason Spegal wrote:
>>> How do I configure squid to only cache small objects, say less than
>>> 4mb in memory cache,
>>
>> http://www.squid-cache.org/Doc/config/maximum_object_size_in_memory/
>>
>>> and only objects larger than 4mb to the disk?
>>
>> http://www.squid-cache.org/Doc/config/minimum_object_size/
>>
>>> I want to optimize the cache based on object size. The reasoning is
>>> the small stuff will change often and be accessed the most while the
>>> larger items that tie up bandwidth will not change as often and I can
>>> cache more aggressively. Also this way I minimize disk io and lag. I
>>> am using squid 3.0. While I can see this being done with the disk
>>> cache I am not certain the memory cache can be configured like this
>>> anymore as the options seem to be missing.
>>>
>>> Thanks,
>>>   Jason
>>
>> Chris
>

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
   Current Beta Squid 3.1.0.7