Just want to add, I use SquidGuard in two high-load setups and never ran into issues. I didn't integrate it as a URL rewrite helper but as an external ACL helper, and it works great with 800 users.
On 17 September 2018 20:38:06 MESZ, Amos Jeffries <squ...@treenet.co.nz> wrote:
>On 18/09/18 3:37 AM, Service MV wrote:
>> Dear Ones, I draw on your experience in seeking help to determine
>> whether or not it is possible to achieve the configuration I am looking
>> for, due to a strange error I am having.
>
>FYI: SquidGuard has not been maintained for many years now.
>
>I recommend you convert as many of your filtering rules as you can into
>normal Squid ACLs. Traffic which is being blocked for simple reasons can
>be done much more efficiently by Squid than a helper.
>
>You can use the more up-to-date ufdbguard helper as a drop-in
>replacement for squidguard during the conversion.
>
>
>>
>> Before commenting on the bug I describe my testing environment:
>> - A VM CentOS 7 Core over VirtualBox 5.2, 1 NIC.
>> - My VM is attached to my domain W2012R2 (following this post
>> https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/)
>> to achieve kerberos authentication transparent to the user. SElinux
>> disabled. Owner permissions to user squid in all folders/files involved.
>> - squid 3.5.20 installed and working great with kerberos, NTLM and basic
>> authentication. All authentication mechanisms tested and working great.
>> - SquidGuard: 1.4 Berkeley DB 5.3.21 installed and working great with
>> blacklists and acl default.
>>
>> My problem starts when I try to use source acl using ldapusersearch in
>> squidGuard...
>>
>> systemctl status squid:
>> (squid-1)[12627]: The redirector helpers are crashing too rapidly, need
>> help!
>>
>> *squidGuard.conf*
>>
>> dbhome /etc/squid/db
>> logdir /var/log/squidGuard
>> ldapbinddn
>> CN=ldap,OU=SERVICIOS,OU=SISTEMAS,OU=CANAL,OU=MYCOMPANY,DC=mydomain,DC=local
>> ldapbindpass myULTRAsecretPASS
>> ldapprotover 3
>>
>>
>> src WEB_BASIC {
>> ldapusersearch
>> ldap://dc-1.mydomain.local:3268/dc=mydomain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=WEB_BASIC%2cou=INTERNET%2cou=PERMISOS%2cou=MYCOMPANY%2cdc=mydomain%2cdc=local))
>> log block.log
>> }
>...
>>
>> acl {
>>
>> WEB_BASIC{
>> pass whitelist !BL_porn !blacklist all
>> redirect
>> http://s-server1.mydomain.local/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&targetgroup=%t&url=%u
>> log block.log
>> }
>...
>
>
>> *squid.conf*
>>
>> acl localnet src 10.10.8.0/22 # LAN net
>> acl dmz src 192.168.20.0/27 # DMZ net
>
>These ACLs are never used due to what you are doing with the "auth" ACL.
>
>...
>>
>> ### acl for proxy authentication (kerberos or ntlm) and ldap authorizations
>> acl auth proxy_auth REQUIRED
>>
>> # Define protocols used for redirects
>> acl HTTP proto HTTP
>> acl HTTPS proto HTTPS
>
>These have nothing to do with redirects and are never used.
>
>>
>> ### enforce authentication
>> http_access allow auth
>> http_access deny !auth
>>
>
>All possible traffic will match either "auth" or "!auth" above.
>
>That means no http_access rules following this point do anything.
>
>
>> ### standard access rules
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>
>Your custom http_access rules (eg the auth checks) should be down here
>so the basic security rules above have a chance to protect your proxy
>against DoS, traffic smuggling attacks etc. before more complicated and
>resource consuming things happen.
>
>
>> http_access allow localnet
>> http_access allow dmz
>> http_access allow localhost
>> http_access deny all
>>
>
>...
>> visible_hostname eren
>
>The hostname needs to be a FQDN. It is delivered to clients in URLs
>generated by Squid so they can fetch objects directly from the proxy.
>
>FYI: Squid-3 should be able to automatically locate the hostname of the
>machine it is running on. If that is not working then you need to fix
>your machine, other software will be using the same mechanism and
>likewise be encountering problems.
>
>
>> httpd_suppress_version_string on
>> uri_whitespace strip
>>
>>
>> ## squidGuard ##
>> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>> url_rewrite_children 10 startup=5 idle=1 concurrency=0
>> url_rewrite_bypass off
>>
>>
>
>Your traffic in your access.log is all CONNECT requests. Those messages
>cannot be re-written by SquidGuard. So at the very least you require
>this config line:
>
> url_rewrite_access deny CONNECT
>
>
>.. at this point you may notice your SG rules have no effect. This is
>one of many reasons why you should do access control in the proxy
>config, not externally in a complicated and slow helper.
>
>>
>> *messages*
>>
>> Sep 17 11:13:07 proxy kernel: squidGuard[12552]: segfault at
>> ffffffffd7706bb0 ip 00007fdbf2052e70 sp 00007fffd1b73c70 error 5 in
>> libldap-2.4.so.2.10.7[7fdbf2027000+52000]
>> Sep 17 11:13:07 proxy kernel: squidGuard[12553]: segfault at
>> ffffffffa3d27bb0 ip 00007fd79b787e70 sp 00007ffe47e9b880 error 5 in
>> libldap-2.4.so.2.10.7[7fd79b75c000+52000]
>
>...
>
>>
>> If I disable src and acl WEB_BASIC I have no problem. The default acl
>> does its thing without problems.
>> But when I enable src and acl WEB_BASIC squidGuard explodes and squid
>> restarts so I get to notice.
>> I see an error in a libldap library... Will it be a library error? Or am
>> I misconfiguring my squid ?
>>
>
>It is not a Squid error. It is something in SquidGuard and/or the
>library.
>
>Amos
>_______________________________________________
>squid-users mailing list
>squid-users@lists.squid-cache.org
>http://lists.squid-cache.org/listinfo/squid-users
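For readers following the thread, here is the http_access ordering Amos describes, written out as a squid.conf fragment. This is an added example, not a configuration posted by anyone in the thread: the posted rules are kept as comments for comparison, the ACL names (localnet, dmz, auth) and networks are taken from the quoted squid.conf, and it assumes the standard Safe_ports, SSL_ports, CONNECT, manager and localhost ACL definitions from the default squid.conf are present above it.

```conf
# --- Ordering as posted in the thread: the auth pair is decided first ---
#   acl auth proxy_auth REQUIRED
#   http_access allow auth
#   http_access deny !auth
#   http_access deny !Safe_ports          <- never reached
#   http_access deny CONNECT !SSL_ports   <- never reached
#   http_access allow localhost manager   <- never reached
#   http_access deny manager              <- never reached
#   http_access allow localnet            <- never reached
#   ...
# Every request matches either "auth" or "!auth", so Squid stops there and
# the port/manager protections below the pair are dead rules.

# --- Recommended ordering (added example; assumes the default acl
#     definitions for Safe_ports, SSL_ports, CONNECT, manager, localhost) ---
acl localnet src 10.10.8.0/22    # LAN net, from the posted config
acl dmz      src 192.168.20.0/27 # DMZ net, from the posted config
acl auth proxy_auth REQUIRED

# 1. Cheap, credential-free protections first. A request to a junk port or
#    a CONNECT to a non-TLS port is refused before any authentication
#    round-trip or helper call is spent on it.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# 2. Only now demand credentials. "deny !auth" is what triggers the 407
#    challenge for requests that arrive without them.
http_access deny !auth

# 3. The network rules from the posted config, now actually reachable.
http_access allow localnet
http_access allow dmz
http_access allow localhost
http_access deny all

# 4. CONNECT tunnels cannot be rewritten, so keep them away from the
#    url_rewrite_program (SquidGuard here). As Squid access lists default to
#    the opposite of the last matching line, every non-CONNECT request is
#    still passed to the helper.
url_rewrite_access deny CONNECT
```

After editing, `squid -k parse` checks the file for syntax and ACL-reference errors before a reload; it will not tell you that a rule is unreachable, which is why the ordering above has to be reasoned through by hand: Squid evaluates http_access top to bottom and stops at the first line whose ACLs all match.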