Tips and Tux » squid http://www.tipsandtux.org/wordpress di Linux, Foto, Piante Carnivore e non solo... il informatipapàliticarnivoro Fri, 13 Jan 2012 10:15:32 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 VMware Update Manager vs ISA Proxy http://www.tipsandtux.org/wordpress/vmware-update-manager-vs-isa-proxy.html http://www.tipsandtux.org/wordpress/vmware-update-manager-vs-isa-proxy.html#comments Wed, 01 Jun 2011 12:59:56 +0000 superpaia http://www.tipsandtux.org/wordpress/?p=298 If you set a proxy for your VMware VUM with an ISA Proxy it could not work because you obtain “error 502” (see logs kb1003693)… you can set a few thounsands times your names, password, domain and so on… but the problem is another! Not your account, but the relationship between the user who starts the VMware Update Manager service!

Why ? I don’t know, but if you ust configure the VMware Update Manager service to “Log On As” a domain user with proxy rights all works fine! :roll:

Yes, it’s not the maximum to do, but is a functional workaround!

Rif: http://communities.vmware.com/thread/123005

PS It’s necessary set proxy information, in the VUM settings, but not the user… :-(

]]> http://www.tipsandtux.org/wordpress/vmware-update-manager-vs-isa-proxy.html/feed 0 Configurazione trasparent proxy wccp con ASA & Linux http://www.tipsandtux.org/wordpress/configurazione-trasparent-proxy-wccp-con-asa-linux.html http://www.tipsandtux.org/wordpress/configurazione-trasparent-proxy-wccp-con-asa-linux.html#comments Wed, 01 Dec 2010 10:08:27 +0000 superpaia http://www.tipsandtux.org/wordpress/?p=234 http://parvinderbhasin.blogspot.com/2009/06/squid-wccp-and-cisco-asa-setup.html
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2

Come stabilire la connessione WCCP tra linux (squid, si intende già configurato) e Cisco ASA (testato con il 5510)

Sul linux, con squid >2.6 installato:
#modprobe ip_gre
#iptunnel add gre1 mode gre remote 192.168.1.254 local 192.168.1.19 dev eth0
i#fconfig gre1 inet 192.168.1.19 netmask 255.255.255.0 up
#echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
#echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
#echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
#iptables -t nat -A PREROUTING -i gre1 -p tcp -s 192.168.1.0/24 -m tcp –dport 80 -j REDIRECT –to-port 8080
#iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 -m tcp –dport 80 -j REDIRECT –to-port 8080

sul Cisco:
#access-list proxyclients extended deny tcp host 192.168.1.68 any eq www <— per ip che devono fare il bypass del trasparent proxy
#access-list proxyclients extended permit tcp 192.168.1.0 255.255.255.0 any eq www <– ip che saranno soggetti al trasparent proxy
#access-list proxyservers extended permit ip host 192.168.1.19 any
#wccp web-cache redirect-list proxyclients group-list proxyservers
#wccp interface  Lan web-cache redirect in
#wccp web-cache

per vedere lo stato sul Cisco:
sh wccp web-cache detail
e
sh wccp web-cache

NB:
“The only topology that the security appliance supports is when client and cache engine are behind the same interface of the security appliance and the cache engine can directly communicate with the client without going through the security appliance.”

]]> http://www.tipsandtux.org/wordpress/configurazione-trasparent-proxy-wccp-con-asa-linux.html/feed 0 Autenticazione Squid against LDAP Active Directory http://www.tipsandtux.org/wordpress/autenticazione-squid-against-ldap-active-directory.html http://www.tipsandtux.org/wordpress/autenticazione-squid-against-ldap-active-directory.html#comments Tue, 15 Dec 2009 19:02:39 +0000 superpaia http://www.tipsandtux.org/wordpress/?p=16 —– con squid fino 2.5.x e Active directory 2003 —–
** Autentificazione utenti: **
$/usr/sbin/squid_ldap_auth -p -R -b “cn=users,dc=infonetsolutions,dc=loc” -D “cn=Administrator,cn=users,dc=infonetsolutions,dc=loc” -w “PASSWORD” -f “(&(userPrincipalName=%s)(objectClass=person))” 10.13.17.204
TEST:
alessandro password
OK
* quindi in squid.conf:
auth_param basic program /usr/sbin/squid_ldap_auth -p -R -b “cn=users,dc=infonetsolutions,dc=loc” -D “cn=Administrator,cn=users,dc=infonetsolutions,dc=loc” -w “PASSWORD” -f “(&(userPrincipalName=%s)(objectClass=person))” 10.13.17.204
+
acl password proxy_auth REQUIRED
+
http_access allow password
—– con squid >2.6 e Active directory 2003 (testato con squid di ubuntu 7.04 e AD 2003 infonet) —–
** Autentificazione utenti: **
$/usr/lib/squid/ldap_auth -p -R -b “cn=users,dc=infonetsolutions,dc=loc” -D “cn=Administrator,cn=users,dc=infonetsolutions,dc=loc” -w “PASSWORD” -f sAMAccountName=%s -h 10.13.17.204
TEST:
alessandro password
OK
*quindi in squid.conf:
auth_param basic program /usr/lib/squid/ldap_auth -p -R -b “cn=users,dc=infonetsolutions,dc=loc” -D “cn=Administrator,cn=users,dc=infonetsolutions,dc=loc” -w “PASSWORD” -f sAMAccountName=%s -h 10.13.17.204
+
acl password proxy_auth REQUIRED
+
http_access allow password
** Autentificazione gruppi di Active directory: ***
prerequisito è che l’autentificazione utenti standard funzioni
(auth_param basic program /usr/lib/squid/ldap_auth -p -R -b “cn=users,dc=infonetsolutions,dc=loc” -D “cn=Administrator,cn=users,dc=infonetsolutions,dc=loc” -w “PASSWORD” -f sAMAccountName=%s -h 10.13.17.204)
+
external_acl_type GruppoDiRete %LOGIN /usr/lib/squid/squid_ldap_group -R -b “dc=infonetsolutions,dc=loc” -D “cn=Administrator,cn=Users,dc=infonetsolutions,dc=loc” -w “PASSWORD” -f “(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=Citrix,dc=infonetsolutions,dc=loc))” -h 10.13.17.204
+
acl password-gruppi proxy_auth REQUIRED
+
acl AccessoInternet external GruppoDiRete Ctx_Internet  # QUEST’ULTIMO È IL GRUPPO IN AD
+
http_access allow AccessoInternet
— Riferimenti: —
http://www.squid-cache.org
http://www.papercut.biz/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

Ecco le informazioni per impostare l’autenticazione esplicita di un proxy Squid su GNU/Linux verso un server LDAP Active Directory.

—– con squid fino 2.5.x e Active directory 2003 (testato con Sles verso Ad 2003) —–

** Autenticazione utenti: **

inserire in squid.conf:

auth_param basic program /usr/sbin/squid_ldap_auth -p -R -b “cn=users,dc=dominio,dc=loc” -D “cn=squid,cn=users,dc=dominio,dc=loc” -w “PASSWORD” -f “(&(userPrincipalName=%s)(objectClass=person))” IpAddressLdapServer

&

acl password proxy_auth REQUIRED

&

http_access allow password

—– con squid >2.6 e Active directory 2003 (testato con squid di ubuntu 7.04 e SLES verso AD 2003) —-

** Autenticazione utenti: **

inserire in in squid.conf:

auth_param basic program /usr/lib/squid/ldap_auth -p -R -b “cn=users,dc=dominio,dc=loc” -D “cn=squid,cn=users,dc=dominio,dc=loc” -w “PASSWORD” -f sAMAccountName=%s -h IpAddressLdapServer

&

acl password proxy_auth REQUIRED

&

http_access allow password

** Autenticazione degli utenti e gruppi di Active directory: ***

con questa configurazione gli utenti oltre ad autenticare sè stessi devono anche appartenere ad un determinato gruppo di Active Directory per poter accedere ad internet tramite il proxy

(prerequisito è che l’autentificazione utenti standard funzioni)

auth_param basic program /usr/lib/squid/ldap_auth -p -R -b “cn=users,dc=dominio,dc=loc” -D “cn=squidr,cn=users,dc=dominio,dc=loc” -w “PASSWORD” -f sAMAccountName=%s -h IpAddressLdapServer

&

external_acl_type GruppoDiRete %LOGIN /usr/lib/squid/squid_ldap_group -R -b “dc=dominio,dc=loc” -D “cn=squid,cn=Users,dc=dominio,dc=loc” -w “PASSWORD” -f “(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=SquidGroup,dc=dominio,dc=loc))” -h IpAddressLdapServer

&

acl password-gruppi proxy_auth REQUIRED

&

acl AccessoInternet external GruppoDiRete SquidGroup  # QUEST’ULTIMO È IL GRUPPO IN AD

&

http_access allow AccessoInternet

— Riferimenti: —

http://www.squid-cache.org

http://www.papercut.biz/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory

ENJOY :-)

]]> http://www.tipsandtux.org/wordpress/autenticazione-squid-against-ldap-active-directory.html/feed 0