我已经成功设置了一个 squid 服务器,通过 kerberos/ntlm/ldap 向 samba4 服务器进行身份验证,它们都运行良好(这真是一件美妙的事情!!!:D)
我现在开始制定 ACL,并且希望特定的一组用户拥有不受限制的访问权限。
问题是,当我将我的用户添加到 AD 组 Internet Irrestrito 并打开我的浏览器时,它可以正常工作,我将我的用户从组中删除,但它仍然可以访问互联网,如果我执行 squid -k 重新配置,然后重新加载网站或重新打开浏览器,那么它会拒绝我的访问,就像它之前应该做的那样。
鉴于我不能每次更改用户组时都重新加载 squid,我需要做什么才能让 squid 识别用户组中的变化而无需重新加载它?
我已将 ldap auth 上的 ttl 更改为非常低的设置(目前设置为 5 小时),但同样的情况发生了。此外,在公司内的一个旧 squid 盒上,ttl 也是 5 小时,一旦我们将用户从旧网络 ldap 服务器更改,用户只需重新启动浏览器即可完成!
这是我的 squid.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper -d --ntlm /usr/local/squid/libexec/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp -- domain=testserver.LAN --kerberos /usr/local/squid/libexec/negotiate_kerberos_auth -d -s HTTP/[email protected]
auth_param negotiate children 10
auth_param negotiate keep_alive off
auth_param ntlm program /usr/local/squid/libexec/ntlm_auth --diagnostics --helper- protocol=squid-2.5-ntlmssp --domain=testserver.LAN
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -d -R -b "dc=testserver,dc=lan" -D [email protected] -W /usr/local/squid/etc/ldappass -f sAMAccountName=%s -h servidor-001.testserver.lan
auth_param basic children 5
auth_param basic credentialsttl 5 hours
auth_param basic realm testserver Proxy Server
external_acl_type internet_irrestrito %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -R -K -b "cn=Users,dc=testserver,dc=lan" -D [email protected] -W /usr/local/squid/etc/ldappass -f "(&(objectclass=person)(sAMAccountName=%u) (memberof=cn=Internet Irrestrito,cn=Users,dc=testserver,dc=lan))" -h servidor- 001.testserver.lan
acl auth proxy_auth REQUIRED
acl Irrestrito external internet_irrestrito Internet\ Irrestrito
http_access allow Irrestrito auth
http_access deny !auth
http_access allow localhost
http_access deny all
http_port 3128
cache_mgr [email protected]
access_log /usr/local/squid/var/logs/access.log squid
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
欢迎提出任何想法,过去两天我在网上搜索都没有成功:(