Squid 会保留凭证直到重新加载


我已经成功设置了一个 squid 服务器,通过 kerberos/ntlm/ldap 向 samba4 服务器进行身份验证,它们都运行良好(这真是一件美妙的事情!!!:D)

我现在开始制定 ACL,并且希望特定的一组用户拥有不受限制的访问权限。

问题是:当我把我的用户加入 AD 组 Internet Irrestrito 后打开浏览器,可以正常访问;随后我把该用户从组中移除,它却仍然能访问互联网。只有在我执行 squid -k reconfigure 之后再刷新网页或重新打开浏览器,访问才会像预期那样被拒绝。

鉴于我不可能每次修改用户的组成员关系都重新加载 squid,我需要怎么做才能让 squid 在不重新加载的情况下识别到用户组的变化?

我已经调低了 ldap 认证的 credentialsttl(目前设置为 5 小时),但同样的情况仍然发生。此外,公司内一台旧的 squid 服务器上 ttl 也是 5 小时,一旦我们在旧网络的 ldap 服务器上更改了用户的组,用户只需重启浏览器即可生效!

这是我的 squid.conf

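# ---------------------------------------------------------------------------
# Network and port ACLs (Squid's stock defaults).
# ---------------------------------------------------------------------------
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Deny-first hardening: cache manager reachable only from the proxy host,
# no requests to ports outside Safe_ports, and no CONNECT tunnels to
# anything other than 443. These must stay above the allow rules below.
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# ---------------------------------------------------------------------------
# Authentication helpers.
#
# The original listing was pasted with wrapped lines; split tokens such as
# "--    domain=" and "--helper-    protocol=" are rejoined here so the
# helper command lines actually parse.
#
# "-d" and "--diagnostics" are debug switches that make the helpers verbose
# in cache.log; drop them once the setup is confirmed working.
#
# The principal after "-s" and the bind DN after "-D" appear obfuscated in
# this copy of the post ("[email protected]"); the Kerberos service principal
# must be HTTP/<proxy FQDN>@<REALM> and the bind account a real AD user.
# ---------------------------------------------------------------------------

# Negotiate: Kerberos first, NTLM fallback, both behind negotiate_wrapper.
auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper -d --ntlm /usr/local/squid/libexec/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=testserver.LAN --kerberos /usr/local/squid/libexec/negotiate_kerberos_auth -d -s HTTP/[email protected]
auth_param negotiate children 10
auth_param negotiate keep_alive off

# Plain NTLM for clients that do not offer Negotiate.
auth_param ntlm program /usr/local/squid/libexec/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=testserver.LAN
auth_param ntlm children 10
auth_param ntlm keep_alive off

# Basic scheme as last resort (LDAP bind per user).
# Basic sends the user's password base64-encoded on the client->proxy hop, so
# keep it for clients that cannot do Negotiate/NTLM.
# credentialsttl only controls how long Squid trusts a validated Basic
# username:password pair before calling the helper again; it has no effect
# on the group-membership lookup below, which has its own cache.
# -W reads the bind password from a file: that file should be readable only
# by the user Squid runs as.
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -d -R -b "dc=testserver,dc=lan" -D [email protected] -W /usr/local/squid/etc/ldappass -f sAMAccountName=%s -h servidor-001.testserver.lan
auth_param basic children 5
auth_param basic credentialsttl 5 hours
auth_param basic realm testserver Proxy Server

# ---------------------------------------------------------------------------
# Group lookup for the "Internet Irrestrito" AD group.
#
# Squid caches every external ACL answer for ttl= seconds (default 3600, one
# hour, for both positive and negative results). That cache is what kept a
# user online after removal from the group; "squid -k reconfigure" only
# helped because it flushes it. A short ttl/negative_ttl makes membership
# changes visible within about a minute, at the price of one LDAP query per
# user per interval -- tune to taste.
#
# -K strips the Kerberos realm from %LOGIN (user@REALM) so %u is the bare
#    sAMAccountName; -R disables referral chasing, which AD returns for
#    partition-wide searches.
# The filter hard-codes the group DN, so the group name passed on the acl
# line below (received by the helper as %g) does not appear to influence the
# result; the filter alone decides membership.
# The filter is quoted and must contain no whitespace between its components.
# ---------------------------------------------------------------------------
external_acl_type internet_irrestrito ttl=60 negative_ttl=60 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -R -K -b "cn=Users,dc=testserver,dc=lan" -D [email protected] -W /usr/local/squid/etc/ldappass -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=Internet Irrestrito,cn=Users,dc=testserver,dc=lan))" -h servidor-001.testserver.lan

# Any successfully authenticated user (any scheme).
acl auth proxy_auth REQUIRED

# Members of the unrestricted-access group (see filter above).
acl Irrestrito external internet_irrestrito Internet\ Irrestrito

# Group members get full access; everyone else must at least authenticate,
# and currently authenticated non-members fall through to the final deny.
http_access allow Irrestrito auth
http_access deny !auth
http_access allow localhost
http_access deny all

http_port 3128
cache_mgr [email protected]
access_log /usr/local/squid/var/logs/access.log squid
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320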

欢迎提出任何想法,过去两天我在网上搜索都没有成功:(
