Squid 6.10 + AD/LDAP Auth+ E2g Help
53 views
Skip to first unread message
Ricardo Benlizar
Jan 23, 2025, 2:47:32 PMJan 23
to e2guardian
To be honest I have looked at many articles from the google group and github issues. Most are from 2020 or older. I do not know how to complete my integration. I currently have Squid 6.10 installed with SSLbumping (MiTM) working properly. I currently use ICAP with a standalone ICAP server but would like to switch over to E2g for content filtering and virus scanning. I am lost on what steps I should take given that I have used the following configurations in my Squid setup with no success.
# ICAP Configuration
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_log /var/log/squid/icap.log
adaptation_send_client_ip on
adaptation_send_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode off
adaptation_access service_req allow all
adaptation_access service_resp allow all
icap_send_client_ip on
icap_send_client_username on
adaptation_masterx_shared_names X-ICAP-E2G
icap_service_failure_limit 1 in 1 seconds
icap_connect_timeout 10 seconds
icap_io_timeout 15 seconds
icap_service_revival_delay 10
# MIME type ACLs for ICAP scanning
acl SCAN_MIME rep_mime_type ^application/.*
acl SCAN_MIME rep_mime_type ^text/.*
# ICAP Services
icap_service service_req reqmod_precache bypass=on icap://192.168.3.39:1344/request
icap_service service_resp respmod_precache bypass=on icap://192.168.3.39:1344/response
# ICAP Access Control
adaptation_access virus_scan_req allow all
adaptation_access virus_scan_resp allow SCAN_MIME
adaptation_access virus_scan_resp deny all
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_log /var/log/squid/icap.log
adaptation_send_client_ip on
adaptation_send_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode off
adaptation_access service_req allow all
adaptation_access service_resp allow all
icap_send_client_ip on
icap_send_client_username on
adaptation_masterx_shared_names X-ICAP-E2G
icap_service_failure_limit 1 in 1 seconds
icap_connect_timeout 10 seconds
icap_io_timeout 15 seconds
icap_service_revival_delay 10
# MIME type ACLs for ICAP scanning
acl SCAN_MIME rep_mime_type ^application/.*
acl SCAN_MIME rep_mime_type ^text/.*
# ICAP Services
icap_service service_req reqmod_precache bypass=on icap://192.168.3.39:1344/request
icap_service service_resp respmod_precache bypass=on icap://192.168.3.39:1344/response
# ICAP Access Control
adaptation_access virus_scan_req allow all
adaptation_access virus_scan_resp allow SCAN_MIME
adaptation_access virus_scan_resp deny all
My e2guardians have the following configs:
From contentcanners/icapscan.conf
plugname = 'icapscan'
# ICAP URL
# Use hostname rather than IP address
# Always specify the port
#
icapurl = 'icap://192.168.3.39:1344/avscan'
# ICAP URL
# Use hostname rather than IP address
# Always specify the port
#
icapurl = 'icap://192.168.3.39:1344/avscan'
From e2guardian.conf
#port for ICAP
#if defined enables icap mode
icapport = 1344
# the ip of upstream proxy - optional - if blank e2g will go direct to sites.
# default is "" i.e. no proxy
#proxyip = 192.168.3.253
# the port e2guardian connects to proxy on
#proxyport = 3128
# Proxy timeout
# Set tcp timeout between the Proxy and e2guardian
# This is a connection timeout
# If proxy is remote you may need to increase this to 10 or more.
# Min 5 - Max 100
proxytimeout = 5
# Connect timeout
# Set tcp timeout between the e2guardian and upstream service (proxy or target host)
# This is a connection timeout
# For remote sites you may need to increase this to 10 or more.
# Min 1 - Max 100
# default 3
connecttimeout = 5
#port for ICAP
#if defined enables icap mode
icapport = 1344
# the ip of upstream proxy - optional - if blank e2g will go direct to sites.
# default is "" i.e. no proxy
#proxyip = 192.168.3.253
# the port e2guardian connects to proxy on
#proxyport = 3128
# Proxy timeout
# Set tcp timeout between the Proxy and e2guardian
# This is a connection timeout
# If proxy is remote you may need to increase this to 10 or more.
# Min 5 - Max 100
proxytimeout = 5
# Connect timeout
# Set tcp timeout between the e2guardian and upstream service (proxy or target host)
# This is a connection timeout
# For remote sites you may need to increase this to 10 or more.
# Min 1 - Max 100
# default 3
connecttimeout = 5
Last note - I see the following authplugin as an option in e2guardian.conf but the file does not exist under the plugin directory - '/etc/e2guardian/authplugins/proxy-header.conf
Thank you for any help and direction. I so appreciate the work you all do for the project.
Ricardo Benlizar
Jan 24, 2025, 9:34:46 AMJan 24
to e2guardian
Ok, update I found that I had to run the squid proxy has an upstream process for the icap service to work as expected. Now my challenge is how do I get the username from the authentication happening on Squid proxy. Please let me know which logs you may need to help diagnose my issue. Thank you. The logs I currently have available. For squid -> access.logs, cache.log, For e2guardian -> access.log, requests.log.
I was also having problems with the ICAP antivirus scanning until I found the contentscanner directives in the e2guardian config file. I ran freshclam and then started clamav-daemon.service. After this, I uncommented the scanner for clamav in the e2guardian.conf. I also have a standalone ICAP server that I added to the ICAPscan.conf I then uncommented the associated content scanner in e2guardian.conf as well. I did this as a fail-safe. The virus scanning is working as expected.
So now I am mainly just focused on getting the username to e2guardian so that I can start to create stories for different users groups. Until then I will testing ip filtering. Thank you.
Reply all
Reply to author
Forward
0 new messages