8 Replies. Latest reply: Dec 18, 2013 11:40 PM by mirbond

    SQUID+ NDLP Prevent



      Has anyone successfully used NDLP with Squid? And if yes, can you provide the config?




        • 1. Re: SQUID+ NDLP Prevent

          Hi George and everybody !

          Have you found an answer to this question? And if yes, could you please share it?

          • 2. Re: SQUID+ NDLP Prevent

            I don't have squid installed with which to test anything, but the SQUID folks have the configuration you should need here.


            There will be a few differences. You will need to substitute the address of your Prevent system where you see localhost. Also, Prevent uses /REQMOD and /RESPMOD where the SQUID documentation uses /request and /response.

            • 3. Re: SQUID+ NDLP Prevent

              I'd be really happy to hear that somebody from the community has already done such an integration. Thanks in advance.

              • 4. Re: SQUID+ NDLP Prevent

                Hi mirbond,


                I would expect that a SQUID deployment may have many specifics for a given environment (things such as SSL bump, user auth and so on), but here are the ICAP lines from my lab which are required to get the ICAP service on SQUID working with NDLP (IP address is just an example):


                icap_enable on

                icap_service service_req reqmod_precache 0 icap://

                adaptation_access service_req allow all


                That is the working configuration on Squid 3.1.19


                Any more detail would require an understanding of the specific requirements for Squid, but the above should be enough to get it working with NDLP Prevent.


                You might find it tricky to get ICAP set up and working in the first place in SQUID, but there are plenty of discussions around this in the SQUID forums. It may also help to look for specific info on SQUID for the specific distro you are working with, so you know the specific version that is shipped on the OS and what it supports. Until recently the easiest way to get ICAP working on SQUID was to compile it from source with the required modules.


                Hope this helps.


                on 10/12/13 21:11:11 GMT
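Before touching Squid, it helps to confirm that the ICAP server answers on the service path being configured (the /REQMOD path mentioned in reply 2). The following is an added example, not code from the thread or from either product: it builds an ICAP OPTIONS request as defined in RFC 3507 and parses the reply. The address 192.0.2.10, port 1344 and the sample reply are constructed placeholders.

```python
import socket
from urllib.parse import urlsplit

# Constructed OPTIONS reply in RFC 3507 format; not captured from a real server.
SAMPLE_REPLY = (b'ICAP/1.0 200 OK\r\nMethods: REQMOD\r\nISTag: "constructed-1"\r\n'
                b"Preview: 0\r\nAllow: 204\r\nEncapsulated: null-body=0\r\n\r\n")

def build_options(url):
    """Build an ICAP OPTIONS request (RFC 3507) for an icap:// service URL."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("service URL needs a host, e.g. icap://192.0.2.10:1344/REQMOD")
    return f"OPTIONS {url} ICAP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def parse_reply(raw):
    """Return (status_code, headers) parsed from the head of an ICAP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    status_line, *lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def supports(raw, method):
    """True when the reply is 200 and its Methods header lists `method`."""
    code, headers = parse_reply(raw)
    listed = [m.strip().upper() for m in headers.get("methods", "").split(",")]
    return code == 200 and method.upper() in listed

def probe(url, timeout=5.0):
    """Send OPTIONS to the ICAP server named in `url` and parse its reply."""
    target = urlsplit(url)
    # 1344 is the ICAP default port; the port your server uses is an assumption here.
    with socket.create_connection((target.hostname, target.port or 1344), timeout) as sock:
        sock.sendall(build_options(url))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_reply(buf)
```

A `ValueError` from `parse_reply` usually means the port is answering with something other than ICAP, and a truncated `icap://` URL with no host is rejected before any connection is made.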
                • 5. Re: SQUID+ NDLP Prevent

                  Hi mdnramos


                  Thanks for your advice.

                  We had success with Squid 3.1.19 and NDLP Prevent 9.3 Virtual Appliance.

                  But ICAP works properly only if user authentication on Squid is disabled.

                  When user auth. is enabled I received "ICAP Server Error".


                  For the customer, authentication is critical.


                  Can you provide some instructions on how I can enable Squid & Prevent with user authentication enabled?




                  Info about Squid


                  >>>> # squid -v

                  >>>> Squid Cache: Version 3.1.19

                  >>>> configure options:  '--prefix=/usr' '--build=i686-pc-linux-gnu'

                  >>>> '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man'

                  >>>> '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc'

                  >>>> '--localstatedir=/var/lib' '--disable-dependency-tracking'

                  >>>> '--sysconfdir=/etc/squid' '--libexecdir=/usr/libexec/squid'

                  >>>> '--localstatedir=/var' '--with-pidfile=/var/run/squid.pid'

                  >>>> '--datadir=/usr/share/squid' '--with-logdir=/var/log/squid'

                  >>>> '--with-default-user=squid' '--enable-auth=basic,digest,negotiate,ntlm'

                  >>>> '--enable-removal-policies=lru,heap'

                  >>>> '--enable-ntlm-auth-helpers=fakeauth'

                  >>>> '--enable-negotiate-auth-helpers='

                  >>>> '--enable-useragent-log' '--enable-cache-digests'

                  >>>> '--enable-delay-pools'

                  >>>> '--enable-referer-log' '--enable-arp-acl' '--with-large-files'

                  >>>> '--with-filedescriptors=8192' '--disable-strict-error-checking'

                  >>>> '--without-libcap' '--disable-ipv6' '--disable-snmp' '--enable-ssl'

                  >>>> '--enable-icap-client' '--disable-ecap' '--disable-zph-qos'

                  >>>> '--disable-mit' '--disable-heimdal' '--enable-storeio=ufs,diskd,aufs'

                  >>>> '--enable-linux-netfilter' '--disable-linux-tproxy' '--enable-epoll'

                  >>>> 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu'

                  >>>> 'CC=i686-pc-linux-gnu-gcc' 'CFLAGS=-march=native -O2 -pipe

                  >>>> -fomit-frame-pointer' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'

                  >>>> 'CXXFLAGS=-march=native -O2 -pipe -fomit-frame-pointer'



                  Message was edited by: vrad on 12/16/13 2:40:55 AM CST
                  • 6. Re: SQUID+ NDLP Prevent

                    Hi vrad,


                    Are you able to post your squid config here? Obviously you may omit any parts that may be sensitive, but I would be particularly interested in the authentication and ICAP sections.

                    • 7. Re: SQUID+ NDLP Prevent

                      Here is my config:



                      # OPTIONS FOR AUTHENTICATION

                      # -----------------------------------------------------------------------------


                      auth_param basic program /usr/libexec/squid/squid_ldap_auth \

                        -R -b "DC=test,DC=com" -D "xxx@test.com" -w passw0rd -f "sAMAccountName=%s"



                      # ACCESS CONTROLS

                      # -----------------------------------------------------------------------------


                      external_acl_type active_directory_group ttl=900 %LOGIN /usr/libexec/squid/squid_ldap_group \

                        -R -b "DC=test,DC=com" -D "xxx@test.com" -w passw0rd \

                        -f "(&(sAMAccountName=%u)(memberOf=CN=%g,OU=Proxy,OU=Internet Services,DC=test,DC=com))"



                      acl manager proto cache_object

                      acl localhost src

                      acl to_localhost dst


                      acl SSL_ports port 443

                      acl Safe_ports port 80

                      acl Safe_ports port 21

                      acl Safe_ports port 443

                      acl Safe_ports port 70

                      acl Safe_ports port 210

                      acl Safe_ports port 1025-65535

                      acl Safe_ports port 280

                      acl Safe_ports port 488

                      acl Safe_ports port 591

                      acl Safe_ports port 777

                      acl Safe_ports port 901

                      acl CONNECT method CONNECT


                      acl dummy src


                      acl allowed_sites dstdomain "/etc/squid/lists/allowed_sites"

                      acl blocked_files urlpath_regex -i "/etc/squid/lists/blocked_files"

                      acl blocked_sites dstdom_regex  -i "/etc/squid/lists/blocked_sites"


                      acl ad_proxy_users external active_directory_group Proxy_Users


                      acl ad_speed_128k external active_directory_group speed_128k

                      acl ad_speed_256k external active_directory_group speed_256k


                      acl ad_allowed_sites external active_directory_group allowed_sites

                      acl ad_blocked_files external active_directory_group blocked_files

                      acl ad_blocked_sites external active_directory_group blocked_sites



                      http_access allow manager localhost

                      http_access deny  manager


                      http_access deny !Safe_ports

                      http_access deny CONNECT !SSL_ports

                      http_access deny to_localhost


                      http_access deny ad_speed_128k dummy

                      http_access deny ad_speed_256k dummy


                      http_access deny ad_blocked_files blocked_files

                      http_access deny ad_blocked_sites blocked_sites


                      http_access allow ad_proxy_users


                      http_access allow ad_allowed_sites allowed_sites


                      http_access deny all



                      # NETWORK OPTIONS

                      # -----------------------------------------------------------------------------






                      # DISK CACHE OPTIONS

                      # -----------------------------------------------------------------------------


                      cache_dir aufs /var/cache/squid 32768 64 256



                      # LOGFILE OPTIONS

                      # -----------------------------------------------------------------------------


                      access_log /var/log/squid/access.log



                      # OPTIONS FOR TUNING THE CACHE

                      # -----------------------------------------------------------------------------


                      acl QUERY urlpath_regex cgi-bin \?

                      cache deny QUERY


                      acl FTP proto FTP

                      cache deny FTP


                      cache deny blocked_files



                      # DELAY POOL PARAMETERS

                      # -----------------------------------------------------------------------------


                      delay_pools 2


                      delay_class 1 2

                      delay_class 2 2


                      delay_access 1 allow ad_speed_128k

                      delay_access 1 deny all

                      delay_access 2 allow ad_speed_256k

                      delay_access 2 deny all


                      delay_parameters 1 128000/128000 16000/16000

                      delay_parameters 2 256000/256000 32000/32000




                      # -----------------------------------------------------------------------------


                      server_persistent_connections off



                      # ICAP OPTIONS

                      # -----------------------------------------------------------------------------


                      icap_enable on


                      #icap_preview_size 128

                      #icap_send_client_ip on

                      #icap_send_client_username on


                      icap_service service_req reqmod_precache bypass=on icap://



                      # MESSAGE ADAPTATION OPTIONS

                      # -----------------------------------------------------------------------------


                      adaptation_access service_req allow all
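A small lint for the ICAP-related directives in a config like the one posted above, as an added example that is not part of the thread and not a Squid tool. The finding names, the placeholder ICAP address and the placeholder LDAP secret are assumptions, and the check does not diagnose the "ICAP Server Error" reported with authentication enabled.

```python
import re
import shlex

# Constructed sample in the shape of the config posted above. The ICAP address
# (documentation range 192.0.2.0/24) and the LDAP secret are placeholders.
SAMPLE_CONF = r'''
auth_param basic program /usr/libexec/squid/squid_ldap_auth \
  -R -b "DC=test,DC=com" -D "xxx@test.com" -w EXAMPLE-SECRET -f "sAMAccountName=%s"
icap_enable on
#icap_send_client_username on
icap_service service_req reqmod_precache bypass=on icap://192.0.2.10:1344/REQMOD
adaptation_access service_req allow all
'''

def directives(conf):
    """Join backslash continuations, drop comments and blanks, tokenize."""
    lines = re.sub(r"\\\n", " ", conf).splitlines()
    return [shlex.split(l) for l in map(str.strip, lines) if l and not l.startswith("#")]

def audit(conf):
    """Return sorted finding codes for the ICAP-related settings in conf."""
    d = directives(conf)
    found = set()
    if ["icap_enable", "on"] not in d:
        found.add("icap-disabled")
    services = [t for t in d if t[0] == "icap_service" and len(t) >= 4]
    for t in services:
        # The last token is the service URL; it needs a host and a service path.
        if not re.fullmatch(r"icap://[^/\s:]+(:\d+)?/\S+", t[-1]):
            found.add("icap-url-incomplete")
        # bypass=on/1 (or the older positional 1) lets traffic through
        # uninspected whenever the ICAP server fails.
        if {"bypass=on", "bypass=1"} & set(t) or t[3] == "1":
            found.add("fail-open-bypass")
    names = {t[1] for t in services}
    if not any(t[0] == "adaptation_access" and len(t) > 2 and t[1] in names
               and t[2] == "allow" for t in d):
        found.add("no-adaptation-access")
    # With proxy auth on, the ICAP server only sees the user name if Squid sends it.
    if any(t[0] == "auth_param" for t in d) and \
            ["icap_send_client_username", "on"] not in d:
        found.add("username-not-sent-to-icap")
    # A literal -w password sits in squid.conf and on the helper command line.
    if any("-w" in t for t in d if t[0] in ("auth_param", "external_acl_type")):
        found.add("ldap-password-in-config")
    return sorted(found)
```

With `bypass=on` a DLP check fails open, so an unreachable ICAP server means unscanned uploads rather than blocked ones. `squid_ldap_auth` and `squid_ldap_group` accept `-W secretfile` as an alternative to `-w`, which keeps the bind password out of squid.conf and the process list.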

                      • 8. Re: SQUID+ NDLP Prevent

                        Hi Mdnramos, hi everybody!


                        Any ideas on how to get a result with Squid 3.1.19 and user authentication enabled?