RE: [squid-users] Forwarding request to upstream auth and proxyserver

From: Henrik Nordström <hno@dont-contact.us>
Date: Fri, 23 Aug 2002 07:09:47 +0200 (CEST)

Require authentication at the proxy.

For automatic authentication to the proxy you can use ntlm (Squid-2.5
feature). Assumes your users are logging in to a domain. Users not logged
in will be requested to log in when trying to access the Internet.

Regards
Henrik

On Fri, 23 Aug 2002, Andrew Loughnan wrote:

> Does anyone know how I can stop users who do not log on (we run Windows 98 on the workstations) accessing the internet, as users
> are not forced to log in as they can press Esc key but still open IE.
>
>
> -----Original Message-----
> From: Henrik Nordström [mailto:hno@marasystems.com]
> Sent: Thursday, 22 August 2002 8:15 AM
> To: Andrew Loughnan
> Cc: Squid-Users (E-mail)
> Subject: Re: [squid-users] Forwarding request to upstream auth and
> proxyserver
>
>
>
> For this you probably need to configure Squid to provide a hardcoded
> username+password in the cache_peer directive. See the login=...
> cache_peer option.
>
> If both proxies use the same user database then Squid-2.5 can be
> configured to "transparently" forward the proxy authentication to the
> parent.
>
> HTTP only supports one set of proxy user credentials per request. The user
> cannot get two login questions.
>
> Regards
> Henrik
>
>
> On Wed, 21 Aug 2002, Andrew Loughnan wrote:
>
> >
> > I have a problem that I hope can be solved. I want to be able to authenticate locally via smb_auth against our W2k domain controllers and then forward the request to our upstream proxy server where the users need to be authenticated again. I have tried all manners of different config as I think it has something to do with the "always_direct", "never_direct" rules but just playing with these gets me confused.
> >
> > I am running SQUID-2.4.STABLE-6.7.3 on a Red Hat 7.3 server.
> >
> > We are connected to our upstream proxy via a VPN on address 10.13.144.0/23 where the internet users get authenticated. Our internal network is on a 10.0.4.0/23.
> > Here is a snippet of our proxy config file. I hope someone can be of assistance.
> >
> > http_port 8080
> > cache_peer proxy parent 3128 0 default no-query
> > authenticate_program /usr/lib/squid/smb_auth -W STUDENT -U 10.0.4.2
> > authenticate_children 12
> > acl students proxy_auth REQUIRED
> > proxy_auth_realm Student Internet Authentification
> >
> > #Defaults:
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl cache dst 10.130.144.0/255.255.254.0
> > acl localsrv src 10.0.4.1-10.0.4.49
> >
> > #
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 81 # http2
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 563 # https, snews
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> >
> > #Default configuration:
> > http_access allow manager localhost
> > http_access allow manager localsrv
> > http_access deny !Safe_ports
> > http_access deny manager
> > #
> > http_access allow localhost
> > http_access allow localsrv
> > http_access deny manager
> > http_access allow students
> > http_access deny all
> >
> >
> > #$Included to allow transfer through SINA Realm
> > always_direct allow students
> > always_direct deny all
> > #never_direct allow localnet
> > #never_direct allow cache
> > #never_direct allow students
> > ie_refresh on
> >
> > Thanks
> >
> > Andrew Loughnan, MCP
> > Computer Services Manager
> > St Joseph's College
> > 135 Aphrasia St
> > Geelong, Victoria Australia
> > 3220
> > Ph +61 3 5226-8100
> > DD +61 3 5226-8165
> > Fax +61 3 5221-6983
> > E-mail: <andrewl@sjc.vic.edu.au>
> > WWW: <http://www.sjc.vic.edu.au>
> >
> >
>
Received on Thu Aug 22 2002 - 23:09:55 MDT
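
Added example, not part of the original messages or of the Squid project's documentation: a squid.conf fragment showing the two cache_peer login options Henrik describes, with the posted "always_direct allow students" (which sends authenticated requests straight to origin servers, so they never reach the parent) replaced by never_direct. The peer name "proxy" and port 3128 come from the posted config; PEERUSER and PEERPASSWORD are placeholders, and the authenticate_program lines are assumed to stay as posted.

```conf
# Added example; PEERUSER / PEERPASSWORD are placeholders, not real values.

# Option 1 (login=user:password): users authenticate to this Squid via
# smb_auth; this Squid then presents one fixed account to the parent.
cache_peer proxy parent 3128 0 default no-query login=PEERUSER:PEERPASSWORD

# Option 2 (Squid-2.5, both proxies share the same user database):
# relay each user's own proxy credentials to the parent instead.
# Use one cache_peer line or the other, not both.
#cache_peer proxy parent 3128 0 default no-query login=PASS

acl all src 0.0.0.0/0.0.0.0
acl students proxy_auth REQUIRED

# Require a proxy login before anything is allowed out. An "allow" rule
# placed above this one for a source range (such as "allow localsrv" in
# the posted config) lets those hosts through without any login.
http_access allow students
http_access deny all

# Never go direct: every request must leave through the parent, where the
# credentials chosen above are presented. This replaces the posted
# "always_direct allow students" / "always_direct deny all" pair.
never_direct allow all
```

With option 1 the parent's password is stored in clear text in squid.conf, so restrict read access to that file. Either option sends the credentials to the parent as HTTP Basic proxy authentication, which is only as private as the link between the two proxies.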
