RE: [squid-users] I want NO login dialog when a user is unauthenticated (if its possible..)

From: Chris Robertson <crobertson@dont-contact.us>
Date: Thu, 7 Jul 2005 14:50:55 -0800

> -----Original Message-----
> From: Matte Nilsson [mailto:condmaster@hotmail.com]
> Sent: Thursday, July 07, 2005 5:30 AM
> To: squid-users@squid-cache.org
> Cc: matte@holmenpaper.com
> Subject: [squid-users] I want NO login dialog when a user is
> unauthenticated (if its possible..)
>
>
> Hello!
>
> I run a squid/2.5.STABLE10 in a 1000 user enviroment on a SUSE SLES9 server
> with Samba 3.0.9 configured for MS AD.
>
> Everything works just fine with the group authenication against MS AD. But
> my problem is that when users without Internet Access Try to access the
> internet the login dialog appears, and its like a closed door to a cat -
> they are trying other peoples accounts, and lock them out.
>
> So my question is.. Are there any way to disable the login dialog for users
> with no internet access??
> Here is my squid.conf:
>
>
> http_port 10.52.5.201:8080
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> log_fqdn on
> client_netmask 255.255.255.255
> dns_nameservers 10.52.17.201 10.52.17.202
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of=S-1-5-21-1187005629-1892371507-1230779191-4288
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> --require-membership-of=S-1-5-21-1187005629-1892371507-1230779191-4288
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> #*********************************************************************
> acl InternetAccess proxy_auth REQUIRED
> #*********************************************************************
> acl special_url url_regex -i "/usr/local/squid/etc/open_sites.txt"
> #*********************************************************************
> http_access allow special_url
> http_access allow InternetAccess
> #*********************************************************************
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object HTTP
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80
> acl Safe_ports port 2001
> acl Safe_ports port 3001
> acl Safe_ports port 21
> acl Safe_ports port 443 563
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT

Remove the "auth_param basic" lines. No more authentication pop-up. Otherwise, prevent the workstations that people without internet access use from accessing the proxy at all. Third option, use wbinfo_group.pl to separate those that have internet access from those that don't. A setup guide of unknown accuracy is available at http://www.flatmtn.com/computer/Linux-SquidNT.html#Squid-4

Chris
Received on Thu Jul 07 2005 - 16:50:56 MDT

This archive was generated by hypermail pre-2.1.9 : Mon Aug 01 2005 - 12:00:02 MDT