Re: [squid-users] Using multiple auth scheme types in one squid instance?

From: Chris Robertson <crobertson@dont-contact.us>
Date: Thu, 20 Mar 2008 16:46:19 -0800

Adrian wrote:
> On Mon, Mar 17, 2008 at 9:25 PM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>
>
>> Squid does not differentiate the types of auth a user has done.
>> It tries all methods it's configured with (in the order configured) until
>> one succeeds. The common way to do this appears to be to use the
>> least-accepting method first and failover to the most-accepting. Or
>> vice-versa depending on the situation.
>>
>
> I want to put 'trusted' users through NTLM fakeauth so I can capture
> their usernames without bothering them with a popup auth box. For the
> 'untrusted' user subnets, I want to give them a popup box and make
> them authenticate.
>
> Since fakeauth will always pass, I can't just configure the schemes in
> succession. I was thinking of writing my own fakeauth code which
> rejected anything in my 'untrusted' IP list forcing it to the next auth
> scheme, but I don't think the IP address is passed to authenticate
> scheme by squid to check against?
>
> Any other ideas?
>
> Thanks,
> Adrian.
>

Three Squid instances. The front one (that everyone connects to)
decides which parent to use depending on src IP. Trusted users are sent
to an instance set up using fakeauth, others are sent to the third
instance which uses basic auth. The two parents don't have to do any
caching, or any logging (that can all be handled by the first instance),
but are just there to provide authentication details.

I give no guarantees of the stability or scalability of this set-up, but
it should do what you want.

Chris
Received on Thu Mar 20 2008 - 18:46:24 MDT
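
A sketch of the three-instance layout Chris describes, added here as an example and not taken from the thread or from the Squid project. The subnets, ports, peer names and helper paths are assumptions or placeholders. The parents listen on loopback only because fakeauth accepts any username a client claims, so nothing but the front instance should be able to reach them.

```conf
# ---- front.conf: the instance every client connects to ----
http_port 3128
# Constructed example ranges; replace with the real subnets.
acl trusted src 192.0.2.0/24
acl clients src 192.0.2.0/24 198.51.100.0/24
http_access allow clients
http_access deny all
# Two parents on the same host need distinct ports and name= labels.
# login=PASS relays the client's proxy credentials to the parent. Squid
# documents it for Basic; whether an NTLM handshake survives the extra
# hop depends on the Squid version and must be tested (assumption).
cache_peer 127.0.0.1 parent 3129 0 no-query no-digest login=PASS name=fakeauth_peer
cache_peer 127.0.0.1 parent 3130 0 no-query no-digest login=PASS name=basic_peer
# Route by source address: trusted -> fakeauth, everyone else -> basic.
cache_peer_access fakeauth_peer allow trusted
cache_peer_access fakeauth_peer deny all
cache_peer_access basic_peer deny trusted
cache_peer_access basic_peer allow all
# Never fetch directly, so no request can skip an authenticating parent.
never_direct allow all

# ---- fakeauth.conf: parent for the trusted subnets ----
http_port 127.0.0.1:3129
# Placeholder path to the NTLM fakeauth helper shipped with Squid.
auth_param ntlm program /path/to/ntlm-fakeauth-helper
acl front src 127.0.0.1
acl authed proxy_auth REQUIRED
# Only the front instance may use this parent; fakeauth verifies nothing.
http_access deny !front
http_access allow authed
http_access deny all

# ---- basic.conf: parent for everyone else ----
http_port 127.0.0.1:3130
# Placeholder helper and password file.
auth_param basic program /path/to/basic-auth-helper /path/to/passwd
auth_param basic realm proxy
acl front src 127.0.0.1
acl authed proxy_auth REQUIRED
http_access deny !front
http_access allow authed
http_access deny all
```

Usernames captured through the fakeauth parent are unverified client claims, so they are suitable for labelling traffic from the trusted subnets but not as a basis for access decisions.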
