Re: [squid-users] redirecting unauthenticated users

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 27 Apr 2009 12:57:34 +1200 (NZST)

>
> Hi,
>
> I have a question. I'd like to have squid configured for the following:
>
> - User opens browser (with squid proxy configured) and gets redirected to
> a login page
> - The browser prompts for a proxy username/password.
> - if the user provided a good username/password, he/she can click on an
> icon to get redirected to the original requested page.
>
> squid.conf (using version 2.7stable5) part:
>
> acl all src all
> acl freesites dstdomain login.mydomain.local
> acl AuthUsers proxy_auth REQUIRED
>
> http_access allow all
> # process redirector program between http_access and http_access2,
> # result depends on whether a username exists.
> http_access2 allow freesites
> http_access2 allow AuthUsers
> http_access2 deny all
>
> Problem is that this way the redirector program never gets any username
> passed although the user is asked for a user/pass.
>
> This works partially (username gets passed):
>
> http_access allow AuthUsers
> # -> process redirector program between http_access and http_access2
> http_access2 allow all
>
> But now I can't redirect to a nice welcome page before the
> username/password prompt...
>
>
> Please someone help.
>
> Many thanks.
>
> Philippe
>

You have a conceptual problem here.

What you are attempting to do is get the browser to authenticate against
the proxy by sending authentication details to a web server somewhere
else.

What you need instead is one of two captive portal solutions:

 1) authenticate against the proxy directly, no fuss.

  http_access allow freesites
  http_access deny !AuthUsers
  http_access allow AuthUsers
  http_access deny all

 2) use an external_acl_type helper to perform side-band authentication
based on IP using details gathered from the website login.

  external_acl_type foo ...
  acl AuthUsers external foo

  http_access allow freesites
  http_access allow AuthUsers
  deny_info http://login.mydomain.local all
  http_access deny all

(2) has cons in that it assumes you are able to create a working auth
scheme where experts often fail. Also that every visitor has a unique
IP/headers (no sharing, no NAT) and forgery is ignored.

Amos
Received on Sun Apr 26 2009 - 23:57:31 MDT
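An added illustration of the helper that option (2) above relies on; it is not code from the thread or from Squid itself. It assumes the `external_acl_type` line is configured with `%SRC` as its only format field, so each input line is just the client IP, and it looks that IP up in a session table the login site is assumed to fill in (here a constructed in-memory dict with an assumed one-hour TTL).

```python
#!/usr/bin/env python3
"""Side-band external_acl_type helper: reads one client IP per line on
stdin and prints "OK user=<name>" or "ERR" (Squid's helper protocol).
Session table and TTL are constructed assumptions for this example."""
import sys
import time

SESSION_TTL = 3600  # assumed: seconds a web login stays bound to one IP

# Constructed sample table: client IP -> (username, expiry in epoch seconds)
SESSIONS = {
    "192.0.2.10": ("philippe", time.time() + SESSION_TTL),  # still valid
    "192.0.2.11": ("alice", time.time() - 60),              # already expired
}


def login(ip, user, now=None, sessions=SESSIONS):
    """Record a successful web login for a client IP (the login site's job)."""
    now = time.time() if now is None else now
    sessions[ip] = (user, now + SESSION_TTL)


def check(line, now=None, sessions=SESSIONS):
    """Map one helper input line to a Squid reply.

    Only the first field is used (the %SRC address).  Expired entries are
    dropped on lookup so a reassigned DHCP/NAT address cannot inherit a
    stale login, which is the sharing/forgery caveat noted above.
    """
    now = time.time() if now is None else now
    fields = line.strip().split()
    if not fields:
        return "ERR"
    entry = sessions.get(fields[0])
    if entry is None:
        return "ERR"
    user, expiry = entry
    if expiry <= now:
        del sessions[fields[0]]
        return "ERR"
    return "OK user=%s" % user


def main():
    # Squid keeps the helper running and sends one lookup per line.
    for line in sys.stdin:
        sys.stdout.write(check(line) + "\n")
        sys.stdout.flush()  # unbuffered replies, or Squid stalls waiting


if __name__ == "__main__":
    main()
```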