RE: [squid-users] redirecting unauthenticated users

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 28 Apr 2009 13:05:57 +1200 (NZST)

> Hi Amos,
>
> Thanks very very much for your help. I'm not really trying to authenticate
> to an external web site, only Squid is involved.
>
> What I'm trying to do is:
>
> 1 http_access allow all
> # redirector program
> 2 http_access2 allow freesites
> 3 http_access2 allow AuthUsers
> 4 http_access2 deny all
>
> - User opens browser. (no auth yet)
> - Homepage tries to load, redirector sees no username => redirect to
> welcome
> page (+ link to google), allowed by acl 2
> - User clicks on the external link => not in acl 2, but allowed by acl 3
> =>
> Squid asks for auth
> - User enters user+pass in browser (proxy-auth), validated by Squid. Squid
> has now a valid username and password.
>
> So far, so good. This all works fine.
> - now every next page should pass the redirector as this
>
> Problem:
> Due to acl 1, Squid doesn't pass a username to the rewriter program and
> even
> after a successful auth, the redirector keeps redirecting to the welcome
> page due to the missing username.
> If I put acl 3 before the redirector, Squid nicely sends the username with
> the requested url.
>
>
> Can this be resolved?

Yes. By using the right settings in the right way.

 * URL-rewriter only needs the URL. So that is all Squid guarantees it.
 * Other details may or may not exist based on whether squid has any
reason to require their use beforehand.
 * http_access2 _after_ the re-writer is the first place squid needs the
login details. They are fetched at that point.

Drop the redirector and http_access2 entirely and use this:

 acl noAuth src all
 acl AuthUsers proxy_auth REQUIRED

 http_access allow freesites
 http_access allow AuthUsers
 deny_info http://login.mydomain.local/?referer=%s noAuth
 http_access deny !AuthUsers noAuth
 http_access deny all

What that does is allow freesites and authenticated users through
immediately.
For non-authenticated users it redirects them to the login page at
http://login.mydomain.local/ with a query parameter 'referer' containing
the original URL requested.

Amos

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Monday, April 27, 2009 02:58
> To: Philippe Boeij
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] redirecting unauthenticated users
>
>>
>> Hi,
>>
>> I have a question. I'd like to have squid configured for the following:
>>
>> - User opens browser (with squid proxy configured) and gets redirected
>> to a login page
>> - The browser prompts for a proxy username/password.
>> - if the user provided a good username/password, he/she can click on
>> an icon to get redirected to the original requested page.
>>
>> squid.conf (using version 2.7stable5) part:
>>
>> acl all src all
>> acl freesites dstdomain login.mydomain.local
>> acl AuthUsers proxy_auth REQUIRED
>>
>> http_access allow all
>> # process redirector program between http_access and
>> http_access2,
>> # result depends on whether a username exists.
>> http_access2 allow freesites
>> http_access2 allow AuthUsers
>> http_access2 deny all
>>
>> Problem is that this way the redirector program never gets any
>> username passed although the user is asked for a user/pass.
>>
>> This works partially (username gets passed):
>>
>> http_access allow AuthUsers
>> # -> process redirector program between http_access and http_access2
>> http_access2 allow all
>>
>> But now I can't redirect to a nice welcome page before the
>> username/password prompt...
>>
>>
>> Please someone help.
>>
>> Many thanks.
>>
>> Philippe
>>
>
> You have a conceptual problem here.
>
> What you are attempting to do is get the browser to authenticate against
> the
> proxy by sending authentication details to a web server somewhere else.
>
> What you need instead is one of two captive portal solutions:
>
> 1) authenticate against the proxy directly, no fuss.
>
> http_access allow freesites
> http_access deny !AuthUsers
> http_access deny all
>
>
> 2) use an external_acl_type helper to perform side-band authentication
> based on IP using details gathered from the website login.
>
> external_acl_type foo ...
> acl AuthUsers external foo
>
> http_access allow freesites
> http_access allow AuthUsers
> deny_info http://login.mydomain.local all
> http_access deny all
>
>
> (2) has cons in that it assumes you are able to create a working auth
> scheme
> where experts often fail. Also that every visitor has a unique IP/headers
> (no sharing, no NAT) and forgery is ignored.
>
> Amos
>
>
>
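Added example, not a config from anyone in this thread: a complete squid.conf fragment for the 2.7 flow Philippe described, built on Amos's second config (deny_info redirect for unauthenticated users) plus his option (1) (a plain `deny !AuthUsers` to get the 407 prompt). The two are combined because Squid chooses between a 407 challenge and a deny_info response by the last ACL that decided the denial: a proxy_auth ACL in that position produces the challenge, any other ACL produces the deny_info page or 302. In Amos's fragment that last ACL is always `noAuth`, so the browser is redirected but never prompted; the extra line below puts `AuthUsers` last on one deny line so that a single URL on the welcome site triggers the prompt. The helper path, passwd file, realm and the `/login` path the welcome page links to are assumptions for illustration.

```squid
# Added example (not from the thread). Assumed: ncsa_auth helper location,
# passwd file, realm text, and that the welcome page at
# http://login.mydomain.local/ links to http://login.mydomain.local/login
# as its "log in" button.

auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
auth_param basic children 5
auth_param basic realm Proxy login
auth_param basic credentialsttl 2 hours

acl all src all
acl AuthUsers proxy_auth REQUIRED
acl freesites dstdomain login.mydomain.local
# The one path on the welcome site that must force the credential prompt.
acl loginTrigger urlpath_regex ^/login
acl noAuth src all

# 1. Unauthenticated request for the trigger URL: AuthUsers is the LAST ACL
#    on this matching deny line, so Squid answers 407 and the browser
#    prompts. Once the browser resends with credentials, !AuthUsers no
#    longer matches and evaluation falls through to rule 2.
http_access deny freesites loginTrigger !AuthUsers

# 2. The welcome/login site itself is reachable without credentials.
http_access allow freesites

# 3. Authenticated users go straight through.
http_access allow AuthUsers

# 4. Everyone else: noAuth is the last ACL on the line, so instead of a 407
#    the browser gets a 302 to the welcome page, with %s replaced by the
#    URL that was originally requested.
deny_info http://login.mydomain.local/?referer=%s noAuth
http_access deny !AuthUsers noAuth
http_access deny all
```

Rule 1 has to sit above `allow freesites`, otherwise the trigger URL is allowed without ever evaluating `AuthUsers` and the user can only loop between the welcome page and the 302. The welcome page's `/login` handler, once it is reached by an authenticated browser, sends the user back to the `referer` value; treat that value as untrusted input and only redirect to http/https URLs you are willing to send users to, since the welcome page otherwise becomes an open redirector for anything a visitor puts in the query string.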
Received on Tue Apr 28 2009 - 00:05:54 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 28 2009 - 12:00:02 MDT