Re: [squid-users] Problem with transparent authentication and restricted pages

From: Gonzalo Morera <gmorera_at_novell.com>
Date: Tue, 01 Feb 2011 08:50:27 +0000

Thanks Amos

I'm pretty new to squid and trying to catch up as fast as I can, but still some of your statements are difficult for me to understand.

What I posted are all the http rules I've got. Everything works fine, except for this little issue with the IPUser.
When a user with the Novell client tries to access a page and it is not restricted, it is authenticated transparently and the page is displayed. When a user with no Novell client requests a page, the browser presents the auth page and after entering username/pass, the page is served or denied. Up to here it is fine.
Now the remaining issue is when an IPUser requests a banned page: instead of getting the deny message, it gets the auth page to introduce username/password. This is what I want to change, just send the forbidden.
I've tried Chad's suggestion but I still can not make it work. This is how my squid.conf looks.

auth_param basic program /usr/sbin/squid_ldap_auth -Z -D cn=xxxx,o=laboratorio -w xxxx -b o=laboratorio -s sub -f "(&(objectclass=User)(cn=%s))" -h 192.168.0.205 -p 389
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

#
external_acl_type IPUser ttl=7200 %SRC /etc/squid/squid_edir_iplookup.pl
#
external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -Z -D "cn=xxxx,o=laboratorio" -w "xxxx" -b "o=laboratorio" -s sub -f "(&(objectClass=Person)(cn=%u)(groupMembership=cn=%g,ou=servicios,ou=gye,o=laboratorio))" -h 192.168.0.205 -p 389

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl Auth_Not_Required src "/etc/squid/auth_not_required.txt"

# Domains accessible to all PC's

acl Open_Domains url_regex -i "/etc/squid/open_domains.txt"

# Hosts & domains that are denied to restricted users

acl Banned_URLs url_regex -i "/etc/squid/banned_urls.txt"

# Seemless automatic access based on IP address
# Access through the "IP User" external helper
acl Full_Access external IPUser internet_nr
acl Restricted_Access external IPUser internet_r

# Access to users prompted with username/password dialogue
# Full access
acl lab_Full external ldap_group internet_nr

# Restricted access
acl lab_Restricted external ldap_group internet_r

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# Domains free to all users without needing to authenticate.
http_access allow Open_Domains
# IP addresses of hosts that don't need to authenticate (usually automation hosts performing automated downloads and without a Novell client).
http_access allow Auth_Not_Required
# Let users with full Internet access discovered by the IPUser method go anywhere.
http_access allow Full_Access

# Let users with restricted Internet access discovered by the IPUser method go anywhere except for the ban list
http_access allow Restricted_Access !Banned_URLs

# If the IPUser method fails then we need to revert to username/password authentication
# Let users with full access who entered username/password go anywhere
http_access allow lab_Full
# Ban list again
http_access deny Banned_URLs

# Let users with restricted access who entered username/password go anywhere (that hasn't been already excluded in the ban list).
http_access allow lab_Restricted
#
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all

# and finally allow by default
http_reply_access allow all

I'm sure I'm doing something wrong and probably rearranging the rule order may help, I just can not figure out how. I'm still learning how control rules are implemented in squid.

Thanks a lot for any help you may provide

Gonzalo
 
>>> Amos Jeffries <squid3_at_treenet.co.nz> 1/2/2011 12:40 AM >>>

You have presented the settings for IPUser ACL but have omitted the ones
for ldap_group ACL. I suspect you have cut-n-pasted one of the common
examples for group lookup which rely on full client credentials
authentication.

Note that external ACL does not produce full-blown authentication
credentials (yet). So they are not used for %LOGIN group checking. You need
to use %EXT_USER instead and you do not have access to the external ACL
password.

Check this, but I expect you may find that the way you have defined the
IPUser ACL lines the helper gets passed "<src-IP> <group-name>" so you can
do the full check in one step in the handler script with a single
allow/block result.

Amos
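As an added illustration (not code from this thread, from Squid, or from either poster), the following Python model plays through Squid's top-to-bottom, first-match http_access evaluation over the rule order posted above, using constructed stand-ins for the IPUser and ldap_group helpers. The extra deny line it compares against, placed before the first %LOGIN-based ACL, is an assumed reordering, not something either poster wrote; all function and table names are hypothetical.

```python
# Model of Squid http_access evaluation: first line whose ACLs all match decides;
# a %LOGIN-based ACL reached without credentials makes Squid challenge instead.
NEEDS_AUTH = object()   # sentinel: ACL cannot be evaluated without a login

IPUSER = {"192.168.0.10": "internet_nr", "192.168.0.11": "internet_r"}  # constructed
LDAP_GROUP = {"alice": "internet_nr", "bob": "internet_r"}               # constructed
BANNED = ("banned.example",)                                              # constructed
OPEN = ("open.example",)                                                  # constructed

def acl(name, req):
    """True/False for a match, or NEEDS_AUTH for a %LOGIN ACL with no credentials."""
    if name == "Open_Domains":
        return any(d in req["url"] for d in OPEN)
    if name == "Banned_URLs":
        return any(b in req["url"] for b in BANNED)
    if name == "Full_Access":          # external IPUser, keyed on %SRC only
        return IPUSER.get(req["src"]) == "internet_nr"
    if name == "Restricted_Access":
        return IPUSER.get(req["src"]) == "internet_r"
    if name in ("lab_Full", "lab_Restricted"):   # external ldap_group, needs %LOGIN
        if req["login"] is None:
            return NEEDS_AUTH
        want = "internet_nr" if name == "lab_Full" else "internet_r"
        return LDAP_GROUP.get(req["login"]) == want
    return name == "all"               # 'all' matches everything; unknown ACLs never match

def http_access(rules, req):
    """Return 'allow', 'deny' or 'challenge' for req under the given rule list."""
    for action, *acls in rules:
        for a in acls:
            negate = a.startswith("!")
            r = acl(a.lstrip("!"), req)
            if r is NEEDS_AUTH:
                return "challenge"       # Squid sends a 407 to collect credentials
            if bool(r) == negate:        # this ACL fails, so the whole line fails
                break
        else:
            return action                # every ACL on the line matched
    return "deny"

# The thread's http_access order (manager/port/localhost lines omitted) ...
ORIGINAL = [("allow", "Open_Domains"), ("allow", "Full_Access"),
            ("allow", "Restricted_Access", "!Banned_URLs"), ("allow", "lab_Full"),
            ("deny", "Banned_URLs"), ("allow", "lab_Restricted"), ("deny", "all")]
# ... and the same list with an explicit deny for IP-identified restricted users
# placed before the first %LOGIN ACL (an assumed fix, not from the thread).
REORDERED = ORIGINAL[:3] + [("deny", "Restricted_Access", "Banned_URLs")] + ORIGINAL[3:]
```

With ORIGINAL, a restricted IP-identified client asking for a banned URL falls through to `allow lab_Full` and gets a challenge; with REORDERED it is denied before any %LOGIN ACL is consulted, while username/password users still see the same outcomes as before.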
Received on Tue Feb 01 2011 - 08:50:36 MST