Re: [squid-users] Squid Single Login Only

From: Serge Fonville <serge.fonville_at_gmail.com>
Date: Sat, 3 Sep 2011 15:09:41 +0200

Well,

Couple of questions:

How is separation done between the two proxies?
Why is it required that every faculty member has its own login on the proxy?
Is every user part of a domain of some sort?
How do you intend to enforce that the first logon with a specific
account is the one that is actually done by a faculty member?
Is the same logon used elsewhere?
Do faculty members have the same subnet as students?

Kind regards/met vriendelijke groet,
Serge Fonville
http://www.sergefonville.nl

Convince Google!!
They need to add GAL support on Android (star to agree)
http://code.google.com/p/android/issues/detail?id=4602

2011/9/3 rex_ray . <rex_ray_at_sify.com>:
> Hi,
>         Thanks again for your reply. I am in charge of a University
> Network providing internet access to students & faculties. Faculty
> users have their separate proxy without any content filtering.
> Students somehow get their password and use it to download and surf
> porn, thereby slowing the whole internet down (current setup allows
> multiple logins). Also they share these passwords with their friends.
> I inherited this setup from my predecessor in the middle of this
> month. I wanted to limit the login to a single IP only, and if that
> user closes his browser and tries to log in from another IP he should be
> able to log in. That's why I asked the questions.
>
>
>
>
> On Sat, Sep 3, 2011 at 6:09 PM, Serge Fonville <serge.fonville_at_gmail.com> wrote:
>> Hi,
>>
>> HTTP does not support any logout feature.
>>
>> 'Normally' sessions expire.
>> Which is what authenticate_ip_ttl is for.
>>
>> The only alternatives I can think of are to build some wrapping utility
>> around your browser (on all clients) or use SSO so when a session
>> invalidates it automatically revalidates.
>> With the latter you can set your TTL a lot lower.
>>
>> But it will require some additional testing to check if this does not
>> decrease the browsing experience.
>>
>> For a better answer, please add information as to your actual goal
>> (the bigger picture) and what 'problem' are you trying to solve that
>> requires only one session per user.
>>
>> HTH
>>
>> Kind regards/met vriendelijke groet,
>> Serge Fonville
>> http://www.sergefonville.nl
>>
>>
>>
>>
>> 2011/9/3 rex_ray . <rex_ray_at_sify.com>:
>>> Hi,
>>>         Thanks for your help. But I am a newbie when it comes to Squid.
>>> So could you please enlighten me on the following,
>>>
>>>> But there is no logout
>>>> So there is no way for squid to invalidate the session.
>>>
>>> Is it possible to have a logout procedure in Squid?
>>>
>>>
>>> On Sat, Sep 3, 2011 at 5:54 PM, Serge Fonville <serge.fonville_at_gmail.com> wrote:
>>>> Hi,
>>>> From what I understand...
>>>> You have a login procedure for your browser.
>>>> But there is no logout
>>>> So there is no way for squid to invalidate the session.
>>>> Kind regards/met vriendelijke groet,
>>>> Serge Fonville
>>>> http://www.sergefonville.nl
>>>>
>>>>
>>>>
>>>> 2011/9/3 rex_ray . <rex_ray_at_sify.com>
>>>>>
>>>>> I have the following doubt (or requirement) regarding Squid Proxy
>>>>> Authentication.
>>>>>
>>>>> 1. User should be able to browse from a single IP only, i.e. no
>>>>> concurrent logins. (Achieved this with the help
>>>>> of 'authenticate_ip_ttl' & 'max_user_ip' directives)
>>>>>
>>>>> 2. If that user closes his browser, he should be able to authenticate
>>>>> from a new IP or system. (I only get an 'Access Denied'
>>>>> message when attempting login from a new machine or IP which I guess
>>>>> results from the 'authenticate_ip_ttl' directive)
>>>>>
>>>>>  Can somebody point out what I am doing wrong here? Thanks in advance for your
>>>>> help.
>>>>>
>>>>> My 'squid.conf' authentication related parameters are as given below,
>>>>>
>>>>> auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w "ldapadminpass" -f "uid=%s" -h ldap.server
>>>>> auth_param basic children 5
>>>>> auth_param basic realm Squid proxy-caching web server
>>>>> auth_param basic credentialsttl 2 hours
>>>>> authenticate_ip_ttl 2 hours
>>>>> acl ip_limit max_user_ip -s 1
>>>>> acl ldapauth proxy_auth REQUIRED
>>>>> http_access deny ip_limit
>>>>> http_access allow ldapauth
>>>>> http_access deny all
>>>>
>>>>
>>>
>>
>
Received on Sat Sep 03 2011 - 13:10:09 MDT
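
The interaction discussed in this thread, as an added example that is not part of the original messages and is not Squid's own code: a simplified Python model of how `authenticate_ip_ttl` and `max_user_ip -s 1` decide whether a user may move to a new address. The class and function names, the sample user and addresses, and the rule that each request refreshes an address's timestamp are assumptions of the model.

```python
# Simplified model (an assumption, not Squid source code) of how
# authenticate_ip_ttl and "max_user_ip -s 1" interact in the thread's squid.conf.

class UserIpTable:
    def __init__(self, ip_ttl, max_ips=1):
        self.ip_ttl = ip_ttl      # authenticate_ip_ttl, in seconds
        self.max_ips = max_ips    # the number given to max_user_ip
        self.seen = {}            # user -> {ip: time of last request}

    def request(self, user, ip, now):
        """Return True if the request is allowed, False for Access Denied."""
        ips = self.seen.setdefault(user, {})
        # Forget addresses that have been idle for the whole TTL.
        for old in [a for a, t in ips.items() if now - t >= self.ip_ttl]:
            del ips[old]
        ips[ip] = now             # remember or refresh this address
        if len(ips) > self.max_ips:
            del ips[ip]           # strict mode (-s): drop the newcomer, deny
            return False
        return True


def replay(ip_ttl, events):
    """Run constructed (user, ip, seconds) events through a fresh table."""
    table = UserIpTable(ip_ttl)
    return [table.request(u, ip, t) for u, ip, t in events]


# Constructed sample traffic: the user browses from one machine, closes the
# browser after the request at t=600s, then tries a second machine.
EVENTS = [
    ("alice", "10.0.0.5", 0),
    ("alice", "10.0.0.5", 600),         # last request from the first machine
    ("alice", "10.0.0.9", 900),         # new machine, 5 minutes later
    ("alice", "10.0.0.9", 600 + 7200),  # new machine, 2 hours after last use
]

if __name__ == "__main__":
    for ttl in (7200, 60):
        print(f"authenticate_ip_ttl={ttl}s ->", replay(ttl, EVENTS))
```

With the 2 hour TTL from the posted configuration the move to a new machine is refused until the old address has been idle for the full TTL; a shorter TTL lets the user move sooner while two machines used at the same time are still limited to one.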
