[squid-users] Forceful Reauthentication
Amos Jeffries
squid3 at treenet.co.nz
Thu Nov 13 04:39:17 UTC 2014
On 13/11/2014 8:27 a.m., santosh wrote:
> Hello Team,
>
> I'm trying to reauthenticate the user once he visits google as per
> this url https://workaround.org/squid-acls but it doesn't seem to
> reprompt the credentials when I access google, below are my rules
> let me know where I'm going wrong
The Tutorial is flat wrong.
>
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> #contains acl to block sites
> acl bad_url url_regex "/etc/squid3/badsites.conf"
>
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -b "dc=example,dc=com" -f "uid=%s" -h example.com
> acl ldapauth proxy_auth REQUIRED
> acl reauth dstdomain .google.co.in
> http_access deny bad_url
> http_access allow ldapauth
The above line says that if they authenticate they are in. No matter what.
The following line will never be tested.
> http_access deny reauth ldapauth
> http_access deny all
>
Let's go back to the Squid FAQ, which that tutorial apparently was
trying to re-write ...
<wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F>
It lists a particular sequence of ACL tests:
1. http_access deny google !google_users
2. http_access allow my_auth
3. http_access deny all
line 1 tests for google and requires authentication challenge if they
are a) un-authenticated, or b) using "wrong" user accounts.
line 2 checks authentication and allows anyone who can login with
*any* credentials. Unauthenticated users will be challenged.
line 3 rejects anyone who cannot login at all.
Order Is Important.
Amos
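
Added example, not part of the original message and not Squid code: a simplified Python model of first-match http_access evaluation, comparing the rule order in the posted config with the FAQ order. The account names, the GOOGLE_USERS set and the request dictionaries are constructed, google_users is assumed to be a proxy_auth ACL listing specific accounts, and the bad_url rule is left out.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Rules are tested top to bottom; the first rule whose ACLs all match decides.

GOOGLE_USERS = {"alice"}  # constructed: accounts accepted for Google

def google(req):          # acl google dstdomain .google.co.in
    return ("." + req["host"]).endswith(".google.co.in")

def my_auth(req):         # acl my_auth proxy_auth REQUIRED
    return req["user"] is not None

def google_users(req):    # assumed: acl google_users proxy_auth <listed accounts>
    return req["user"] in GOOGLE_USERS

def everyone(req):        # acl all
    return True

AUTH_ACLS = {my_auth, google_users}

def evaluate(rules, req):
    """Return 'allow', 'deny' or 'challenge' (HTTP 407) for one request."""
    for action, acls in rules:
        matched = True
        for acl, negated in acls:
            if acl in AUTH_ACLS and req["user"] is None:
                return "challenge"   # auth ACL reached without credentials
            if acl(req) == negated:
                matched = False
                break
        if matched:
            # A deny whose last ACL is an auth ACL re-prompts instead of blocking.
            if action == "deny" and acls[-1][0] in AUTH_ACLS:
                return "challenge"
            return action
    return "deny"  # not reached here: both rule sets end in "deny all"

# Order from the posted config (bad_url rule omitted).
POSTED = [("allow", [(my_auth, False)]),
          ("deny", [(google, False), (my_auth, False)]),
          ("deny", [(everyone, False)])]

# Order from the Squid FAQ.
FAQ = [("deny", [(google, False), (google_users, True)]),
       ("allow", [(my_auth, False)]),
       ("deny", [(everyone, False)])]

bob_google = {"host": "www.google.co.in", "user": "bob"}       # constructed
alice_google = {"host": "www.google.co.in", "user": "alice"}   # constructed
bob_other = {"host": "example.org", "user": "bob"}             # constructed
```

With the posted order, evaluate(POSTED, bob_google) returns "allow" because the first rule already matched; with the FAQ order the same request returns "challenge".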