[squid-users] Squid to ask for, but not require, authentication.

Graham gcsquid-users at crowie.net
Mon Jun 22 11:56:18 UTC 2015


Thanks for the reply.

I monitored the data between dansguardian and squid and there is 
basically nothing there. Dansguardian seems to only pass on the URL in 
its default config - and strips out everything else, including the 
User-Agent header.

I had a read and found that I can turn on the X-Forwarded-For headers in 
DansGuardian with the following two lines:

    forwardedfor = on
    usexforwardedfor = on

I was then able to see the client's IP in the TCP stream between 
DansGuardian and Squid.

Then, in squid.conf, I added the following two lines (I suspect that the 
second one is not needed):

    follow_x_forwarded_for allow localhost
    acl_uses_indirect_client on

And then all ACL queries used the original client address, rather than 
the DansGuardian proxy address. This made all my rules work (and has 
enabled a few other things, such as logging in Squid that tells me the 
client's IP address correctly).

So, all is working now. Thank you for pointing me at the HTTP headers, 
it was exactly where I needed to look.


Thanks

GC



On 21/06/2015 10:35 PM, Amos Jeffries wrote:
> On 22/06/2015 12:24 a.m., Graham wrote:
>> I am looking for a way to configure Squid to ask for (and check)
>> authentication using LDAP, but to proceed if there is no auth
>> information provided.
> Not possible. The process of asking for auth sends a reply to the client
> request. Once that happens there is nothing further possible.
>
> You can check for auth and continue if it's missing, but when doing so
> cannot ask the client to send any credentials. A secure client will not
> send credentials unless asked...
>
>> I have been using DansGuardian for a while with Squid authenticating and
>> then getting DansGuardian to filter based on the username that Squid has
>> authenticated. The browsers talk directly to DansGuardian, which talks
>> to Squid, which does the work over the 'net.
>>
>> I am now trying to add an android device - which has some apps that
>> don't ask the user for a login/password (although they do talk to the
>> proxy) and therefore they fail to connect with a 407 error. I have
>> modified DansGuardian to allow just this one IP to work without
>> authentication, but Squid requires the auth and denies the requests. If
>> I make Squid more permissive (remove the auth config) then DansGuardian
>> works with that IP address, but will then block all other IP addresses
>> as Squid hasn't authenticated anyone. Note that I can't do IP
>> authentication from Squid because all requests come from the
>> DansGuardian IP (which happens to be localhost) and it can't tell which
>> ones to authenticate and which to allow.
> You should be able to use something like the User-Agent header
> ("browser" regex ACL type) to bypass the auth requirement on a
> per-request basis. This has to be done for many Java applications, for
> example.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
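
Added example, not part of the original thread and not Squid's own code: a simplified Python model of how `follow_x_forwarded_for` backtracks through X-Forwarded-For, showing why limiting trust to localhost (DansGuardian) matters once `src` ACLs decide who skips authentication. All addresses are constructed, and DansGuardian appending the real client address after any client-supplied entry is an assumption.

```python
import ipaddress

def indirect_client(peer, xff, trusted):
    """Simplified model of follow_x_forwarded_for backtracking.

    peer    - address of the TCP connection Squid accepted
    xff     - X-Forwarded-For header value, or "" if absent
    trusted - CIDR list standing in for 'follow_x_forwarded_for allow ...'
    """
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client = peer
    # Walk the header right to left, but only while the sender of the
    # entry being read is itself trusted to report who it heard from.
    while hops and is_trusted(client):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # assumption of this model: stop at a malformed entry
        client = candidate
    return client

# Constructed addresses: DansGuardian on 127.0.0.1, a real client on
# 192.168.1.77, and 192.168.1.50 as the device exempted from auth.
LOCALHOST_ONLY = ["127.0.0.1/32"]  # stands in for 'allow localhost'
TRUST_ALL = ["0.0.0.0/0"]          # what 'allow all' would amount to
FORGED = "192.168.1.50, 192.168.1.77"  # client-supplied entry, then real IP

if __name__ == "__main__":
    print(indirect_client("127.0.0.1", "192.168.1.77", LOCALHOST_ONLY))
    print(indirect_client("127.0.0.1", FORGED, LOCALHOST_ONLY))
    print(indirect_client("127.0.0.1", FORGED, TRUST_ALL))
    print(indirect_client("192.168.1.77", "192.168.1.50", LOCALHOST_ONLY))
```

With the localhost-only trust list the client-supplied entry is ignored and ACLs see 192.168.1.77; only the trust-all list resolves to 192.168.1.50.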


