[squid-users] Authentification LDAP Exception for IP adresse
Jérôme Seuniac
jseuniac at gmail.com
Fri Feb 26 09:07:12 UTC 2016
Hi,
I’m Jerome and I’m a novice with Squid.
With the documentation and the FAQ, I managed to set up LDAP authentication.
Now I want to create an exception for 2 IP addresses.
I searched the FAQ, but I don’t understand how to do this.
This is my squid.conf:
# Squid proxy configuration as posted: LDAP/AD basic authentication, an AD
# group check, squidGuard URL rewriting and ICAP (squidclamav) scanning.
# NOTE(review): several long directives below are split over two or three
# lines, presumably by mail line-wrapping; in a real squid.conf each directive
# has to be one logical line.
# Proxy hostname
visible_hostname proxy_dsi
# Listening port
# NOTE(review): basic authentication sends the user's AD password only
# base64-encoded on the client-to-proxy hop; on a plain http_port it is
# readable by anyone who can capture that traffic.
http_port 8080
# LDAP authentication
# basic_ldap_auth binds to the directory as the -D account and looks the user
# up with the -f filter (%s is replaced by the login name).
# NOTE(review): the bind password is given inline with -w, so it sits in
# cleartext in squid.conf and on the helper's command line. Both LDAP helpers
# accept -W <secretfile> to read it from a file with restricted permissions.
# Because this configuration was posted to a public list, the bind passwords
# shown here and in the group helper below should be treated as exposed and
# rotated.
# NOTE(review): only -h <host> is given, with no -Z (StartTLS) and no ldaps://
# URI via -H, so the bind and the user passwords presumably cross the network
# to the directory unencrypted -- confirm.
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "XXXXX"
-D "CN=XXXi,OU=XXXX,OU=XXXX,OU=XXX,DC=XXX,DC=XXXX,DC=XXX" -w "SQUID42"
-f sAMAccountName=%s -h 192.168.1.11
auth_param basic children 30
auth_param basic realm Merci de saisir vos identifiants AD6
# Validated credentials are cached for this long before the helper is asked
# again, so a disabled account or a changed password may still be accepted by
# the proxy for up to an hour.
auth_param basic credentialsttl 1 hours
# AD group membership lookup
# External ACL helper: %LOGIN passes the authenticated user name, which is
# substituted for %v in the -f filter.
# NOTE(review): same remarks as for the authentication helper -- inline -w
# password (prefer -W <secretfile>) and no TLS option visible. The full bind
# DN and directory layout are also disclosed here.
# NOTE(review): the filter hard-codes the group r06_gl_ProxyDSI and contains
# no group placeholder (%g / %a), so the group name given on the acl lines
# below presumably has no effect on the lookup -- confirm.
# NOTE(review): this helper targets a different host (-h) than the
# authentication helper above; confirm that is intended.
external_acl_type ldap_group %LOGIN /usr/lib/squid3/ext_ldap_group_acl
-R -b "DC=R06,DC=AN,DC=CNAV" -D
"CN=proxydsi,OU=InfraReseaux,OU=_ComptesTechniques,OU=_UtilisateursSpecifiques,OU=_Administration,OU=_06-Lyon,DC=R06,DC=AN,DC=CNAV"
-w "5quid4DSI@" -f "(&(objectclass=person)
(sAMAccountname=%v)(memberof=CN=r06_gl_ProxyDSI,OU=InfraReseaux,OU=DSI,OU=_AccesApplications,OU=_RessourcesRegionales,OU=_Groupes,OU=_Administration,OU=_06-Lyon,DC=R06,DC=AN,DC=CNAV))"
-h 50.50.99.11
# This is invoked like a function: acl ACL_NAME external
# NOTE(review): the next line looks like the wrapped tail of the comment above
# (ldap_group <name of the group to look up>); without a leading '#' Squid
# would try to parse it as a directive.
ldap_group Le_Nom_Du_Groupe_A_chercher
# AD_USER is defined here but not referenced by any http_access rule in the
# part shown.
acl AD_USER external ldap_group r06_gl_ProxyDSI
# Matches any request that carries valid proxy credentials.
acl ldap-auth proxy_auth REQUIRED
acl ldap-group external ldap_group PROXY_ALLOWED
# http_access rules are evaluated top to bottom and the first match decides.
# The two deny rules reject users outside the group and unauthenticated
# requests; everything else is then allowed.
# NOTE(review): for the requested exception, a src ACL with an allow rule
# would have to come BEFORE the first deny below, e.g. (constructed example,
# placeholder addresses):
#   acl no_auth_hosts src <ADDRESS_1> <ADDRESS_2>
#   http_access allow no_auth_hosts
# Such hosts skip authentication and the group check entirely, their requests
# carry no user name for the logs, squidGuard or ICAP, and a source address is
# not an identity: whoever can use that address gets unauthenticated access.
# Consider narrowing the exception further, for example by destination.
# NOTE(review): "allow all" makes every later restriction moot. The port and
# network ACLs defined further down are never referenced, and the usual
# "deny !Safe_ports" / "deny CONNECT !SSL_ports" guards from the default
# configuration are absent in the part shown, so authenticated group members
# can reach any port and CONNECT to any destination.
http_access deny !ldap-group
http_access deny !ldap-auth
http_access allow all
# Allowed network
# Defined but not used by any http_access rule shown.
acl VLan_etage src 192.168.1.0/24
# Allowed ports
# Defined but not used by any http_access rule shown. If this list is wired
# into http_access later, note that it includes mail ports (25, 110, 143);
# CONNECT should stay limited to SSL_ports.
acl SSL_ports port 443
acl ports_ouverts port 80
acl ports_ouverts port 443
acl ports_ouverts port 21
acl ports_ouverts port 25
acl ports_ouverts port 110
acl ports_ouverts port 143
acl ports_ouverts port 5074
acl ports_ouverts port 7016
acl ports_ouverts port 8010
acl CONNECT method CONNECT
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# squidGuard redirection
# Each request URL is handed to squidGuard, which applies the filtering rules
# from its own configuration file.
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
redirect_children 50
# Configuration for sending the client IP address and user name to c-icap
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
# This part defines how c-icap is used
# Requests (reqmod) and responses (respmod) are both sent to the local
# squidclamav service.
# NOTE(review): bypass=1 marks the service as optional: if c-icap is down or
# failing, Squid forwards the traffic unscanned (fail-open). Use bypass=0 if
# antivirus scanning must be enforced.
icap_service service_req reqmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1
icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
cache_mem 1333 MB
minimum_object_size 3 KB
maximum_object_size 2000 MB
# Log locations. With authentication enabled the access log records user
# names, so access to these files should be restricted accordingly.
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
# Information disclosed in HTTP headers
# With "off" Squid sends "X-Forwarded-For: unknown" instead of the client's
# internal address.
forwarded_for off
--
Cordialement,
Seuniac Jérôme.