[squid-users] different authentication for different ports

Paul Hackmann phackmann at gmail.com
Tue Nov 21 17:08:35 UTC 2017


Amos,

That was exactly what I was looking for.  I tried it and it seems to work
just like I wanted.  My other alternative would have been to run 2 copies
of squid, but this is much cleaner from my perspective.  Thank you very
much!

PH

On Mon, Nov 20, 2017 at 9:13 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 21/11/17 06:56, Paul Hackmann wrote:
>
>> Amos,
>>
>> If the website that is being asked for is not in the whitelist, won't it
>> fall through and ask for authentication?  That is how it seems to work to
>> me.  That's why I am thinking I need 2 different ports or something to do
>> what I want.
>>
>
> You do need two different ports regardless of the http_access rules. One
> for the forward/explicit proxy traffic and one for the intercept/tproxy
> traffic. The TCP IP:port details for each of those "modes" is given in
> completely different ways and the HTTP message syntax is also different so
> the *cannot* be delivered to the same ports.
>
>
> A whitelist generally is formed from two lines, one allowing and one
> denying everything else.
>
> If 'everything else' is defined as just the stuff arriving in one specific
> port you get this:
>
>  http_port 3128
>  http_port 3129 intercept
>
>  acl portX myportname 3129
>
>  http_access allow portX whitelist
>  http_access deny portX
>
>  http_access deny !login
>  ...
>
> Amos
>
>
>
>> PH
>>
>>
>> On Mon, Nov 20, 2017 at 11:38 AM, Amos Jeffries <squid3 at treenet.co.nz
>> <mailto:squid3 at treenet.co.nz>> wrote:
>>
>>     On 21/11/17 05:02, Paul Hackmann wrote:
>>
>>         Hi all.  I've got a fairly basic squid config set up on linux.
>>      I have basic authentication set up on it to the default 3128
>>         port, and it works just fine.  I would like to keep this
>>         configuration.  However, I would like to set up another port
>>         that only allows a certain whitelist of websites that doesn't
>>         require or ask for authentication.  I want to set this up for
>>         certain apps that don't have proxy settings built into them.  I
>>         want windows to be able to connect to some sites, but not
>>         everything and if it can't reach the site, I don't want it to
>>         ask for credentials.  With my current configuration, it asks for
>>         credentials for any app that is trying to connect to a
>>         non-whitelisted website.  Is this configuration possible and do
>>         you have an example?  Sorry if this has been answered before, I
>>         am very green to squid yet.
>>
>>
>>     Simply place the http_access rules for handling that traffic above
>>     the first line which requires authentication.
>>
>>        http_access ... lines that dont require auth.
>>
>>        acl login proxy_auth REQUIRED
>>        http_access deny !login
>>
>>        http_access ... rules for authenticated users.
>>
>>
>>     Amos
>>     _______________________________________________
>>     squid-users mailing list
>>     squid-users at lists.squid-cache.org
>>     <mailto:squid-users at lists.squid-cache.org>
>>     http://lists.squid-cache.org/listinfo/squid-users
>>     <http://lists.squid-cache.org/listinfo/squid-users>
>>
>>
>>
>>
>> --
>> Paul Hackmann
>> Sims TV/Haven Electronics
>> 121 N. Vine St.
>> West Union, IA. 52175
>> 563-422-5751 <tel:(563)%20422-5751>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 
Paul Hackmann
Sims TV/Haven Electronics
121 N. Vine St.
West Union, IA. 52175
563-422-5751
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20171121/252c9f0e/attachment.html>


More information about the squid-users mailing list