[squid-users] authorized by pcname

Amos Jeffries squid3 at treenet.co.nz
Sun Dec 13 10:15:14 UTC 2020


On 13/12/20 10:44 pm, sampei02 wrote:
> Thanks for your suggestions.
> 1. In this way I should move the problem to another level, that is the DHCP server.
> 2. My DHCP server already updates the local DNS, that is Active Directory, but Squid cannot point to this local Microsoft DNS because it’s using an external DNS. I have two DNS servers: Microsoft DNS (AD) to resolve intranet addresses and Linux DNS (public network) to resolve Internet addresses. Squid uses the latter DNS.

Your recursive resolver (the Linux DNS) should be configured to forward 
queries about the local network IP range(s) used by DHCP to the 
Microsoft DNS resolver.

Squid should make its queries to the Linux one and get the necessary 
information back about the clients.


> 
> When a client requests a URL from Squid, is there a way to capture the “client name” and check it against an ACL? Is there a trusted application to integrate into Squid to do it?
> 

That depends on what type of name you are looking for and what protocols 
are available. Humans like to apply names to things and each protocol 
has its own version of one, so the situation gets complicated and messy.

As mentioned already if you can avoid having things depend on "machine 
name" it will help simplify the situation a lot.

Squid should be able to identify the IP ranges that are used by internal 
clients vs others. It can make simple denials based on the IP range.



As a last resort, there is no need to make the policy decision directly 
in squid.conf. You can have an external ACL helper that gets passed some 
details from Squid and tells Squid what to do. That helper could be 
given the URL and client IP - do a lookup in *both* DNS resolvers and 
pass back to Squid whether it is to be allowed (OK) or not (ERR).


Amos
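
A sketch of the external ACL helper described in the reply above, added here as an example; it is not code from the original post or from the Squid project. The resolver addresses, host names, helper path and ACL names are constructed placeholders, and it assumes the `dig` utility is installed on the Squid host.

```python
#!/usr/bin/env python3
"""Squid external ACL helper sketch: allow by client PC name from a PTR lookup.
Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type pcname ttl=60 %SRC %URI /usr/local/bin/pcname_helper.py
  acl allowed_pc external pcname
  http_access allow allowed_pc
"""
import ipaddress
import subprocess
import sys

# Constructed placeholders: the AD DNS first, then the public-facing Linux DNS.
RESOLVERS = ["192.0.2.10", "192.0.2.53"]
ALLOWED_NAMES = {"pc-accounts-01.example.internal", "pc-lab-07.example.internal"}


def ptr_lookup(ip, server):
    """Ask one specific resolver for the PTR name of ip; None if no answer."""
    try:
        out = subprocess.run(
            ["dig", "+short", "+time=2", "+tries=1", "-x", ip, "@" + server],
            capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    # dig prints diagnostics such as timeouts as ';;' lines; skip those.
    names = [l.strip().rstrip(".").lower() for l in out.splitlines()
             if l.strip() and not l.startswith(";")]
    return names[0] if names else None


def decide(line, lookup=ptr_lookup, resolvers=RESOLVERS, allowed=ALLOWED_NAMES):
    """Return 'OK' or 'ERR' for one '<client-ip> <url>' request line from Squid."""
    fields = line.split()  # fields[1] is the URL, unused in this name-only policy
    if len(fields) != 2:
        return "ERR"  # malformed input: fail closed
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"
    for server in resolvers:  # query both resolvers, first answer wins
        name = lookup(ip, server)
        if name is not None:
            return "OK" if name in allowed else "ERR"
    return "ERR"  # neither resolver knows this client


if __name__ == "__main__":
    for request in sys.stdin:  # Squid sends one request per line
        sys.stdout.write(decide(request) + "\n")
        sys.stdout.flush()  # Squid waits for each reply
```

PTR names registered through DHCP dynamic updates are chosen by the client, so a decision made this way is only as trustworthy as the DHCP and DNS update controls behind it.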

