<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<b><br>
</b><b><span style="color:black" lang="EN-US">"Access to google
maps(<a moz-do-not-send="true"
href="https://www.google.com/maps">https://www.google.com/maps</a>)
should prevent any authentication need"</span></b><br>
<br>
I could understand that all users should be able to access the
google maps link without any authentication. For this you could add
the site acl before the authentication part in the squid conf. So
that users will not prompt for the authentication when the user try
to access the google map site. But when they try to access any other
site authentication will be prompted.<br>
<br>
(i.e)<br>
<span style="color:black" lang="EN-US">acl
GoogleMaps url_regex -i
^<a class="moz-txt-link-freetext" href="https://www.google.com/maps*">https://www.google.com/maps*</a>.<br>
acl allow </span><span style="color:black" lang="EN-US">GoogleMaps</span>
all<br>
<br>
<p class="MsoNormal"><span style="color:black" lang="EN-US">
auth_param basic children 5<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">
auth_param basic realm Welcome to Our Website!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">
auth_param basic program /usr/lib64/squid/basic_ncsa_auth
/etc/squid/squid_user<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">
auth_param basic credentialsttl 2 hours<o:p></o:p></span></p>
<span style="color:black" lang="EN-US"> auth_param basic
casesensitive off</span> <br>
<br>
....<br>
....<br>
<br>
I am not clear about the remaining part of the content.<br>
<br>
Regards,<br>
ViSolve Squid<br>
<br>
<div class="moz-cite-prefix">On 11/07/2014 08:55 AM, <a class="moz-txt-link-abbreviated" href="mailto:squid@icshk.com">squid@icshk.com</a>
wrote:<br>
</div>
<blockquote cite="mid:002901cffa3a$7f1eb600$7d5c2200$@icshk.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:\65B0\7D30\660E\9AD4;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@\65B0\7D30\660E\9AD4";
panose-1:2 2 5 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
/* Page Definitions */
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:black" lang="EN-US">Hello
all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">As
our company policy only allow some machines to access to
some SSL website URL(eg. <a moz-do-not-send="true"
href="https://www.google.com/maps">https://www.google.com/maps</a>).
However, they do not have access to <a
moz-do-not-send="true" href="https://www.google.com/">https://www.google.com/</a>
Before, we tried to implement authentication, everything
works fine. We try to allow https access to
<a class="moz-txt-link-freetext" href="https://www.google.com/maps">https://www.google.com/maps</a> and “CONNECT” request to <a
moz-do-not-send="true" href="http://www.google.com">www.google.com</a>
using SSL bump. Now, I want to preserve this config, and let
user to authenicate to access to any website. Access to
google maps(<a moz-do-not-send="true"
href="https://www.google.com/maps">https://www.google.com/maps</a>)
should prevent any authentication need. However, I am not
success to figure this out. I have tried different kinds of
configuration, some will prompt for authentication. Some
will not allow the authenticated users to access to <a
moz-do-not-send="true" href="https://www.google.com">https://www.google.com</a>.
From the access log, after I authenticate and try to access
to <a moz-do-not-send="true" href="https://www.google.com">https://www.google.com</a>,
the authentication information is not displayed. Seems squid
do not use the authentication information when matching the
this rule: “http_access allow CONNECT
google”.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">The
“CONNECT” method is success. Then, the squid will continue
use no authentication information to process the “GET”
command, causing the authenticated user to denied access to
<a moz-do-not-send="true" href="https://www.google.com">https://www.google.com</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">Can
I make squid always use the authentication information if
already authenticate ? Or any suggestion to implement this
policy.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">Thanks.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">Here
is an extracted version of config which should state the
related configuration:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">auth_param
basic children 5<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">auth_param
basic realm Welcome to Our Website!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">auth_param
basic program /usr/lib64/squid/basic_ncsa_auth
/etc/squid/squid_user<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">auth_param
basic credentialsttl 2 hours<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">auth_param
basic casesensitive off<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">acl
my_auth proxy_auth REQUIRED<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">acl
SSL_ports port 443<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">acl
Safe_ports port 443 # https<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">acl
CONNECT method CONNECT<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">acl
GoogleMaps url_regex -i
^<a class="moz-txt-link-freetext" href="https://www.google.com/maps*">https://www.google.com/maps*</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">acl
test_net src 192.168.1.253/32<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">acl
google dstdomain <a
moz-do-not-send="true" href="http://www.google.com">www.google.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">http_access
deny CONNECT !SSL_ports<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">http_access
allow GoogleMaps<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">http_access
allow CONNECT google<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">http_access
deny CONNECT google
my_auth<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">#http_access
allow CONNECT test_net
google<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">http_access
allow my_auth all<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black" lang="EN-US">http_access
deny all<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
squid-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
</pre>
</blockquote>
<br>
</body>
</html>