<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:新細明體;
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:細明體;
panose-1:2 2 5 9 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@新細明體";
panose-1:2 2 5 0 0 0 0 0 0 0;}
@font-face
{font-family:"\@細明體";
panose-1:2 2 5 9 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:細明體;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";
color:black;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=ZH-TW link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Hi,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Sorry for my poor English. I think maybe I have figure out how to do this. Seems I need to explicitly specific allow “google” for “my_auth” users.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Add this:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access allow google my_auth<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>before<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access allow my_auth all<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>auth_param basic children 5<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>auth_param basic realm Welcome to Our Website!<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>auth_param basic credentialsttl 2 hours<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>auth_param basic casesensitive off<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl my_auth proxy_auth REQUIRED<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl SSL_ports port 443<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl Safe_ports port 443 # https<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl CONNECT method CONNECT<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl GoogleMaps url_regex -i ^<a href="https://www.google.com/maps*">https://www.google.com/maps*</a>.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl test_net src 192.168.1.253/32<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl google dstdomain <a href="http://www.google.com">www.google.com</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access deny CONNECT !SSL_ports<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access allow GoogleMaps<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access allow CONNECT google<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access deny CONNECT google my_auth<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#http_access allow CONNECT test_net google<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access allow google my_auth<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access allow my_auth all<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access deny all<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;color:windowtext'>From:</span></b><span lang=EN-US style='font-size:11.0pt;color:windowtext'> squid-users [mailto:squid-users-bounces@lists.squid-cache.org] <b>On Behalf Of </b>squid-list<br><b>Sent:</b> Friday, November 07, 2014 3:36 PM<br><b>To:</b> squid-users@lists.squid-cache.org<br><b>Subject:</b> Re: [squid-users] Squid ACL, SSL-BUMP and authentication questions<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US>Hi,<br><b><br>"Access to google maps(<a href="https://www.google.com/maps">https://www.google.com/maps</a>) should prevent any authentication need"</b><br><br>I could understand that all users should be able to access the google maps link without any authentication. For this you could add the site acl before the authentication part in the squid conf. So that users will not prompt for the authentication when the user try to access the google map site. But when they try to access any other site authentication will be prompted.<br><br>(i.e)<br> acl GoogleMaps url_regex -i ^<a href="https://www.google.com/maps*">https://www.google.com/maps*</a>.<br> acl allow GoogleMaps all<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> auth_param basic children 5<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> auth_param basic realm Welcome to Our Website!<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span lang=EN-US> auth_param basic credentialsttl 2 hours<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US> auth_param basic casesensitive off <br><br> ....<br> ....<br><br>I am not clear about the remaining part of the content.<br><br>Regards,<br>ViSolve Squid<o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US>On 11/07/2014 08:55 AM, <a href="mailto:squid@icshk.com">squid@icshk.com</a> wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US>Hello all,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>As our company policy only allow some machines to access to some SSL website URL(eg. <a href="https://www.google.com/maps">https://www.google.com/maps</a>). However, they do not have access to <a href="https://www.google.com/">https://www.google.com/</a> Before, we tried to implement authentication, everything works fine. We try to allow https access to <a href="https://www.google.com/maps">https://www.google.com/maps</a> and “CONNECT” request to <a href="http://www.google.com">www.google.com</a> using SSL bump. Now, I want to preserve this config, and let user to authenicate to access to any website. Access to google maps(<a href="https://www.google.com/maps">https://www.google.com/maps</a>) should prevent any authentication need. However, I am not success to figure this out. I have tried different kinds of configuration, some will prompt for authentication. Some will not allow the authenticated users to access to <a href="https://www.google.com">https://www.google.com</a>. From the access log, after I authenticate and try to access to <a href="https://www.google.com">https://www.google.com</a>, the authentication information is not displayed. Seems squid do not use the authentication information when matching the this rule: “http_access allow CONNECT google”.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>The “CONNECT” method is success. Then, the squid will continue use no authentication information to process the “GET” command, causing the authenticated user to denied access to <a href="https://www.google.com">https://www.google.com</a>.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Can I make squid always use the authentication information if already authenticate ? Or any suggestion to implement this policy.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Thanks.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Here is an extracted version of config which should state the related configuration:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>auth_param basic children 5<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>auth_param basic realm Welcome to Our Website!<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>auth_param basic credentialsttl 2 hours<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>auth_param basic casesensitive off<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl my_auth proxy_auth REQUIRED<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl SSL_ports port 443<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl Safe_ports port 443 # https<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl CONNECT method CONNECT<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl GoogleMaps url_regex -i ^<a href="https://www.google.com/maps*">https://www.google.com/maps*</a>.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl test_net src 192.168.1.253/32<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>acl google dstdomain <a href="http://www.google.com">www.google.com</a><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access deny CONNECT !SSL_ports<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access allow GoogleMaps<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access allow CONNECT google<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access deny CONNECT google my_auth<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>#http_access allow CONNECT test_net google<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access allow my_auth all<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>http_access deny all<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-family:"新細明體",serif'><br><br><o:p></o:p></span></p><pre><span lang=EN-US>_______________________________________________<o:p></o:p></span></pre><pre><span lang=EN-US>squid-users mailing list<o:p></o:p></span></pre><pre><span lang=EN-US><a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><o:p></o:p></span></pre><pre><span lang=EN-US><a href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><o:p></o:p></span></pre></blockquote><p class=MsoNormal><span lang=EN-US style='font-family:"新細明體",serif'><o:p> </o:p></span></p></div></body></html>