[squid-users] Squid ACL, SSL-BUMP and authentication questions

squid-list squid at visolve.com
Fri Nov 7 07:35:42 UTC 2014


Hi,

"Access to google maps(https://www.google.com/maps) should prevent any
authentication need"

As I understand it, all users should be able to access the Google
Maps link without any authentication. For this, you could add the site
ACL before the authentication part in the Squid conf, so that users will
not be prompted for authentication when they try to access the Google
Maps site. But when they try to access any other site, they will be
prompted for authentication.

(i.e.)
# Google Maps URLs; dots are escaped so they match a literal "."
acl GoogleMaps url_regex -i ^https://www\.google\.com/maps
# allowed before any proxy_auth ACL is evaluated
http_access allow GoogleMaps all

auth_param basic children 5
auth_param basic realm Welcome to Our Website!
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

....
....

I am not clear about the remaining part of the content.

Regards,
ViSolve Squid
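
A simplified model of how Squid walks the http_access list in the original message quoted below (first matching line wins, ACLs on one line are ANDed), added here as an illustration and not taken from either post or from Squid itself. The `request` and `decide` helpers and the sample requests are constructed, and the model assumes that reaching the proxy_auth ACL without credentials ends the check with a 407 challenge.

```python
import re

# ACLs from the quoted config; the regex is kept exactly as posted.
MAPS_RE = re.compile(r"^https://www.google.com/maps*.", re.I)
ACLS = {
    "all":        lambda r: True,
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "SSL_ports":  lambda r: r["port"] == 443,
    "google":     lambda r: r["host"] == "www.google.com",
    "GoogleMaps": lambda r: bool(MAPS_RE.search(r["url"])),
    "my_auth":    lambda r: r["user"] is not None,
}
# http_access lines in the order they appear in the quoted config.
RULES = [
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["GoogleMaps"]),
    ("allow", ["CONNECT", "google"]),
    ("deny",  ["CONNECT", "google", "my_auth"]),
    ("allow", ["my_auth", "all"]),
    ("deny",  ["all"]),
]

def request(method, url, user=None):
    """Constructed request record; a CONNECT URL is just host:port."""
    host = re.sub(r"^https://", "", url).split("/")[0].split(":")[0]
    return {"method": method, "url": url, "host": host, "port": 443, "user": user}

def decide(req):
    """Return (verdict, line number) for the first http_access line that matches."""
    for lineno, (action, names) in enumerate(RULES, 1):
        for name in names:
            negate, acl = name.startswith("!"), name.lstrip("!")
            if acl == "my_auth" and req["user"] is None:
                return "407", lineno      # assumption: no credentials -> challenge
            if ACLS[acl](req) == negate:
                break                     # this ACL failed, try the next line
        else:
            return action, lineno
    return "deny", len(RULES)

if __name__ == "__main__":
    for r in (request("CONNECT", "www.google.com:443"),
              request("GET", "https://www.google.com/maps"),
              request("GET", "https://www.google.com/"),
              request("GET", "https://www.google.com/", user="alice")):
        print(r["method"], r["url"], r["user"], "->", decide(r))
```

In this model the CONNECT to www.google.com is always decided on line 3, before any line that names my_auth, so line 4 is never reached and the tunnel is opened without credentials being requested.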

On 11/07/2014 08:55 AM, squid at icshk.com wrote:
>
> Hello all,
>
> Our company policy only allows some machines to access some SSL
> website URLs (e.g. https://www.google.com/maps). However, they do not
> have access to https://www.google.com/. Before we tried to implement
> authentication, everything worked fine. We try to allow https access to
> https://www.google.com/maps and “CONNECT” requests to www.google.com
> using SSL bump. Now, I want to preserve this
> config, and let users authenticate to access any website. Access
> to google maps(https://www.google.com/maps) should prevent any
> authentication need. However, I have not succeeded in figuring this out. I
> have tried different kinds of configuration; some will prompt for
> authentication, some will not allow the authenticated users to access
> https://www.google.com. From the access log, after I authenticate
> and try to access https://www.google.com, the authentication
> information is not displayed. It seems Squid does not use the
> authentication information when matching this rule:
> “http_access     allow   CONNECT google”.
>
> The “CONNECT” method succeeds. Then Squid continues to use no
> authentication information to process the “GET” command, causing the
> authenticated user to be denied access to https://www.google.com.
>
> Can I make Squid always use the authentication information if already
> authenticated? Or any suggestion to implement this policy.
>
> Thanks.
>
> Here is an extracted version of config which should state the related 
> configuration:
>
> auth_param basic children 5
>
> auth_param basic realm Welcome to Our Website!
>
> auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_user
>
> auth_param basic credentialsttl 2 hours
>
> auth_param basic casesensitive off
>
> acl my_auth proxy_auth REQUIRED
>
> acl SSL_ports port 443
>
> acl Safe_ports port 443         # https
>
> acl CONNECT method CONNECT
>
> acl GoogleMaps           url_regex -i ^https://www.google.com/maps*.
>
> acl test_net                 src             192.168.1.253/32
>
> acl google                    dstdomain www.google.com
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow                           GoogleMaps
>
> http_access allow   CONNECT                 google
>
> http_access deny    CONNECT                 google my_auth
>
> #http_access allow   CONNECT                 test_net google
>
> http_access allow   my_auth                all
>
> http_access deny                            all