[squid-users] Squid to ask for, but not require, authentication.
Amos Jeffries
squid3 at treenet.co.nz
Sun Jun 21 12:35:07 UTC 2015
On 22/06/2015 12:24 a.m., Graham wrote:
> I am looking for a way to configure Squid to ask for (and check)
> authentication using LDAP, but to proceed if there is no auth
> information provided.
Not possible. The process of asking for auth sends a reply to the client
request. Once that happens there is nothing further possible.
You can check for auth and continue if its missing, but when doing so
cannot ask the client to send any credentials. A secure client will not
send credentials unless asked...
>
> I have been using DansGuardian for a while with Squid authenticating and
> then getting DansGuardian to filter based on the username that Squid has
> authenticated. The browsers talk directly to DansGuardian, which talks
> to Squid, which does the work over the 'net.
>
> I am now trying to add an android device - which has some apps that
> don't ask the user for a login/password (although they do talk to the
> proxy) and therefore they fail to connect with a 407 error. I have
> modified DansGuardian to allow just this one IP to work without
> authentication, but Squid requires the auth and denies the requests. If
> I make Squid more permissive (remove the auth config) then DansGuardian
> works with that IP address, but will then block all other IP addresses
> as Squid hasn't authenticated anyone. Note that I can't do IP
> authentication from Squid because all requests come from the
> DansGuardian IP (which happens to be localhost) and it can't tell which
> ones to authenticate and which to allow.
You should be able to use something like the User-Agent header
("browser" regex ACL type) to bypass the auth requirement on a
per-request basis. This has to be done for many Java applications, for
example.
Amos
More information about the squid-users
mailing list