[squid-users] Squid Authentication if URL is on a Blacklist from SquidGuard

CrossfireAUT kevinmuehlparzer at hotmail.de
Fri Mar 31 08:22:11 UTC 2017


Hello Squid-Community!

I need your help with a rather non-standard config.
My aim is as follows:
-> Users that use my proxy (will deploy it via group policy in AD) should be
able to use my proxy without authentication
-> if a user invokes SquidGuard (he wants to call up a URL on my
blacklists), he should get prompted for his username and password
-> only users of the AD-group webusers should be able to continue and go to
this site on the blacklist
I know it isn't the best way to use SquidGuard, but a customer wants it
that way.

My current config is as follows:
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f sAMAccountName=%s -h 172.30.0.36
auth_param basic children 10
auth_param basic realm xxxx
auth_param basic credentialsttl 2 hours

external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=xxxx,dc=local))" -h 172.30.0.36

authenticate_ip_ttl 1 second

acl auth proxy_auth REQUIRED
acl no_webusers dstdomain .xxxx.at
acl ldapgroup_webusers external webusers webusers

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

http_access deny !auth
http_access allow no_webusers

http_access allow ldapgroup_webusers

http_access deny all

http_port 3128


url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 4




So my users get prompted for their username/password every time they restart
their browser.
If they call up a domain on my blacklists, they get ACCESS DENIED.

Does anyone know how you can achieve this?
Until now I have tried really hard, and thought it would be a good idea to ask the
user list!

Regards,
Kevin
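The behaviour described above follows from how Squid evaluates http_access: rules are tried top to bottom, the first one whose ACLs all match decides, and a proxy_auth ACL challenges the client (HTTP 407) the first time it is evaluated for a request that carries no credentials. With "http_access deny !auth" placed before any allow rule, every request is challenged. Also, url_rewrite_program (and therefore squidGuard) is consulted only after http_access has already allowed the request, so a redirector verdict cannot trigger an authentication prompt. The fragment below is an added example, not Kevin's config and not part of the Squid or squidGuard projects; it moves the blacklist into a native dstdomain ACL so that only blacklisted destinations reach the auth ACL. The file path /etc/squid/blocked_domains.txt and the 172.30.0.0/16 client range are assumed placeholders; the auth_param and external_acl_type lines are the ones from the post.

```conf
# Added example squid.conf fragment (assumptions: blocked_domains.txt path, localnet range)

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f sAMAccountName=%s -h 172.30.0.36
auth_param basic children 10
auth_param basic realm xxxx
auth_param basic credentialsttl 2 hours

external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=xxxx,dc=local))" -h 172.30.0.36

# Only clients from the internal network may use the proxy at all (assumed range).
acl localnet src 172.30.0.0/16

# One domain per line, e.g. ".example.net" (assumed file; the leading dot matches subdomains).
acl blocked_sites dstdomain "/etc/squid/blocked_domains.txt"

acl auth proxy_auth REQUIRED
acl ldapgroup_webusers external webusers webusers

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# 1. Destinations that are not blacklisted pass without any credential prompt.
#    No auth ACL has been evaluated yet, so no 407 is sent.
http_access allow localnet !blocked_sites

# 2. Only blacklisted destinations get this far; the auth ACL is evaluated
#    here for the first time, so this is where the browser is prompted.
http_access deny !auth

# 3. Authenticated user: let them through only if the LDAP helper confirms
#    membership of the AD group "webusers" (the second "webusers" is the %a value).
http_access allow localnet blocked_sites ldapgroup_webusers

http_access deny all

http_port 3128
```

Two points worth checking after deploying something like this: first, "squid -k parse" reports any ACL referenced on an http_access line but never defined, which is the kind of mistake a misspelled ACL name produces. Second, because unauthenticated access is now allowed for non-blacklisted sites, the localnet restriction is what prevents the proxy from becoming an open relay; it should be tightened to the actual client ranges rather than left wide.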


