[squid-users] different authentication for different ports
Paul Hackmann
phackmann at gmail.com
Tue Nov 21 17:08:35 UTC 2017
Amos,
That was exactly what I was looking for. I tried it and it seems to work
just like I wanted. My other alternative would have been to run 2 copies
of squid, but this is much cleaner from my perspective. Thank you very
much!
PH
On Mon, Nov 20, 2017 at 9:13 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 21/11/17 06:56, Paul Hackmann wrote:
>
>> Amos,
>>
>> If the website that is being asked for is not in the whitelist, won't it
>> fall through and ask for authentication? That is how it seems to work to
>> me. That's why I am thinking I need 2 different ports or something to do
>> what I want.
>>
>
> You do need two different ports regardless of the http_access rules. One
> for the forward/explicit proxy traffic and one for the intercept/tproxy
> traffic. The TCP IP:port details for each of those "modes" is given in
> completely different ways and the HTTP message syntax is also different so
> they *cannot* be delivered to the same ports.
>
>
> A whitelist generally is formed from two lines, one allowing and one
> denying everything else.
>
> If 'everything else' is defined as just the stuff arriving in one specific
> port you get this:
>
> http_port 3128
> http_port 3129 intercept
>
> acl portX myportname 3129
>
> http_access allow portX whitelist
> http_access deny portX
>
> http_access deny !login
> ...
>
> Amos
>
>
>
>> PH
>>
>>
>> On Mon, Nov 20, 2017 at 11:38 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>
>> On 21/11/17 05:02, Paul Hackmann wrote:
>>
>> Hi all. I've got a fairly basic squid config set up on linux.
>> I have basic authentication set up on it to the default 3128
>> port, and it works just fine. I would like to keep this
>> configuration. However, I would like to set up another port
>> that only allows a certain whitelist of websites that doesn't
>> require or ask for authentication. I want to set this up for
>> certain apps that don't have proxy settings built into them. I
>> want windows to be able to connect to some sites, but not
>> everything and if it can't reach the site, I don't want it to
>> ask for credentials. With my current configuration, it asks for
>> credentials for any app that is trying to connect to a
>> non-whitelisted website. Is this configuration possible and do
>> you have an example? Sorry if this has been answered before, I
>> am very green to squid yet.
>>
>>
>> Simply place the http_access rules for handling that traffic above
>> the first line which requires authentication.
>>
>> http_access ... lines that don't require auth.
>>
>> acl login proxy_auth REQUIRED
>> http_access deny !login
>>
>> http_access ... rules for authenticated users.
>>
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>>
>>
>>
>> --
>> Paul Hackmann
>> Sims TV/Haven Electronics
>> 121 N. Vine St.
>> West Union, IA. 52175
>> 563-422-5751
>>
>>
--
Paul Hackmann
Sims TV/Haven Electronics
121 N. Vine St.
West Union, IA. 52175
563-422-5751
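
The two-port layout described in the thread, filled out into a fuller squid.conf fragment. This is an added example, not part of the original messages; the port name `apps`, the helper and file paths, and the realm string are assumptions.

```conf
# Added example. Paths, realm and the "apps" port name are assumptions;
# adjust them to the local installation.

# Explicit (forward) proxy port: clients are configured to use it and
# must authenticate.
http_port 3128

# Intercept port for applications without proxy settings. Naming the
# port makes the myportname match explicit instead of relying on the
# default name.
http_port 3129 intercept name=apps

# Basic authentication helper (assumed helper and password file paths).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy

# ACLs that the thread's snippets reference but do not define.
acl portX myportname apps
# One domain per line, e.g. ".example.com" (assumed file location).
acl whitelist dstdomain "/etc/squid/whitelist.txt"
acl login proxy_auth REQUIRED

# Traffic on the intercept port: whitelist only.
# http_access is first-match, so "deny portX" ends evaluation for this
# port before any proxy_auth ACL is tested. Non-whitelisted requests
# are refused outright and the client is never asked for credentials.
http_access allow portX whitelist
http_access deny portX

# Everything else arrived on 3128 and must authenticate.
http_access deny !login
http_access allow login

# Default deny for anything not matched above.
http_access deny all
```

Running `squid -k parse` checks the file for syntax errors before the running proxy is reconfigured.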