[squid-users] Access based on auth and referer

Dott. Matteo Savatteri matteo.savatteri at unimi.it
Sun Mar 5 09:44:38 UTC 2023


Hello fellow Squid users,

we use Squid 3.5 at my company and we want to give access to all sites 
to authenticated users. If a user is not authenticated we need to allow 
only HTTP/S requests that present a referer header matching a regex. Is 
this even possible?

I have tried a combination of proxy_auth and referer_regex ACLs with no 
results. sslbump is working.

This is a snippet from my conf:


# example regex to be substituted by a regex list
acl myreferer referer_regex -i ^https://www.example.com/
acl password proxy_auth REQUIRED
acl all src
acl manager proto cache_object
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT
http_access allow myreferer
http_access allow password
http_access deny all


Using this configuration the requests are correctly filtered based on 
regex, but the proxy does not ask for auth credentials when the regex is 
not matched. If I put "http_access allow password" above "http_access 
allow CONNECT" like this:


[...]
http_access deny CONNECT !SSL_ports
http_access allow password
http_access allow CONNECT
[...]


the proxy asks for auth for each request not matching the referer regex 
and the anonymous users are bothered.

I have read the docs but I have not found an answer. Please, help me.

Thank you for your kindness,

--
Matteo Savatteri


