RE: [squid-users] Forwarding request to upstream auth and proxyserver

From: Andrew Loughnan <andrewl@dont-contact.us>
Date: Fri, 23 Aug 2002 12:41:18 +1000

Does anyone know how I can stop users who do not log on (we run Windows 98 on the workstations) accessing the internet, as users
are not forced to log in as they can press the Esc key but still open IE.

-----Original Message-----
From: Henrik Nordström [mailto:hno@marasystems.com]
Sent: Thursday, 22 August 2002 8:15 AM
To: Andrew Loughnan
Cc: Squid-Users (E-mail)
Subject: Re: [squid-users] Forwarding request to upstream auth and
proxyserver

For this you probably need to configure Squid to provide a hardcoded
username+password in the cache_peer directive. See the login=...
cache_peer option.

If both proxies use the same user database then Squid-2.5 can be
configured to "transparently" forward the proxy authentication to the
parent.

HTTP only supports one set of proxy user credentials per request. The user
cannot get two login questions.

Regards
Henrik

On Wed, 21 Aug 2002, Andrew Loughnan wrote:

>
> I have a problem that I hope can be solved. I want to be able to authenticate locally via smb_auth against our W2k domain controllers and then forward the request to our upstream proxy server where the users need to be authenticated again. I have tried all manners of different config as I think it has something to do with the "always_direct", "never_direct" rules but just playing with these gets me confused.
>
> I am running SQUID-2.4.STABLE-6.7.3 on a Red Hat 7.3 server.
>
> We are connected to our upstream proxy via a VPN on address 10.13.144.0/23 where the internet users get authenticated. Our internal network is on a 10.0.4.0/23.
> Here is a snippet of our proxy config file. I hope someone can be of assistance.
>
> http_port 8080
> cache_peer proxy parent 3128 0 default no-query
> authenticate_program /usr/lib/squid/smb_auth -W STUDENT -U 10.0.4.2
> authenticate_children 12
> acl students proxy_auth REQUIRED
> proxy_auth_realm Student Internet Authentification
>
> #Defaults:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl cache dst 10.130.144.0/255.255.254.0
> acl localsrv src 10.0.4.1-10.0.4.49
>
> #
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 81 # http2
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #Default configuration:
> http_access allow manager localhost
> http_access allow manager localsrv
> http_access deny !Safe_ports
> http_access deny manager
> #
> http_access allow localhost
> http_access allow localsrv
> http_access deny manager
> http_access allow students
> http_access deny all
>
>
> #$Included to allow transfer through SINA Realm
> always_direct allow students
> always_direct deny all
> #never_direct allow localnet
> #never_direct allow cache
> #never_direct allow students
> ie_refresh on
>
> Thanks
>
> Andrew Loughnan, MCP
> Computer Services Manager
> St Joseph's College
> 135 Aphrasia St
> Geelong, Victoria Australia
> 3220
> Ph +61 3 5226-8100
> DD +61 3 5226-8165
> Fax +61 3 5221-6983
> E-mail: <<mailto:andrewl@sjc.vic.edu.au>>
> WWW: <<http://www.sjc.vic.edu.au>>
>
>
Received on Thu Aug 22 2002 - 20:39:14 MDT
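
The following squid.conf fragment is an added example, not part of the original thread or written by either poster. It shows the cache_peer login= approach suggested in the reply, next to the posted always_direct rules that keep requests away from the parent. The account in login= is a placeholder and the "internal" ACL is an assumption based on the 10.0.4.0/23 network named in the post.

```conf
# Constructed example for Squid 2.4. "proxy" and port 3128 are the parent
# from the posted config; the login= account below is a placeholder.

# Local authentication stays as posted (smb_auth against the domain controller).
authenticate_program /usr/lib/squid/smb_auth -W STUDENT -U 10.0.4.2
authenticate_children 12
acl students proxy_auth REQUIRED

# Squid answers the parent's proxy authentication itself with one fixed
# account, so the user only sees the local login prompt.
cache_peer proxy parent 3128 0 default no-query login=PLACEHOLDER_USER:PLACEHOLDER_PASSWORD

# Squid 2.5 alternative when both proxies share one user database:
# forward the user's own credentials instead of a fixed account.
#cache_peer proxy parent 3128 0 default no-query login=PASS

# Before (as posted): authenticated requests are sent straight to the
# origin server, so the parent and its authentication are skipped.
#always_direct allow students
#always_direct deny all

# After: only internal destinations go direct (assumed ACL, 10.0.4.0/23
# taken from the post); everything else must go through a peer.
acl internal dst 10.0.4.0/255.255.254.0
always_direct allow internal
never_direct allow all

# Only locally authenticated users reach the parent at all.
http_access allow students
http_access deny all
```

With login=user:password the parent's password sits in cleartext in squid.conf, so the file should be readable only by root and the Squid user. The parent also sees every request as the same account, which leaves the local access.log as the only per-user record.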
