Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-31 Thread Verwaiser
Hello Fred,

as written above, I inserted the statements:

> Ok, I tried to insert the acl in auth_param block as you described:
>
> acl pdfdoc dstdomain webgate.ec.europa.eu
> http_access allow password !pdfdoc   #replacing  http_access allow password
> http_access allow pdfdoc

no success



--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-with-LDAP-authentication-bypass-selected-URLs-tp4676689p4676867.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-29 Thread FredB

> 
> auth_param basic program /usr/sbin/squid_ldap_auth -b T=MYDOMAIN -f "uid=%s" -s sub -h 192.168.1.1 acl password
> auth_param basic children 10
> auth_param basic realm Internetzugang im VERWALTUNGSNETZ FAL-BK: Bitte mit den Daten aus diesem Netzwerk anmelden!
> acl password proxy_auth REQUIRED
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off

> http_access allow password -->  http_access allow password !my acl 
> should be here, with the right acl just before



Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-29 Thread Verwaiser
Hello Fred,
thank you for your help!

Ok, I tried to insert the acl in auth_param block as you described:

acl pdfdoc dstdomain webgate.ec.europa.eu
http_access allow password !pdfdoc
http_access allow pdfdoc

but no success was shown using the pdf-doc.
Then: when testing access to webgate.ec.europa.eu in the browser, squid asked me for a
password as usual.

Here is my squid.conf in its current state (the file w7akt has some addresses for
novell and for w7-activation):

## Start

acl alle src 0.0.0.0/0.0.0.0
acl w7aktivierung dstdomain "/etc/squid/w7akt"
http_access allow w7aktivierung alle

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
acl wuCONNECT dstdomain novell.com
acl wuCONNECT dstdomain docs.live.net
acl wuCONNECT dstdomain d.docs.live.net

acl port_443 port 443
http_access allow CONNECT port_443

http_access allow CONNECT wuCONNECT

auth_param basic program /usr/sbin/squid_ldap_auth -b T=MYDOMAIN -f "uid=%s" -s sub -h 192.168.1.1 acl password
auth_param basic children 10
auth_param basic realm Internetzugang im VERWALTUNGSNETZ FAL-BK: Bitte mit den Daten aus diesem Netzwerk anmelden!
acl password proxy_auth REQUIRED
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
http_access allow password

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8

acl localnet src 192.168.1.0/23 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl QUERY urlpath_regex cgi-bin \?
no_cache deny query
acl FILE_MP3 urlpath_regex -i \.mp3$
http_access deny FILE_MP3

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost

http_access deny all

icp_access allow localnet
icp_access deny all

http_port 192.168.1.7:8080

hierarchy_stoplist cgi-bin ?
cache_mem 32 MB
cache_dir ufs /var/cache/squid 100 16 256
logformat combined %>a %ul %un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
log_fqdn on
ftp_user sq...@my-domainname.de
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr adm...@my-domainname.de
visible_hostname proxy.my-domainname.de
coredump_dir /var/cache/squid

## End 





Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-15 Thread FredB
I guess you have an acl with proxy_auth ?
Something like acl ldapauth proxy_auth REQUIRED ?

So you can just add http_access allow ldapauth !pdfdoc and perhaps http_access 
allow pdfdoc after

Fred



[squid-users] Squid with LDAP-authentication: bypass selected URLs

2016-03-15 Thread Verwaiser
Hello,
we use user-authentication using a LDAP server. 
We want to use a pdf document which connects to an internet address
(europa.eu) for a kind of examination. The pdf doesn't ask for
proxy authentication, so I tried to go around squid using ACLs like:

acl alle src 0.0.0.0/0.0.0.0
acl pdfdoc dstdomain "/etc/squid/urlListe"
http_access allow pdfdoc alle

with entries "europa.eu" and "*.europa.eu" and some more in the file
urlListe 

Also I tried:

acl CONNECT method CONNECT
acl wuCONNECT dstdomain webgate.ec.europa.eu
http_access allow CONNECT wuCONNECT

The result is always the same: The Acrobat Reader says "connection
failed".


In access.log I find:
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? HTTP/1.1" 407 2066 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAURO8EJH HTTP/1.1" 407 2219 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://crl.globalsign.net/root.crl HTTP/1.1" 407 1889 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ocsp2.globalsign.com/gsorganizationvalsha2g2/MFMwUTBPMEBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhiMXAk3Q3QqEElr8w7e7kcA%3D%3D HTTP/1.1" 407 2303 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl HTTP/1.1" 407 1955 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "CONNECT webgate.ec.europa.eu:443 HTTP/1.0" 200 3154 "-" "Mozilla/3.0 (compatible; Acrobat 5.0; Windows)" TCP_MISS:DIRECT

Any idea if I can do something using squid.conf to establish connection?

Holger

PS: Using "internet at home" without squid the pdf-document works well.
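
An added example, not part of the original post: a short Python script that parses access.log lines in the layout quoted above and lists which destinations were answered with 407 while no user name was logged. Run on four of the post's own lines (e-mail wraps removed), it shows that the denied requests are the Microsoft-CryptoAPI certificate-list and CRL fetches, while the CONNECT to webgate.ec.europa.eu returned 200. The function names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Layout of the lines in the post: client, ident, user, time, request,
# status, size, referer, user agent, Squid result code.
LINE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<agent>[^"]*)" (?P<result>\S+)'
)
P = '192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] '
# Four of the six lines from the post, with the e-mail line wraps removed.
SAMPLE = [
    P + '"GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/'
        'disallowedcertstl.cab? HTTP/1.1" 407 2066 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE',
    P + '"GET http://crl.globalsign.net/root.crl HTTP/1.1" 407 1889 "-" '
        '"Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE',
    P + '"GET http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl HTTP/1.1" 407 1955 '
        '"-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE',
    P + '"CONNECT webgate.ec.europa.eu:443 HTTP/1.0" 200 3154 "-" '
        '"Mozilla/3.0 (compatible; Acrobat 5.0; Windows)" TCP_MISS:DIRECT',
]

def dest_host(method, target):
    """CONNECT targets are host:port; other methods log an absolute URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def unauthenticated_denials(lines):
    """Count (host, user agent) pairs answered with 407 and no user name."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["status"] == "407" and m["user"] == "-":
            hits[(dest_host(m["method"], m["target"]), m["agent"])] += 1
    return hits

def passed_hosts(lines):
    """Hosts with at least one request that was not answered with 407."""
    matches = (LINE.match(line.strip()) for line in lines)
    return {dest_host(m["method"], m["target"])
            for m in matches if m and m["status"] != "407"}

if __name__ == "__main__":
    for (host, agent), n in sorted(unauthenticated_denials(SAMPLE).items()):
        print(f"407 x{n}  {host}  [{agent}]")
    print("not challenged:", sorted(passed_hosts(SAMPLE)))
```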



