Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs
Hello Fred,

as written above, I inserted the statements:

> Ok, I tried to insert the acl in auth_param block as you described:
>
> acl pdfdoc dstdomain webgate.ec.europa.eu
> http_access allow password !pdfdoc #replacing http_access allow password
> http_access allow pdfdoc

no success

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-with-LDAP-authentication-bypass-selected-URLs-tp4676689p4676867.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs
> auth_param basic program /usr/sbin/squid_ldap_auth -b T=MYDOMAIN -f "uid=%s" -s sub -h 192.168.1.1 acl password
> auth_param basic children 10
> auth_param basic realm Internetzugang im VERWALTUNGSNETZ FAL-BK: Bitte mit den Daten aus diesem Netzwerk anmelden!
> acl password proxy_auth REQUIRED
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> http_access allow password --> http_access allow password !my acl should be here, with the right acl just before

Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs
Hello Fred,

thank you for your help!

Ok, I tried to insert the acl in auth_param block as you described:

acl pdfdoc dstdomain webgate.ec.europa.eu
http_access allow password !pdfdoc
http_access allow pdfdoc

but no success was shown using the pdf-doc.

Then: Testing access to webgate.ec.europa.eu in browser, squid asked me for a password as usual.

Here is my squid.conf in its current state (the file w7akt has some addresses for novell and for w7-activation):

## Start
acl alle src 0.0.0.0/0.0.0.0
acl w7aktivierung dstdomain "/etc/squid/w7akt"
http_access allow w7aktivierung alle
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
acl wuCONNECT dstdomain novell.com
acl wuCONNECT dstdomain docs.live.net
acl wuCONNECT dstdomain d.docs.live.net
acl port_443 port 443
http_access allow CONNECT port_443
http_access allow CONNECT wuCONNECT
auth_param basic program /usr/sbin/squid_ldap_auth -b T=MYDOMAIN -f "uid=%s" -s sub -h 192.168.1.1 acl password
auth_param basic children 10
auth_param basic realm Internetzugang im VERWALTUNGSNETZ FAL-BK: Bitte mit den Daten aus diesem Netzwerk anmelden!
acl password proxy_auth REQUIRED
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
http_access allow password
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.1.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl QUERY urlpath_regex cgi-bin \?
no_cache deny query
acl FILE_MP3 urlpath_regex -i \.mp3$
http_access deny FILE_MP3
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 192.168.1.7:8080
hierarchy_stoplist cgi-bin ?
cache_mem 32 MB
cache_dir ufs /var/cache/squid 100 16 256
logformat combined %>a %ul %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
log_fqdn on
ftp_user sq...@my-domainname.de
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mgr adm...@my-domainname.de
visible_hostname proxy.my-domainname.de
coredump_dir /var/cache/squid
## End

Re: [squid-users] Squid with LDAP-authentication: bypass selected URLs
I guess you have an acl with proxy_auth ? Something like acl ldapauth proxy_auth REQUIRED ?

So you can just add

http_access allow ldapauth !pdfdoc

and perhaps

http_access allow pdfdoc after

Fred

[squid-users] Squid with LDAP-authentication: bypass selected URLs
Hello,

we use user-authentication using a LDAP server. We want to use a pdf - document which connects to an internet address (europa.eu) for a kind of examination. The pdf doesn't ask for proxy-authentication, so I tried to go around squid using ACLs like:

acl alle src 0.0.0.0/0.0.0.0
acl pdfdoc dstdomain "/etc/squid/urlListe"
http_access allow pdfdoc alle

with entries "europa.eu" and "*.europa.eu" and some more in the file urlListe

Also I tried:

acl CONNECT method CONNECT
acl wuCONNECT dstdomain webgate.ec.europa.eu
http_access allow CONNECT wuCONNECT

The result is always the same: The Acrobat Reader tells "connection failed".

In access.log I find:

192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab? HTTP/1.1" 407 2066 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAURO8EJH HTTP/1.1" 407 2219 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://crl.globalsign.net/root.crl HTTP/1.1" 407 1889 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ocsp2.globalsign.com/gsorganizationvalsha2g2/MFMwUTBPMEBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCEhEhiMXAk3Q3QqEElr8w7e7kcA%3D%3D HTTP/1.1" 407 2303 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl HTTP/1.1" 407 1955 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "CONNECT webgate.ec.europa.eu:443 HTTP/1.0" 200 3154 "-" "Mozilla/3.0 (compatible; Acrobat 5.0; Windows)" TCP_MISS:DIRECT

Any idea if I can do something using squid.conf to establish connection?

Holger

PS: Using "internet at home" without squid the pdf-document works well.
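
Added example (not part of the original posts and not Squid project code): a small Python script that reads access.log lines in the thread's "combined" format and lists, per User-Agent, the destination hosts that were answered with 407 while no user name was logged. On lines like those in the original post it separates the denied Microsoft-CryptoAPI CRL/OCSP requests from the Acrobat CONNECT that got 200. The sample lines are constructed from the post (one path shortened), and the ACL name noauth_helpers is made up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the thread's "combined" logformat (one path shortened).
SAMPLE_LOG = """\
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://crl.globalsign.net/root.crl HTTP/1.1" 407 1889 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://crl.globalsign.com/gs/gsorganizationvalsha2g2.crl HTTP/1.1" 407 1955 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "GET http://ocsp.globalsign.com/rootr1/EXAMPLE HTTP/1.1" 407 2219 "-" "Microsoft-CryptoAPI/6.1" TCP_DENIED:NONE
192.168.12.23 - - [15/Mar/2016:10:32:37 +0100] "CONNECT webgate.ec.europa.eu:443 HTTP/1.0" 200 3154 "-" "Mozilla/3.0 (compatible; Acrobat 5.0; Windows)" TCP_MISS:DIRECT
this line is malformed and must be skipped
"""

# client, ident, user, [time], "method url HTTP/x", status, size, "referer", "agent", result
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)" (?P<result>\S+)$'
)

def dest_host(method, url):
    """CONNECT carries host:port; other methods carry an absolute URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def unauthenticated_denials(log_text):
    """Map User-Agent -> sorted hosts answered with 407 while no user was logged."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected logformat
        if (m["status"] == "407" and m["user"] == "-"
                and m["result"].startswith("TCP_DENIED")):
            hits[m["agent"]].add(dest_host(m["method"], m["url"]))
    return {agent: sorted(hosts) for agent, hosts in hits.items()}

def dstdomain_lines(hosts, acl_name="noauth_helpers"):
    """Render candidate squid.conf acl lines (acl_name is a made-up name)."""
    return [f"acl {acl_name} dstdomain {h}" for h in hosts]

if __name__ == "__main__":
    for agent, hosts in unauthenticated_denials(SAMPLE_LOG).items():
        print(agent)
        print("\n".join(dstdomain_lines(hosts)))
```

Squid checks http_access rules top-down and stops at the first match, so an allow rule for such an acl only avoids the 407 if it sits before the first rule that tests a proxy_auth acl.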