RE: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-04 Thread Jasper Van Der Westhuizen


-Original Message-
From: Jasper Van Der Westhuizen [mailto:javanderwesthui...@shoprite.co.za] 
Sent: Wednesday, April 04, 2012 11:13 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Allowing linked sites - NTLM and un-authenticated 
users


> This allows my un-authenticated users access to the whitelisted domains and 
> blocks any links in the sites that are not whitelisted (like facebook and 
> youtube). It also allows my authenticated users access to all sites, 
> including whitelisted sites, as well as allowing linked sites like facebook 
> etc.
>
> Do you perhaps see any issue with this setup?

> The only problem I foresee is that srcdomain is the client's IP rDNS record. 
> You have to encode into that what group they are in, so it's restricted to 
> clients you have control over rDNS for. In which case you may as well make 
> them static and use src IP checks.

>Amos

> Hi Amos

> I want to change my setup to do authentication for everyone, and based on 
> whether the user is in a specific group or not, allow them access to certain 
> ACLs.

> I have a group in AD that should have full access. All users should 
> authenticate. If the user is not in my Internet group then he gets to access 
> a list of sites. If the user is in the Internet group he gets a different 
> ACL to access everything.

>Is this possible with NTLM? I don't think it is. How would I approach this?

What I did now was use wbinfo_group.pl to help with group ACLs.

--cut--
external_acl_type testForNTGroup1 children=5 %LOGIN /usr/sbin/wbinfo_group.pl
external_acl_type testForNTGroup2 children=5 %LOGIN /usr/sbin/wbinfo_group.pl
acl InternetUsers external testForNTGroup1 "/etc/squid/group_auth_all_access"
acl NonInternetUsers external testForNTGroup2 "/etc/squid/group_auth_limited_access"

---

### Allow Whitelisted domains to all users
http_access allow InternetUsers
http_access allow NonInternetUsers whitelist
http_access deny NonInternetUsers !whitelist all

--cut--

I place the groups that are allowed to have full access in group_auth_all_access. 
The file group_auth_limited_access contains the group that covers my entire AD 
domain.

I think this will work fine. I've tested it successfully.



Re: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-04 Thread Amos Jeffries

On 4/04/2012 9:12 p.m., Jasper Van Der Westhuizen wrote:

This allows my un-authenticated users access to the whitelisted domains and 
blocks any links in the sites that are not whitelisted (like facebook and 
youtube). It also allows my authenticated users access to all sites, including 
whitelisted sites, as well as allowing linked sites like facebook etc.

Do you perhaps see any issue with this setup?

The only problem I foresee is that srcdomain is the client's IP rDNS record. You 
have to encode into that what group they are in, so it's restricted to clients 
you have control over rDNS for. In which case you may as well make them 
static and use src IP checks.
Amos

Hi Amos

I want to change my setup to do authentication for everyone, and based on 
whether the user is in a specific group or not, allow them access to certain 
ACLs.

I have a group in AD that should have full access. All users should 
authenticate. If the user is not in my Internet group then he gets to access a 
list of sites. If the user is in the Internet group he gets a different ACL to 
access everything.

Is this possible with NTLM? I don't think it is. How would I approach this?



Like so http://wiki.squid-cache.org/ConfigExamples#Authentication

Amos


Re: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-04 Thread Eliezer Croitoru

On 04/04/2012 13:07, JC Putter wrote:

Jasper,

Sorry to jump in here as the email was addressed to Amos,

We run a configuration very similar to what you want, we use NTLM auth
with squid and dansguardian,

Client>  dansguardian>  Squid>  internet

and for cases which don't have any dansguardian in place, what about an 
external_acl that can help with AD integration?


Regards,
Eliezer

Dansguardian has the capability to filter traffic based on the username,
there is a perl script also available which can pull the usernames from
your AD group into a specified filter group.

So we have different filter groups for different users..

Hope it helps.




--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il


RE: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-04 Thread JC Putter
Jasper,

Sorry to jump in here as the email was addressed to Amos,

We run a configuration very similar to what you want, we use NTLM auth
with squid and dansguardian,

Client > dansguardian > Squid > internet

Dansguardian has the capability to filter traffic based on the username,
there is a perl script also available which can pull the usernames from
your AD group into a specified filter group.

So we have different filter groups for different users..

Hope it helps.


-Original Message-
From: Jasper Van Der Westhuizen [mailto:javanderwesthui...@shoprite.co.za]

Sent: 04 April 2012 11:13 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Allowing linked sites - NTLM and
un-authenticated users


> This allows my un-authenticated users access to the whitelisted domains
and blocks any links in the sites that are not whitelisted (like facebook
and youtube). It also allows my authenticated users access to all sites,
including whitelisted sites, as well as allowing linked sites like
facebook etc.
>
> Do you perhaps see any issue with this setup?

> The only problem I foresee is that srcdomain is the client's IP rDNS
record. You have to encode into that what group they are in, so it's
restricted to clients you have control over rDNS for. In which case you
may as well make them static and use src IP checks.

>Amos

Hi Amos

I want to change my setup to do authentication for everyone, and based on
whether the user is in a specific group or not, allow them access to
certain ACLs.

I have a group in AD that should have full access. All users should
authenticate. If the user is not in my Internet group then he gets to
access a list of sites. If the user is in the Internet group he gets a
different ACL to access everything.

Is this possible with NTLM? I don't think it is. How would I approach
this?



RE: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-04 Thread Jasper Van Der Westhuizen

> This allows my un-authenticated users access to the whitelisted domains and 
> blocks any links in the sites that are not whitelisted (like facebook and 
> youtube). It also allows my authenticated users access to all sites, 
> including whitelisted sites, as well as allowing linked sites like facebook 
> etc.
>
> Do you perhaps see any issue with this setup?

> The only problem I foresee is that srcdomain is the client's IP rDNS record. 
> You have to encode into that what group they are in, so it's restricted to 
> clients you have control over rDNS for. In which case you may as well make 
> them static and use src IP checks.

>Amos

Hi Amos

I want to change my setup to do authentication for everyone, and based on 
whether the user is in a specific group or not, allow them access to certain 
ACLs.

I have a group in AD that should have full access. All users should 
authenticate. If the user is not in my Internet group then he gets to access a 
list of sites. If the user is in the Internet group he gets a different ACL to 
access everything.

Is this possible with NTLM? I don't think it is. How would I approach this?



Re: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-03 Thread Amos Jeffries

On 3/04/2012 10:27 p.m., Jasper Van Der Westhuizen wrote:


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Tuesday, April 03, 2012 8:43 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Allowing linked sites - NTLM and un-authenticated 
users

On 3/04/2012 6:12 p.m., Jasper Van Der Westhuizen wrote:

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, April 02, 2012 9:27 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Allowing linked sites - NTLM and
un-authenticated users

On 2/04/2012 5:54 p.m., Jasper Van Der Westhuizen wrote:

-Original Message-
From: Amos Jeffries

On 30/03/2012 11:45 p.m., Jasper Van Der Westhuizen wrote:

Hi everyone

I've been struggling to get a very specific setup going.

Some background:  Our users are split into "Internet" users and "Non-Internet" users. 
Everyone in a specific AD group is allowed to have full internet access. I have two SQUID proxies with 
squidGuard load balanced with NTLM authentication to handle the group authentication. All traffic also then 
gets sent to a cache peer.

This is basically what I need:
1. All users (internet and non-internet) must be able to access sites in 
"/etc/squid/lists/whitelist.txt"
2. If a user wants to access any external site that is not in the whitelist then he 
must be authenticated. Obviously a non-internet user can try until he is 
blue in the face, it won't work.

These two scenarios are working 100%, except for one irritating bit. Most of the 
whitelisted sites have got linked websites like facebook or twitter or youtube in 
them that load icons and graphics or ads etc. This causes an auth-prompt for non-internet 
users. I can see the requests in the logs being DENIED.

The only way I could think of getting rid of these errors was to
implement a "http_access deny !whitelist" after the allow. This
works great for non-internet users and it blocks all the linked
sites without asking to authenticate, but obviously this breaks
access to all other sites for authenticated users.(access denied
for all sites)

You can use the "all" hack and two login lines:

http_access allow whitelist
# allow authed users, but don't challenge if missing auth
http_access allow authed all
# block access to some sites unless already logged in
http_access deny blacklist
http_access deny !authed


The authed users may still have problems logging in if the first site they visit is one of 
the "blacklist" ones. But if they visit another page first they can login and 
get there.


Amos

Hi Amos

Thank you for the reply.

I think I already tried this method but it still fails. In any case I tried what you suggested 
and the problem remains that my unauthenticated (non-internet) users can get to the 
whitelisted sites just fine, but they still get authentication prompts for the linked content 
like facebook and youtube that the site contains. An example of a site is 
http://www.triptrack.co.za/ and you will see what I mean. At the bottom right of the site 
there are links to facebook and youtube. Those links cause an authentication request to the 
unauthenticated (or non-internet) users. I can't have these prompts appear for these users. 
They have a set list of sites they can visit, and it should work for them and should not 
get asked to authenticate. Only once they try and go directly to sites that are not in the 
whitelist, should they be prompted, and obviously denied since they are not included in the AD 
group.

The problem of course is that they *are* going "directly" to the blacklisted sites 
when they load an object from those sites. Even if the object was embedded in some 
third-party whitelisted site's HTML.
HTTP protocol makes no distinctions about how HTML, XML, or Flash document 
structures group objects. All Squid sees is a request for an object on a 
non-whitelisted site.

Current rules:
http_access allow whitelist
http_access allow authenticated all
http_access deny blacklist
http_access deny !authenticated

Kind Regards
Jasper


Something else I've tried was using a cache_peer_access to pass the whitelisted 
domains that everyone should have access to, to another squid instance that 
should only allow access to the whitelisted sites. Nothing else. Again it works 
kind of. I can see that the proxy sends the request to the cache_peer, but it 
only sends the requested site there and again not any sites that are linked 
within it.(like facebook).

Is there a way to send the entire "session" to the cache_peer if a particular 
domain was requested?

There is maybe the Referer: header. Since the evercookie attacks it has 
become popular to erase or not send those though. So good luck.
You can test that with req_header ACL type and a regex pattern.
Amos

I think I found a work-around

RE: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-03 Thread Jasper Van Der Westhuizen


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Tuesday, April 03, 2012 8:43 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Allowing linked sites - NTLM and un-authenticated 
users

On 3/04/2012 6:12 p.m., Jasper Van Der Westhuizen wrote:
>
> -Original Message-
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Monday, April 02, 2012 9:27 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Allowing linked sites - NTLM and 
> un-authenticated users
>
> On 2/04/2012 5:54 p.m., Jasper Van Der Westhuizen wrote:
>> -Original Message-
>> From: Amos Jeffries
>>
>> On 30/03/2012 11:45 p.m., Jasper Van Der Westhuizen wrote:
>>>> Hi everyone
>>>>
>>>> I've been struggling to get a very specific setup going.
>>>>
>>>> Some background:  Our users are split into "Internet" users and 
>>>> "Non-Internet" users. Everyone in a specific AD group is allowed to have 
>>>> full internet access. I have two SQUID proxies with squidGuard load 
>>>> balanced with NTLM authentication to handle the group authentication. All 
>>>> traffic also then gets sent to a cache peer.
>>>>
>>>> This is basically what I need:
>>>> 1. All users (internet and non-internet) must be able to access sites in 
>>>> "/etc/squid/lists/whitelist.txt"
>>>> 2. If a user wants to access any external site that is not in the 
>>>> whitelist then he must be authenticated. Obviously a non-internet user can 
>>>> try until he is blue in the face, it won't work.
>>>>
>>>> These two scenarios are working 100%, except for one irritating bit. Most 
>>>> of the whitelisted sites have got linked websites like facebook or twitter 
>>>> or youtube in them that load icons and graphics or ads etc. This causes 
>>>> an auth-prompt for non-internet users. I can see the requests in the logs 
>>>> being DENIED.
>>>>
>>>> The only way I could think of getting rid of these errors was to 
>>>> implement a "http_access deny !whitelist" after the allow. This 
>>>> works great for non-internet users and it blocks all the linked 
>>>> sites without asking to authenticate, but obviously this breaks 
>>>> access to all other sites for authenticated users.(access denied 
>>>> for all sites)
>>> You can use the "all" hack and two login lines:
>>>
>>> http_access allow whitelist
>>> # allow authed users, but don't challenge if missing auth
>>> http_access allow authed all
>>> # block access to some sites unless already logged in
>>> http_access deny blacklist
>>> http_access deny !authed
>>>
>>>
>>> The authed users may still have problems logging in if the first site they 
>>> visit is one of the "blacklist" ones. But if they visit another page first 
>>> they can login and get there.
>>>
>>>
>>> Amos
>> Hi Amos
>>
>> Thank you for the reply.
>>
>> I think I already tried this method but it still fails. In any case I tried 
>> what you suggested and the problem remains that my 
>> unauthenticated (non-internet) users can get to the whitelisted sites just 
>> fine, but they still get authentication prompts for the linked content like 
>> facebook and youtube that the site contains. An example of a site is 
>> http://www.triptrack.co.za/ and you will see what I mean. At the bottom 
>> right of the site there are links to facebook and youtube. Those links cause 
>> an authentication request to the unauthenticated (or non-internet) users. I 
>> can't have these prompts appear for these users. They have a set list of 
>> sites they can visit, and it should work for them and should not get asked 
>> to authenticate. Only once they try and go directly to sites that are not in 
>> the whitelist, should they be prompted, and obviously denied since they are 
>> not included in the AD group.
>>
>> The problem of course is that they *are* going "directly" to the blacklisted 
>> sites when they load an object from those sites. Even if the object was 
>> embedded in some third-party whitelisted site's HTML.
>> HTTP protocol makes no distinctions about how HTML, XML, or Flash document 
>> structures group objects. All Squid sees is a request for an object on a 
>> non-whitelisted site.
>> Current rules:
>> http_ac

Re: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-02 Thread Amos Jeffries

On 3/04/2012 6:12 p.m., Jasper Van Der Westhuizen wrote:


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, April 02, 2012 9:27 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Allowing linked sites - NTLM and un-authenticated 
users

On 2/04/2012 5:54 p.m., Jasper Van Der Westhuizen wrote:

-Original Message-
From: Amos Jeffries

On 30/03/2012 11:45 p.m., Jasper Van Der Westhuizen wrote:

Hi everyone

I've been struggling to get a very specific setup going.

Some background:  Our users are split into "Internet" users and "Non-Internet" users. 
Everyone in a specific AD group is allowed to have full internet access. I have two SQUID proxies with 
squidGuard load balanced with NTLM authentication to handle the group authentication. All traffic also then 
gets sent to a cache peer.

This is basically what I need:
1. All users (internet and non-internet) must be able to access sites in 
"/etc/squid/lists/whitelist.txt"
2. If a user wants to access any external site that is not in the whitelist then he 
must be authenticated. Obviously a non-internet user can try until he is 
blue in the face, it won't work.

These two scenarios are working 100%, except for one irritating bit. Most of the 
whitelisted sites have got linked websites like facebook or twitter or youtube in 
them that load icons and graphics or ads etc. This causes an auth-prompt for non-internet 
users. I can see the requests in the logs being DENIED.

The only way I could think of getting rid of these errors was to
implement a "http_access deny !whitelist" after the allow. This
works great for non-internet users and it blocks all the linked
sites without asking to authenticate, but obviously this breaks
access to all other sites for authenticated users.(access denied for
all sites)

You can use the "all" hack and two login lines:

http_access allow whitelist
# allow authed users, but don't challenge if missing auth
http_access allow authed all
# block access to some sites unless already logged in
http_access deny blacklist
http_access deny !authed


The authed users may still have problems logging in if the first site they visit is one of 
the "blacklist" ones. But if they visit another page first they can login and 
get there.


Amos

Hi Amos

Thank you for the reply.

I think I already tried this method but it still fails. In any case I tried what you suggested 
and the problem remains that my unauthenticated (non-internet) users can get to the 
whitelisted sites just fine, but they still get authentication prompts for the linked content 
like facebook and youtube that the site contains. An example of a site is 
http://www.triptrack.co.za/ and you will see what I mean. At the bottom right of the site 
there are links to facebook and youtube. Those links cause an authentication request to the 
unauthenticated (or non-internet) users. I can't have these prompts appear for these users. 
They have a set list of sites they can visit, and it should work for them and should not 
get asked to authenticate. Only once they try and go directly to sites that are not in the 
whitelist, should they be prompted, and obviously denied since they are not included in the AD 
group.

The problem of course is that they *are* going "directly" to the blacklisted sites 
when they load an object from those sites. Even if the object was embedded in some 
third-party whitelisted site's HTML.
HTTP protocol makes no distinctions about how HTML, XML, or Flash document 
structures group objects. All Squid sees is a request for an object on a 
non-whitelisted site.

Current rules:
http_access allow whitelist
http_access allow authenticated all
http_access deny blacklist
http_access deny !authenticated

Kind Regards
Jasper



Something else I've tried was using a cache_peer_access to pass the whitelisted 
domains that everyone should have access to, to another squid instance that 
should only allow access to the whitelisted sites. Nothing else. Again it works 
kind of. I can see that the proxy sends the request to the cache_peer, but it 
only sends the requested site there and again not any sites that are linked 
within it.(like facebook).

Is there a way to send the entire "session" to the cache_peer if a particular 
domain was requested?



There is maybe the Referer: header. Since the evercookie attacks it has 
become popular to erase or not send those though. So good luck.

You can test that with req_header ACL type and a regex pattern.

Amos



RE: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-02 Thread Jasper Van Der Westhuizen


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Monday, April 02, 2012 9:27 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Allowing linked sites - NTLM and un-authenticated 
users

On 2/04/2012 5:54 p.m., Jasper Van Der Westhuizen wrote:
>
> -Original Message-
> From: Amos Jeffries
>
> On 30/03/2012 11:45 p.m., Jasper Van Der Westhuizen wrote:
>>> Hi everyone
>>>
>>> I've been struggling to get a very specific setup going.
>>>
>>> Some background:  Our users are split into "Internet" users and 
>>> "Non-Internet" users. Everyone in a specific AD group is allowed to have 
>>> full internet access. I have two SQUID proxies with squidGuard load 
>>> balanced with NTLM authentication to handle the group authentication. All 
>>> traffic also then gets sent to a cache peer.
>>>
>>> This is basically what I need:
>>> 1. All users (internet and non-internet) must be able to access sites in 
>>> "/etc/squid/lists/whitelist.txt"
>>> 2. If a user wants to access any external site that is not in the whitelist 
>>> then he must be authenticated. Obviously a non-internet user can try until 
>>> he is blue in the face, it won't work.
>>>
>>> These two scenarios are working 100%, except for one irritating bit. Most 
>>> of the whitelisted sites have got linked websites like facebook or twitter 
>>> or youtube in them that load icons and graphics or ads etc. This causes 
>>> an auth-prompt for non-internet users. I can see the requests in the logs 
>>> being DENIED.
>>>
>>> The only way I could think of getting rid of these errors was to 
>>> implement a "http_access deny !whitelist" after the allow. This 
>>> works great for non-internet users and it blocks all the linked 
>>> sites without asking to authenticate, but obviously this breaks 
>>> access to all other sites for authenticated users.(access denied for 
>>> all sites)
>> You can use the "all" hack and two login lines:
>>
>> http_access allow whitelist
>> # allow authed users, but don't challenge if missing auth
>> http_access allow authed all
>> # block access to some sites unless already logged in
>> http_access deny blacklist
>> http_access deny !authed
>>
>>
>> The authed users may still have problems logging in if the first site they 
>> visit is one of the "blacklist" ones. But if they visit another page first 
>> they can login and get there.
>>
>>
>> Amos
> Hi Amos
>
> Thank you for the reply.
>
> I think I already tried this method but it still fails. In any case I tried 
> what you suggested and the problem remains that my 
> unauthenticated (non-internet) users can get to the whitelisted sites just 
> fine, but they still get authentication prompts for the linked content like 
> facebook and youtube that the site contains. An example of a site is 
> http://www.triptrack.co.za/ and you will see what I mean. At the bottom right 
> of the site there are links to facebook and youtube. Those links cause an 
> authentication request to the unauthenticated (or non-internet) users. I can't 
> have these prompts appear for these users. They have a set list of sites 
> they can visit, and it should work for them and should not get asked to 
> authenticate. Only once they try and go directly to sites that are not in 
> the whitelist, should they be prompted, and obviously denied since they are 
> not included in the AD group.

>The problem of course is that they *are* going "directly" to the blacklisted 
>sites when they load an object from those sites. Even if the object was 
>embedded in some third-party whitelisted site's HTML.
>HTTP protocol makes no distinctions about how HTML, XML, or Flash document 
>structures group objects. All Squid sees is a request for an object on a 
>non-whitelisted site.

>
> Current rules:
> http_access allow whitelist
> http_access allow authenticated all
> http_access deny blacklist
> http_access deny !authenticated
>
> Kind Regards
> Jasper
>


Something else I've tried was using a cache_peer_access to pass the whitelisted 
domains that everyone should have access to, to another squid instance that 
should only allow access to the whitelisted sites. Nothing else. Again it works 
kind of. I can see that the proxy sends the request to the cache_peer, but it 
only sends the requested site there and again not any sites that are linked 
within it.(like facebook).

Is there a way to send the entire "session" to the cache_peer if a particular 
domain was requested?



Re: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-02 Thread Amos Jeffries

On 2/04/2012 5:54 p.m., Jasper Van Der Westhuizen wrote:


-Original Message-
From: Amos Jeffries

On 30/03/2012 11:45 p.m., Jasper Van Der Westhuizen wrote:

Hi everyone

I've been struggling to get a very specific setup going.

Some background:  Our users are split into "Internet" users and "Non-Internet" users. 
Everyone in a specific AD group is allowed to have full internet access. I have two SQUID proxies with 
squidGuard load balanced with NTLM authentication to handle the group authentication. All traffic also then 
gets sent to a cache peer.

This is basically what I need:
1. All users (internet and non-internet) must be able to access sites in 
"/etc/squid/lists/whitelist.txt"
2. If a user wants to access any external site that is not in the whitelist then he 
must be authenticated. Obviously a non-internet user can try until he is 
blue in the face, it won't work.

These two scenarios are working 100%, except for one irritating bit. Most of the 
whitelisted sites have got linked websites like facebook or twitter or youtube in 
them that load icons and graphics or ads etc. This causes an auth-prompt for non-internet 
users. I can see the requests in the logs being DENIED.

The only way I could think of getting rid of these errors was to
implement a "http_access deny !whitelist" after the allow. This works
great for non-internet users and it blocks all the linked sites
without asking to authenticate, but obviously this breaks access to
all other sites for authenticated users.(access denied for all sites)

You can use the "all" hack and two login lines:

http_access allow whitelist
# allow authed users, but don't challenge if missing auth
http_access allow authed all
# block access to some sites unless already logged in
http_access deny blacklist
http_access deny !authed


The authed users may still have problems logging in if the first site they visit is one of 
the "blacklist" ones. But if they visit another page first they can login and 
get there.


Amos

Hi Amos

Thank you for the reply.

I think I already tried this method but it still fails. In any case I tried 
what you suggested and the problem remains that my 
unauthenticated (non-internet) users can get to the whitelisted sites just fine, 
but they still get authentication prompts for the linked content like facebook 
and youtube that the site contains. An example of a site is 
http://www.triptrack.co.za/ and you will see what I mean. At the bottom right 
of the site there are links to facebook and youtube. Those links cause an 
authentication request to the unauthenticated (or non-internet) users. I can't 
have these prompts appear for these users. They have a set list of sites they 
can visit, and it should work for them and should not get asked to 
authenticate. Only once they try and go directly to sites that are not in the 
whitelist, should they be prompted, and obviously denied since they are not 
included in the AD group.


The problem of course is that they *are* going "directly" to the 
blacklisted sites when they load an object from those sites. Even if the 
object was embedded in some third-party whitelisted site's HTML.
HTTP protocol makes no distinctions about how HTML, XML, or Flash 
document structures group objects. All Squid sees is a request for an 
object on a non-whitelisted site.




Current rules:
http_access allow whitelist
http_access allow authenticated all
http_access deny blacklist
http_access deny !authenticated

Kind Regards
Jasper






RE: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-04-01 Thread Jasper Van Der Westhuizen


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Saturday, March 31, 2012 10:11 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Allowing linked sites - NTLM and un-authenticated 
users

On 30/03/2012 11:45 p.m., Jasper Van Der Westhuizen wrote:
>> Hi everyone
>>
>> I've been struggling to get a very specific setup going.
>>
>> Some background:  Our users are split into "Internet" users and 
>> "Non-Internet" users. Everyone in a specific AD group is allowed to have 
>> full internet access. I have two SQUID proxies with squidGuard load 
>> balanced with NTLM authentication to handle the group authentication. All 
>> traffic also then gets sent to a cache peer.
>>
>> This is basically what I need:
>> 1. All users (internet and non-internet) must be able to access sites in 
>> "/etc/squid/lists/whitelist.txt"
>> 2. If a user wants to access any external site that is not in the whitelist 
>> then he must be authenticated. Obviously a non-internet user can try until 
>> he is blue in the face, it won't work.
>>
>> These two scenarios are working 100%, except for one irritating bit. Most of 
>> the whitelisted sites have got linked websites like facebook or twitter or 
>> youtube in them that load icons and graphics or ads etc. This causes an 
>> auth-prompt for non-internet users. I can see the requests in the logs 
>> being DENIED.
>>
>> The only way I could think of getting rid of these errors was to 
>> implement a "http_access deny !whitelist" after the allow. This works 
>> great for non-internet users and it blocks all the linked sites 
>> without asking to authenticate, but obviously this breaks access to 
>> all other sites for authenticated users.(access denied for all sites)

> You can use the "all" hack and two login lines:
>
>http_access allow whitelist
># allow authed users, but don't challenge if missing auth
>http_access allow authed all
># block access to some sites unless already logged in
>http_access deny blacklist
>http_access deny !authed
>
>
>The authed users may still have problems logging in if the first site they 
>visit is one of the "blacklist" ones. But if they visit another page first 
>they can login and get there.
>
>
>Amos

Hi Amos

Thank you for the reply. 

I think I already tried this method but it still fails. In any case I tried 
what you suggested and the problem remains that my 
unauthenticated (non-internet) users can get to the whitelisted sites just fine, 
but they still get authentication prompts for the linked content like facebook 
and youtube that the site contains. An example of a site is 
http://www.triptrack.co.za/ and you will see what I mean. At the bottom right 
of the site there are links to facebook and youtube. Those links cause an 
authentication request to the unauthenticated (or non-internet) users. I can't 
have these prompts appear for these users. They have a set list of sites they 
can visit, and it should work for them without them being asked to 
authenticate. Only once they try and go directly to sites that are not in the 
whitelist should they be prompted, and obviously denied since they are not 
included in the AD group.

Current rules:
http_access allow whitelist
http_access allow authenticated all
http_access deny blacklist
http_access deny !authenticated

Kind Regards
Jasper



Re: [squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-03-31 Thread Amos Jeffries

On 30/03/2012 11:45 p.m., Jasper Van Der Westhuizen wrote:

Hi everyone

I've been struggling to get a very specific setup going.

Some background:  Our users are split into "Internet" users and "Non-Internet" 
users. Everyone in a specific AD group is allowed to have full internet access. I have two SQUID 
proxies with squidGuard load balanced with NTLM authentication to handle the group authentication. 
All traffic also then gets sent to a cache peer.

This is basically what I need:
1. All users(internet and non-internet) must be able to access sites in 
"/etc/squid/lists/whitelist.txt"
2. If a user wants to access any external site that is not in the whitelist 
then he must be authenticated. Obviously a non-internet user can try until he 
is blue in the face, it won't work.

These two scenarios are working 100%, except for one irritating bit. Most of 
the whitelisted sites have got linked websites like facebook or twitter or 
youtube in them that load icons and graphics or ads etc. This causes an 
auth-prompt for non-internet users. I can see the requests in the logs being 
DENIED.

The only way I could think of getting rid of these errors was to implement a 
"http_access deny !whitelist" after the allow. This works great for 
non-internet users and it blocks all the linked sites without asking to authenticate, but 
obviously this breaks access to all other sites for authenticated users. (access denied 
for all sites)


You can use the "all" hack and two login lines:

http_access allow whitelist
# allow authed users, but don't challenge if missing auth
http_access allow authed all
# block access to some sites unless already logged in
http_access deny blacklist
http_access deny !authed


The authed users may still have problems logging in if the first site 
they visit is one of the "blacklist" ones. But if they visit another 
page first they can login and get there.



Amos


[squid-users] Allowing linked sites - NTLM and un-authenticated users

2012-03-30 Thread Jasper Van Der Westhuizen
Hi everyone

I've been struggling to get a very specific setup going.

Some background:  Our users are split into "Internet" users and "Non-Internet" 
users. Everyone in a specific AD group is allowed to have full internet access. 
I have two SQUID proxies with squidGuard load balanced with NTLM authentication 
to handle the group authentication. All traffic also then gets sent to a cache 
peer.

This is basically what I need:
1. All users(internet and non-internet) must be able to access sites in 
"/etc/squid/lists/whitelist.txt"
2. If a user wants to access any external site that is not in the whitelist 
then he must be authenticated. Obviously a non-internet user can try until he 
is blue in the face, it won't work.

These two scenarios are working 100%, except for one irritating bit. Most of 
the whitelisted sites have got linked websites like facebook or twitter or 
youtube in them that load icons and graphics or ads etc. This causes an 
auth-prompt for non-internet users. I can see the requests in the logs being 
DENIED.

The only way I could think of getting rid of these errors was to implement a 
"http_access deny !whitelist" after the allow. This works great for 
non-internet users and it blocks all the linked sites without asking to 
authenticate, but obviously this breaks access to all other sites for 
authenticated users. (access denied for all sites)

I thought of placing the whitelisted sites in squidGuard but NTLM 
authentication happens in squid, before it reaches squidGuard.

Here is an excerpt from my config file:
--cut--
### Whitelisted sites for all users
acl whitelist dstdomain "/etc/squid/lists/whitelist.txt"

acl authenticated proxy_auth REQUIRED

http_access allow whitelist
http_access allow authenticated !whitelist
http_access deny all
--cut--

What I basically need is something like "http_access deny !whitelist 
!authenticated" which means deny all sites not in whitelist for users who are 
not authenticated.  Can this be done?

Any suggestions would be greatly appreciated.

Kind Regards
Jasper
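The original post above and the follow-up both mention seeing the linked-site requests logged as DENIED, and the config excerpt builds the whitelist with `acl whitelist dstdomain "/etc/squid/lists/whitelist.txt"`. The script below is an added example (not code from this thread or from the Squid project) that turns those two facts into a diagnostic: it reads access.log lines in Squid's native log format, reads a whitelist in dstdomain syntax, and reports every host behind a TCP_DENIED entry that no whitelist entry covers, separating a 407 (the authentication challenge the non-internet users are seeing) from a plain 403 deny. It assumes Squid's dstdomain matching rules (a leading dot matches the domain and all its subdomains; an entry without a leading dot matches that exact host only) and the native log field order; the log lines and whitelist entries are constructed sample data.

```python
"""Report hosts that Squid denied but that no dstdomain whitelist entry covers.

Added example for the thread above; not code from the mailing list or Squid.
Input formats assumed:
  - access.log in Squid's native format:
    time elapsed client action/status bytes method URL user hierarchy/peer type
  - whitelist.txt in dstdomain syntax, one entry per line, '#' comments allowed
"""
from urllib.parse import urlsplit

# Constructed whitelist.  ".triptrack.co.za" covers the site and every
# subdomain; "www.example.org" covers only that exact host.
WHITELIST_TXT = """\
# sites every user may reach
.triptrack.co.za
www.example.org
"""

# Constructed native-format access.log lines.  "-" in the user field means the
# client sent no credentials; 407 is the proxy-auth challenge, 403 a flat deny.
ACCESS_LOG = """\
1333100001.101    12 10.0.0.5 TCP_MISS/200 5120 GET http://www.triptrack.co.za/ - DIRECT/192.0.2.10 text/html
1333100001.350     0 10.0.0.5 TCP_DENIED/407 3400 GET http://www.facebook.com/plugins/like.php - NONE/- text/html
1333100001.402     0 10.0.0.5 TCP_DENIED/407 3400 GET http://www.youtube.com/embed/abc123 - NONE/- text/html
1333100002.010     0 10.0.0.5 TCP_DENIED/407 3400 GET http://example.org/favicon.ico - NONE/- text/html
1333100002.555    30 10.0.0.7 TCP_MISS/200 800 GET http://www.example.org/logo.png jsmith DIRECT/192.0.2.11 image/png
1333100003.000     0 10.0.0.9 TCP_DENIED/403 3300 GET http://www.facebook.com/ - NONE/- text/html
"""


def load_dstdomain_list(text):
    """Parse whitelist.txt: strip '#' comments and blank lines, lower-case entries."""
    entries = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry:
            entries.append(entry)
    return entries


def dstdomain_matches(host, entries):
    """True if `host` would match a dstdomain ACL built from `entries`."""
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            # ".foo.com" matches foo.com itself and any name ending in ".foo.com"
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True  # no leading dot: exact host only
    return False


def parse_native_line(line):
    """Split one native-format line into the fields this check needs, or None."""
    fields = line.split()
    if len(fields) < 9 or "/" not in fields[3]:
        return None
    action, status = fields[3].split("/", 1)
    return {"client": fields[2], "action": action, "status": int(status),
            "url": fields[6], "user": fields[7]}


def host_of(url):
    """Hostname of a logged URL; CONNECT requests log 'host:port' instead of a URL."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.split(":", 1)[0]


def uncovered_denied_hosts(log_text, whitelist_text):
    """Map each denied host not covered by the whitelist to the HTTP statuses seen."""
    entries = load_dstdomain_list(whitelist_text)
    report = {}
    for line in log_text.splitlines():
        rec = parse_native_line(line)
        if rec is None or rec["action"] != "TCP_DENIED":
            continue
        host = host_of(rec["url"])
        if host and not dstdomain_matches(host, entries):
            report.setdefault(host, set()).add(rec["status"])
    return {host: sorted(statuses) for host, statuses in sorted(report.items())}


if __name__ == "__main__":
    for host, statuses in uncovered_denied_hosts(ACCESS_LOG, WHITELIST_TXT).items():
        print(f"{host}: denied with HTTP {statuses}, not covered by whitelist")
```

Run against the sample data, the report lists www.facebook.com and www.youtube.com (the linked content causing the 407 prompts) and also example.org, which is denied even though www.example.org is whitelisted: the entry has no leading dot, so only that exact host matches. That last case is worth checking for in a real whitelist.txt before concluding that Squid's access rules are the problem.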