Re: [squid-users] Authentication Question
michael_gra...@cadc.uscourts.gov wrote:

> I set up two reverse proxy sites with LDAP authentication. Authentication works fine when I access either site. The problem I'm having is after I authenticate to either site, I try and access a URL on the other site and I'm prompted to authenticate again. How can I tell squid to check the authenticated user and stop prompting me for another login?

I guess that depends on your auth_param settings or LDAP configuration, which you omitted. It's not part of the domain routing config you show below.

> Below is my squid.conf setup of both sites. Thanks
>
> acl ldap-auth proxy_auth REQUIRED
> http_access allow ldap-auth
>
> http_port x.x.x.x:80 accel defaultsite=intranet.cadc.circdc.dcn
> cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet1 round-robin
> cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet2 round-robin
> acl sites_intranet dstdomain intranet.cadc.circdc.dcn
> http_access allow sites_intranet
> cache_peer_access intranet1 allow sites_intranet
> cache_peer_access intranet2 allow sites_intranet
>
> http_port x.x.x.x:80 accel defaultsite=www.cadc.circdc.dcn
> cache_peer x.x.x.x parent 80 0 no-query originserver name=iis
> acl sites=iis dstdomain www.cadc.circdc.dcn
> http_access allow sites=iis
> cache_peer_access iis allow sites=iis
>
> http_access deny all

Just a note, personally I'd add the ldap-auth ACL to the end of each of the http_access allow sitesX lines instead of globally at the top. That would prevent wasting auth resources on people requesting unacceptable domains.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
  Current Beta Squid 3.1.0.15
[squid-users] Authentication Question
I set up two reverse proxy sites with LDAP authentication. Authentication works fine when I access either site. The problem I'm having is after I authenticate to either site, I try and access a URL on the other site and I'm prompted to authenticate again. How can I tell squid to check the authenticated user and stop prompting me for another login?

Below is my squid.conf setup of both sites. Thanks

acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth

http_port x.x.x.x:80 accel defaultsite=intranet.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet1 round-robin
cache_peer x.x.x.x parent 80 0 no-query originserver name=intranet2 round-robin
acl sites_intranet dstdomain intranet.cadc.circdc.dcn
http_access allow sites_intranet
cache_peer_access intranet1 allow sites_intranet
cache_peer_access intranet2 allow sites_intranet

http_port x.x.x.x:80 accel defaultsite=www.cadc.circdc.dcn
cache_peer x.x.x.x parent 80 0 no-query originserver name=iis
acl sites=iis dstdomain www.cadc.circdc.dcn
http_access allow sites=iis
cache_peer_access iis allow sites=iis

http_access deny all

Mike Grasso
DC Circuit Court of Appeals
Re: [squid-users] Authentication question
Monah Baki wrote:

> Hi All,
>
> If users require authentication in squid before browsing, is there a way for example to tell squid since user has authenticated in IE, if the user plans on using firefox while IE is still running, do not authenticate.

Most web-things are possible. Try automatic NTLM auth, see if you can get it authenticating in the background without either IE or Firefox needing to show the login box.

There are other ways, but they open MAJOR security holes you REALLY do not want to open.

FWIW: if you have Firefox installed why do you even let the users see IE as present on the PC? It's only needed for WindowsUpdate and then marginally. Removing IE from under temptation's fingers closes a lot of security holes in Windows (94% of the current SANS list) with one action.

Amos
[squid-users] Authentication question
Hi All,

If users require authentication in squid before browsing, is there a way for example to tell squid since user has authenticated in IE, if the user plans on using firefox while IE is still running, do not authenticate.

Thanks

BSD Networking, Microsoft Notworking
Re: [squid-users] Authentication Question
On Thu, 12 Jan 2006, Gendel, David wrote:

> What authentication schemes are available to use for web applications running on the IIS?
>
> - Basic

Yes.

> - Forms Based

Yes.

> - Digest

Yes, but needs to be enabled both in IIS and the ADS domain/account policy if you want integration with the domain.

> - Advanced Digest

Not sure what this refers to.

> - NTLM (I already know this will not work based on protocol design)
> - Windows Integrated (I already know this will not work based on protocol design)

No additional comment.

Regards
Henrik
[squid-users] Authentication Question
This is a question of how to properly implement or use web server authentication through squid 2.X. This is not a question about authentication to the Squid server itself.

The scenario is:

Users -- Squid 2.5 -- IIS6

This is all internal and there is no authentication to the Squid server itself.

What authentication schemes are available to use for web applications running on the IIS?

- Basic
- Forms Based
- Digest
- Advanced Digest
- NTLM (I already know this will not work based on protocol design)
- Windows Integrated (I already know this will not work based on protocol design)

Any suggestions, examples, or documentation would be greatly appreciated

-- David
[squid-users] authentication question
Is it possible to have any password encrypted authentication scheme with squid, without having a passwd file on disk?

Can I mix digest authentication with an external helper program? How could I combine a helper program with digest?
Re: [squid-users] authentication question
On Thu, 30 Sep 2004, Costas Zacharopoulos wrote:

> Is it possible to have any password encrypted authentication scheme with squid, without having a passwd file on disk?

ntlm

> Can I mix digest authentication with an external helper program?

Please elaborate on what kind of external helper.. there are many different kinds of external helpers to Squid.

But generally yes.

Regards
Henrik
[squid-users] authentication question
Can I have an external authorization scheme based on ip addresses and hostnames? Which authentication mechanism shall I use? Is it possible to use digest authentication?
Re: [squid-users] authentication question
On Wed, 29 Sep 2004, Costas Zacharopoulos wrote:

> Can I have an external authorization scheme based on ip addresses and hostnames?

Provided you have a method to find the hostname from the IP address, yes.

How to find the hostname depends on your type of network and how the stations register their hostnames with your network.

> Which authentication mechanism shall I use?

The above is not authentication, only authorization of stations.

Regards
Henrik
[squid-users] authentication question
Are the external authentication mechanisms based on already working authentication schemes? I mean, are they independent or are they based on NTLM authentication, for example, or any other authentication method?
Re: [squid-users] authentication question
Check out this link and the devel.squid-cache.org FAQ.

http://www.geekbunker.org/rodrigo/ip_user.html

> Are the external authentication mechanisms based on already working authentication schemes? I mean, are they independent or are they based on NTLM authentication, for example, or any other authentication method?
[squid-users] Authentication Question
Hello,

I have my squid configuration set to require authentication. Does anyone know how squid physically puts the box up requesting the username and password? I know squid passes the information put into this box to the selected authentication program (like ncsa_auth), but how does squid make the box display in the first place?

I would like to know this down at code level if possible. That is, what routine displays the login box and sends the information to the authentication program.

I am using ncsa_auth, and when I run the binary that compiled with squid from the command line with my passwordfile as an argument, i.e.,

    ./ncsa_auth /usr/local/squid/etc/passwd

it waits for me to enter a username/password pair separated by a space. If the username authenticates, ncsa_auth comes back with OK.

Now I assume that squid slurps in the username/password pair and calls ncsa_auth with the passwordfile and then passes the username/password pair and waits for the response. I just need to know where squid is doing all of this.

Thank you,
Murrah Boswell

--
*Before I criticize a man, I walk a mile in his shoes. That way, if he gets angry, he's a mile away and barefoot.
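
The exchange described in the message above, as an added example that is not part of the original post and is not Squid's or ncsa_auth's source: a proxy answers a request lacking credentials with a 407 status and a Proxy-Authenticate header, the browser draws the login box itself, and the returned Basic credentials are handed to a helper as one "user pass" line that is answered with OK or ERR. All function names, the user "alice" and the in-memory credential store are constructed for the illustration.

```python
import base64, hashlib, hmac, io

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store (stands in for the password file): user -> (salt, digest)
SALT = b"constructed-salt"
USERS = {"alice": (SALT, _digest("correct horse", SALT))}

def challenge(realm="proxy"):
    """Reply to a request without credentials; the browser draws the box on seeing it."""
    return ("HTTP/1.1 407 Proxy Authentication Required\r\n"
            f'Proxy-Authenticate: Basic realm="{realm}"\r\n\r\n')

def helper_line(header_value):
    """Proxy side: turn 'Basic <base64 of user:pass>' into the helper's input line.
    Simplification: Squid also URL-escapes both fields; here odd input is rejected."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user or any(c.isspace() for c in user):
        return None
    if "\n" in password or "\r" in password:
        return None
    return f"{user} {password}\n"

def helper(stdin, stdout):
    """Helper side: one 'user pass' line in, one OK or ERR line out."""
    for line in stdin:
        user, sep, password = line.rstrip("\n").partition(" ")
        salt, stored = USERS.get(user, (SALT, b""))
        # Hash even for unknown users and compare in constant time.
        ok = bool(sep) and hmac.compare_digest(_digest(password, salt), stored)
        stdout.write("OK\n" if ok else "ERR\n")
        stdout.flush()

def authenticate(header_value=None):
    """Challenge when credentials are absent or malformed, else ask the helper."""
    line = helper_line(header_value) if header_value else None
    if line is None:
        return challenge()
    out = io.StringIO()
    helper(io.StringIO(line), out)
    return out.getvalue().strip()
```

Basic credentials are only base64-encoded, so anyone who can read the traffic between browser and proxy can recover the password.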