Chris Robertson wrote:
-----Original Message-----
From: Oliver Hookins [mailto:[EMAIL PROTECTED]
Sent: Monday, February 07, 2005 2:42 PM
To: Henrik Nordstrom
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Can't see usernames in logs after enabling NTLM


Henrik Nordstrom wrote:

On Mon, 7 Feb 2005, Oliver Hookins wrote:

On my 2.5STABLE3 box I didn't explicitly have a http_access rule referring to the proxy_auth. I had one referring to the squid_ldap_group helper ACL though, and that seemed to work.

Correct.

Anyway, here's the list of ACLs and http_access lines so maybe you can see what I'm doing wrong on the 2.5STABLE7:

# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow allowedsites
http_access allow localhost
http_access allow SURFING
#
http_access allow AuthGroup
#

See "Squid FAQ 10.1 Access Controls - Introduction" for an in-depth description of how http_access works.

http://www.squid-cache.org/Doc/FAQ/FAQ-10.html

I've never quite understood it... hence my problem. Let me run this by you though. If the request is for one of the allowedsites or from the list of IP addresses in SURFING, the AuthGroup will never even be touched, so NTLM authentication is not activated?

This is correct.


So I should put http_access allow AuthGroup at the very top so that NTLM authentication is forced on all requests. Then if the request is neither from a user in the authorised LDAP group, nor from an IP address in SURFING, nor to an allowedsite (nor from localhost), it will be denied?

If you want all requests to be authenticated first, use "http_access deny !AuthGroup" at the top. That way any requests from sources that are not authenticated will be denied and asked for authentication. Requests that are authenticated will pass on down to the next ACL (not being explicitly denied, but not explicitly allowed either).

The authentication method is just passing through fakeauth to grab usernames anyway, so it's not quite authentication as such. But basically we want all requests to pass through fakeauth in order to grab usernames.

Then we want to:
* allow access to anyone who is authorised by LDAP group
* requests that aren't LDAP group authorised but ARE on the SURFING IP ACL list should be allowed
* requests that aren't LDAP authorised and aren't from an IP on the SURFING ACL but are to an allowedsite should be allowed
* deny everything else

http_access allow AuthGroup
http_access allow SURFING
http_access allow allowedsites
http_access deny all

Will that do it, and grab authentication details for every request?

When does Squid decide if it needs to activate the proxy_auth password required thing? During parsing of the configuration file or when a request is made?

Squid will ask for authentication (or not, based on ACLs) when a request is made. It will (perhaps obviously) decide whether it needs to start authentication helpers when parsing the config file.

Thanks, Oliver
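As an added illustration (not code from this thread or from Squid), a small Python model of Squid's first-match http_access evaluation that lets you compare the three orderings discussed above. The ACL names are the thread's; the hosts, addresses and user names are constructed, and the model simplifies Squid's behaviour by treating any test of an auth-dependent ACL on a request without credentials as an immediate 407 challenge.

```python
# Constructed illustration of Squid's first-match http_access evaluation.
# Not Squid's code: the ACL definitions are stand-ins for the thread's ACL
# names, and the hosts, addresses and user names are made up.
ALLOWED_SITES = {"intranet.example.com"}    # acl allowedsites dstdomain ...
SURFING_NETS = ("10.1.2.", "10.1.3.")       # acl SURFING src ... (prefix match)
LDAP_GROUP = {"alice", "bob"}               # names the squid_ldap_group helper would accept
AUTH_ACLS = {"AuthGroup"}                   # ACLs that need a username (proxy_auth / %LOGIN)

def acl_matches(name, req):
    """Evaluate one ACL against a request dict (src, host, optional user)."""
    if name == "all":
        return True
    if name == "localhost":
        return req["src"] == "127.0.0.1"
    if name == "allowedsites":
        return req["host"] in ALLOWED_SITES
    if name == "SURFING":
        return req["src"].startswith(SURFING_NETS)
    if name == "AuthGroup":
        return req.get("user") in LDAP_GROUP
    raise ValueError("unknown acl: " + name)

def http_access(rules, req):
    """Return 'allow', 'deny' or 'challenge' (407) for one request.

    rules: list of (action, [acl, ...]) in squid.conf order; a leading '!'
    negates an ACL. Simplification: testing an auth-dependent ACL on a
    request that carries no credentials ends evaluation with a challenge,
    so a request that never reaches such an ACL is never asked to log in.
    """
    for action, acls in rules:
        for acl in acls:
            negate = acl.startswith("!")
            name = acl.lstrip("!")
            if name in AUTH_ACLS and "user" not in req:
                return "challenge"
            if acl_matches(name, req) == negate:   # this ACL fails the line
                break
        else:                                       # every ACL on the line matched
            return action
    # no line matched: the default is the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The ordering Oliver posted (auth ACL last)...
ORIGINAL = [("allow", ["allowedsites"]), ("allow", ["localhost"]),
            ("allow", ["SURFING"]), ("allow", ["AuthGroup"])]
# ...the "deny !AuthGroup at the top" ordering from the reply...
DENY_FIRST = [("deny", ["!AuthGroup"])] + ORIGINAL
# ...and Oliver's proposed list: auth ACL first, explicit deny all at the end.
AUTH_FIRST = [("allow", ["AuthGroup"]), ("allow", ["SURFING"]),
              ("allow", ["allowedsites"]), ("deny", ["all"])]
```

The case worth running is an authenticated user who is not in the LDAP group but sits on a SURFING address: the deny-first list refuses that request on its first line, while the auth-first list lets it through on the SURFING line; both lists challenge a request that carries no credentials, whereas the original ordering lets an allowedsites request through without ever touching AuthGroup.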
