Andrew Struiksma wrote:
Here is the main part of my config:
http_port 80 defaultsite=site.company.org https_port 443
cert=/etc/ssl/certs/company.org.cert \
key=/etc/ssl/certs/company.org.key \
defaultsite=site.company.org
cache_peer site.company.org parent 443 0 no-query \
originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel acl
our_sites dstdomain site.company.org acl all src 0.0.0.0/0.0.0.0
auth_param basic program /usr/lib/squid/ldap_auth \
-R -b "dc=company,dc=org" -D
"cn=squid_user,cn=Users,dc=company,dc=org" \
-w "password" -f sAMAccountName=%s -h 192.168.1.2
auth_param
basic children 5 auth_param basic realm Our Site auth_param basic
credentialsttl 5 minutes
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access allow our_sites
If I understand you correctly that should be:
http_access allow our_sites ldap_users
http_access deny all
cache_peer_access myAccel allow our_sites
Andrew
That config should be do it.
Perhapse a "never_direct allow our_sites" to prevent
non-peered traffic.
OK. I'll add in those options. Currently, if a user connects on port 80 they
are not forwarded to port 443 until after logging in and actually clicking a
link on the website. They then are prompted to login a second time on port 443.
Can Squid redirect to port 443 immediately before login or do I need to setup
Apache to do this?
Ah, now it sounds like you believe or need one thing and your config is
doing yet another.
Fortunately they are easy to do:
At the top of the config after "http_port 80" add these:
acl port80 myport 80
deny_info https://site.company.org port80
http_access deny port80
That will cause squid itself to send a 3xx moved fake 'error' message to
all port 80 requests. The users browser will then automatically
re-connect to port 443 before being asked to login.
NP: for anyone else trying to copy this: it only works on one domain
name at a time. Needs adjustment for virtual-hosted setups.
Can I add in an ACL to permit users from certain IP ranges to access the site
with having to authenticate to LDAP? I'm thinking about sending all users
through Squid but I don't want to force users on our LAN to have to
authenticate.
Yes. Just chain the acl names properly. An http_access allow line before
one that requires auth should do it.
http_access are checked top-down and first to match causes allow/deny.
They can be thought of as a boolean expression:
http_access allow/deny if a AND b AND c AND d
OR
http_access allow/deny if a AND b AND !d (! being NOT)
Amos
--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
