On 30/03/2012 11:45 p.m., Jasper Van Der Westhuizen wrote:
Hi everyone

I've been struggling to get a very specific setup going.

Some background:  Our users are split into "Internet" users and "Non-Internet" 
users. Everyone in a specific AD group is allowed to have full internet access. I have two SQUID 
proxies with squidGuard load balanced with NTLM authentication to handle the group authentication. 
All traffic also then gets sent to a cache peer.

This is basically what I need:
1. All users (internet and non-internet) must be able to access sites in 
"/etc/squid/lists/whitelist.txt"
2. If a user wants to access any external site that is not in the whitelist 
then he must be authenticated. Obviously a non-internet user can try until he 
is blue in the face, it won't work.

These two scenarios are working 100%, except for one irritating bit. Most of 
the whitelisted sites have got linked websites like facebook or twitter or 
youtube in them that load icons and graphics or ads etc. This causes an 
auth-prompt for non-internet users. I can see the requests in the logs being 
DENIED.

The only way I could think of getting rid of these errors was to implement a 
"http_access deny !whitelist" after the allow. This works great for 
non-internet users and it blocks all the linked sites without asking to authenticate, but 
obviously this breaks access to all other sites for authenticated users (access denied 
for all sites).

You can use the "all" hack and two login lines:

http_access allow whitelist
# allow authed users, but don't challenge if missing auth
# (the trailing "all" means the line simply fails to match when no
# credentials are present, instead of sending a 407 challenge)
http_access allow authed all
# block access to some sites unless already logged in
http_access deny blacklist
# "authed" is the last ACL here, so this line does send the challenge
http_access deny !authed


The authed users may still have problems logging in if the first site they visit is one of the "blacklist" ones. But if they visit another page first they can login and get there.


Amos

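For readers wanting the complete picture, here is the ACL/http_access layout Amos describes written out as a full squid.conf fragment. This is an added example, not part of the thread and not configuration Amos or Jasper posted: the whitelist path is the one Jasper gave, while the blacklist file path, its contents, the ntlm_auth helper invocation and the final "deny all" are assumptions for illustration.

```conf
# Added example (not from the list thread). Assumptions are marked.

# NTLM against AD via the Samba helper (assumed helper path/arguments).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# Sites everyone may reach (path taken from Jasper's mail).
acl whitelist dstdomain "/etc/squid/lists/whitelist.txt"
# Third-party sites that whitelisted pages embed (assumed path; one domain
# per line, e.g. ".facebook.com" ".twitter.com" ".youtube.com" so that
# subdomains such as static.ak.facebook.com match too).
acl blacklist dstdomain "/etc/squid/lists/blacklist.txt"
# Matches only when the request carries valid proxy credentials.
acl authed proxy_auth REQUIRED

# 1. Whitelisted sites: allowed for everyone, no credentials involved.
http_access allow whitelist

# 2. Authenticated users get everything else. Because "all" follows the
#    auth ACL, a request WITHOUT credentials makes this line not match
#    rather than triggering a 407 challenge; evaluation continues below.
http_access allow authed all

# 3. Embedded-widget sites: denied outright for anyone who got this far
#    (i.e. not yet authenticated). A non-internet user's browser fetching
#    facebook icons from a whitelisted page sees a plain DENIED in
#    access.log and no login prompt.
http_access deny blacklist

# 4. Everything else: the auth ACL is last, so this line issues the 407
#    challenge. Once the browser resends with credentials, rule 2 matches
#    on the retried request. Non-internet users fail here forever.
http_access deny !authed

# Safety net (assumed; standard practice so nothing falls through).
http_access deny all
```

The caveat Amos gives applies unchanged: an internet user whose first request goes to a blacklist domain is denied by rule 3 before rule 4 ever challenges them, so they must hit some non-whitelisted, non-blacklisted page first to get logged in. Test a change like this with `squid -k parse` before reloading, and watch access.log for TCP_DENIED entries on the blacklisted domains to confirm the prompts are gone.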