Re: [squid-users] forwarding domain requests with login

From: Simon White <simon@dont-contact.us>
Date: Thu, 28 Mar 2002 15:21:19 +0000

I'm just trying to clear this up in my head, and putting some thoughts
into writing for clarification for others, perhaps.

28-Mar-02 at 15:33, Van Bossche Koen (Koen.VanBossche@KONE.com) wrote :
> acl course dstdomain "/etc/squid/coursedomains"
> acl internetacl proxy_auth REQUIRED
> acl courseusr proxy_auth "/var/squid/auth/course-users"

course = those domains which are listed in the file coursedomains
courseusr = those users listed in the file course-users

> cache_peer_access 138.249.161.5 allow course courseusr

Allow if both domain in coursedomains and user in course-users

> cache_peer_access 138.249.118.136 allow course !courseusr

Allow only if in coursedomains but not course-users
 
> http_access allow course

Allow those domains which are listed in the file coursedomains

> http_access allow courseusr

Allow those users listed in the file course-users

> http_access allow internetacl

Allow everything, with authentication

> http_access deny all

And keep out hijackers

> I have no errors but the forwarding to the other proxy does not work. Any
> suggestions what I might be doing wrong?

Err... I think that what you need is:

cache_peer_access 138.249.118.136 allow internetacl !courseusr

i.e.: Those users who are NOT in courseusr may authenticate and go
anywhere, but course-users cannot even try to authenticate to get out
anywhere.

Note: never have a policy where discovery of a separate proxy or a
password kept in a plaintext file (squid.conf) will wreck all the complex
rules you set up to fix web surfing to a specific ruleset. Make it
impossible to work it out. Only let the other proxy work as a parent to
the proxy from which your config in the mail comes.

-- 
[Simon White. vim/mutt. simon@mtds.com. GIMPS:58.62% see www.mersenne.org]
In a time of universal lies, telling the truth is a revolutionary act.
  -- George Orwell
[Arbitrary quotes signature rotation, a simple bash script by Simon White]
Received on Thu Mar 28 2002 - 08:21:22 MST
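
Added example, not part of the original message or of Squid itself: a small Python model of how the cache_peer_access lines discussed above pick a parent for a request that already carries valid proxy credentials. The domain names, user names and the evaluation model (ACLs on one line ANDed, first matching line wins, default is the opposite of the last line) are assumptions of this sketch, as is reading the suggested line as a replacement for the second cache_peer_access line.

```python
# Simplified model of Squid access lists (an assumption of this example):
# ACL names on one line are ANDed, lines are checked top-down, the first
# matching line decides, and if none matches the result is the opposite of
# the last line's action. Only authenticated requests are modelled.

COURSE_DOMAINS = {"course.example"}   # constructed stand-in for coursedomains
COURSE_USERS = {"student1"}           # constructed stand-in for course-users

ACLS = {
    "course": lambda req: req["domain"] in COURSE_DOMAINS,
    "internetacl": lambda req: bool(req["user"]),   # proxy_auth REQUIRED
    "courseusr": lambda req: req["user"] in COURSE_USERS,
}

def line_matches(terms, req):
    # A leading "!" negates the named ACL; every term must hold.
    return all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms)

def decide(rules, req):
    for action, terms in rules:
        if line_matches(terms, req):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def allowed_peers(peer_rules, req):
    return sorted(p for p, r in peer_rules.items() if decide(r, req) == "allow")

# The two cache_peer_access lines as posted in the quoted config.
ORIGINAL = {
    "138.249.161.5": [("allow", ["course", "courseusr"])],
    "138.249.118.136": [("allow", ["course", "!courseusr"])],
}
# Same, with the second line swapped for the one suggested in the reply.
SUGGESTED = {
    "138.249.161.5": [("allow", ["course", "courseusr"])],
    "138.249.118.136": [("allow", ["internetacl", "!courseusr"])],
}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for user in ("student1", "staff1"):            # constructed users
            for domain in ("course.example", "news.example"):
                req = {"user": user, "domain": domain}
                print(name, user, domain, allowed_peers(cfg, req) or "no peer")
```

A request that ends with "no peer" has no parent it is permitted to use under these lines; what Squid does next depends on directives not shown in the mail.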
