Ohn Pierre wrote:
>Hi,
>
>I have about 500 users going to internet through a RedHat server running
>squid (2.4 STABLE1). I also have a Lotus Notes server with a LDAP tree
>containing all the users (some users do not have the right to go to the
>internet, so there is a group, named 'internet', containing those users
>that can surf).
>
>When a user starts its browser, he got the traditional proxy
>authentication window asking his username/password combination. The
>authentication occurs on the LDAP server, and I also check if the user
>belongs to the 'internet' group. If everything is ok, the user can surf.
>
>To that point everything works great. But...
>
>here are my questions:
>- as I do not want to go on all the machines to configure the proxy
>settings of all the web browsers (which the user can always modify
>later....), I am looking for an automatic redirection of internet
>traffic to the proxy. I think the best solution is to use WCCP in the
>backbone (I forgot to mention, our active network equipment is all
>CISCO). If I do so, will I still be able to authenticate the users with
>the proxy ? If not does anybody have a suggestion ? (I have read
>proxy_auth does not work with transparent proxying).
>
I do not think that it does, all the docs say no... (This is what I
wanted to do)
What I have done instead is to use a .pac file which is loaded in the
settings within the browser.
I then have the proxy as the default route out (you could also just
redirect all internal traffic to a local web server) Using IPtables I
have a local redirect of all port out using port 80 to a web site served
by the proxy explaining to the user why they are here and in very basic
terms how to correct matters (i.e. how to restore the proxy settings)
i.e. automatic configuration url
This is for a few schools who all have authenticated access which then
runs on to Privoxy.
Example proxy.pac which I also stick on the local webserver / proxy machine
##############################
function FindProxyForURL(url, host) {
if ( isPlainHostName(host) ) {
return "DIRECT";
} else if (url.substring(0,5) == "http:" ||
url.substring(0,6) == "https:" ) {
return "PROXY squid.domain.org:3128; " + "DIRECT";
} else {
return "DIRECT";
}
}
###############################
Kind regards
Xander
>- does anybody knows if it possible to replace the classical proxy
>authentication window (which can be very little customized, just the
>proxy_auth_realm parameter is not enough) ? The idea would be to have
>some kind of html, perl, cgi... (or whatever) page appearing when the
>browser starts up. This page could be fully customized with the
>information of the company (logo, restriction applicable to the
>surf...). The authentication could then be done through this page (with
>a formulaire or something like that) or (perhaps easier), the
>authentication could happen with the standard proxy authentication
>window when the user tries to access the internet (again I do not want,
>if possible, to go on every machine to configure a particular homepage
>on the browser...).
>
>It is a bit difficult to explain... Thanks for the readers who reached
>the end of the mail.
>More thanks go the ones that can help :-)
>
>Pierre
>
>
>
Received on Thu Nov 21 2002 - 12:33:01 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:31 MST