RE: [squid-users] proxy_auth authentication exemption problem

From: Chris Robertson <crobertson@dont-contact.us>
Date: Thu, 7 Jul 2005 16:08:33 -0800

> -----Original Message-----
> From: Kenneth Oncinian [mailto:kenneth.oncinian@ph.panasonic.com]
> Sent: Wednesday, July 06, 2005 6:57 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] proxy_auth authentication exemption problem
>
>
> Hi list,
>
> I have a simple user based authentication using ncsa_auth, and the same
> time excluding authentication for some users using src IP address.
> This works fine, until I have a requirement which needs to ban some
> websites but not from some authenticated users.
>
> so my previous squid.conf is like this, and this works on the exemption
> of the user1, user2, and user3 from authenticating while prompting for
> others:
> ---------------------------------------------------------
> acl banned dstdomain "/usr/local/etc/squid/banned.txt"
>
> auth_param basic program /usr/local/libexec/ncsa_auth /usr/local/etc/squid/htpasswd
> auth_param basic children 50
> auth_param basic realm my domain
> auth_param basic credentialsttl 2 hours
>
> #acl of exempted IPs from authenticating using ncsa_auth
> acl user1 src 192.168.1.1/255.255.255.255
> acl user2 src 192.168.1.2/255.255.255.255
> acl user3 src 192.168.1.3/255.255.255.255
> acl password proxy_auth REQUIRED
>
> http_access allow user1
> http_access allow user2
> http_access allow user3
>
> http_access deny banned
> never_direct allow all
> never_direct allow password
> ------------------------------------
>
>
> But when I tried to change the squid.conf to:
> ------------------------------------
> acl banned dstdomain "/usr/local/etc/squid/banned.txt"
>
> auth_param basic program /usr/local/libexec/ncsa_auth /usr/local/etc/squid/htpasswd
> auth_param basic children 50
> auth_param basic realm my domain
> auth_param basic credentialsttl 2 hours
>
> #acl of exempted IPs from authenticating using ncsa_auth
> acl user1 src 192.168.1.1/255.255.255.255
> acl user2 src 192.168.1.2/255.255.255.255
> acl user3 src 192.168.1.3/255.255.255.255
> acl user4 proxy_auth username4 <--
> acl user5 proxy_auth username5 <--
> acl password proxy_auth REQUIRED
>
> http_access allow user1
> http_access allow user2
> http_access allow user3
>
> http_access allow user4 banned <--
> http_access allow user5 banned <--

Why are these two different? Shouldn't they read:

http_access allow user4
http_access allow user5

(without specifying "banned" on the end)?

> http_access deny banned
> never_direct allow all
> never_direct allow password

What's the point of specifically stating "never_direct allow password" AFTER "never_direct allow all"? Besides, never_direct only has an effect when using a parent proxy. It has nothing to do with sending traffic directly from the browser to the internet.

> -------------------------------------
>
>
> All users are then prompted for authentication including user1, user2
> and user3, there's no more exclusion in the ncsa_auth authentication.
> Where did I go wrong? Any hints or tips are greatly appreciated.
>

From the squid.conf.default:
# The browser will be challenged for authentication on the first
# [proxy_auth] acl encountered in http_access processing and will also be
# rechallenged for new login credentials if the request is being denied
# by a proxy_auth type acl.

While I don't see anything that would cause what you are describing, the whole picture is not shown. You imply that all users are required to authenticate, but (unless you are using the "never_direct allow password" to force this) I don't see where that requirement is made. If it turns out that you are using the never_direct (blah, blah) to force authentication, you shouldn't do it that way. Use an http_access rule instead (like "http_access allow password" after the "http_access deny banned").

>
> regards,
> Kenneth

Chris
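As an added illustration (not part of the thread), here is a small Python model of how Squid walks an http_access list, using the poster's ACL names and Chris's suggested "http_access allow password" rule. The banned list and password file are constructed stand-ins, and the evaluation semantics (AND within a line, first-match across lines, opposite-of-last-line default, 407 challenge when a proxy_auth ACL is reached without credentials) are assumptions modelled on the squid.conf.default comment quoted above.

```python
"""Toy model of Squid http_access evaluation (added example, not from the thread).
Assumed semantics: ACLs on one line are ANDed left to right, lines are first-match,
an unmatched list yields the opposite of the last line, and a proxy_auth ACL reached
without credentials triggers a 407 challenge (the squid.conf.default behaviour quoted)."""
from dataclasses import dataclass

BANNED = {"banned.example"}                    # constructed stand-in for banned.txt
USERS = {"username4", "username5", "someone"}  # constructed stand-in for htpasswd
@dataclass
class Request:
    src: str
    host: str
    user: str = ""  # "" means no Proxy-Authorization header sent yet

# acl name -> (type, value); names mirror the poster's squid.conf
ACLS = {
    "banned": ("dstdomain", BANNED),
    "user1": ("src", "192.168.1.1"),
    "user2": ("src", "192.168.1.2"),
    "user3": ("src", "192.168.1.3"),
    "user4": ("proxy_auth", {"username4"}),
    "user5": ("proxy_auth", {"username5"}),
    "password": ("proxy_auth", USERS),  # proxy_auth REQUIRED: any valid login
}
class NeedsAuth(Exception):
    """A proxy_auth ACL was evaluated with no credentials: Squid sends 407."""
def acl_matches(name, req):
    kind, value = ACLS[name]
    if kind == "src":
        return req.src == value
    if kind == "dstdomain":
        return req.host in value
    if not req.user:  # proxy_auth reached before any login
        raise NeedsAuth(name)
    return req.user in value

def http_access(rules, req):
    """rules: list of (action, [acl names]). Returns 'allow', 'deny' or '407'."""
    try:
        for action, acls in rules:
            if all(acl_matches(a, req) for a in acls):  # short-circuits like Squid
                return action
    except NeedsAuth:
        return "407"
    return "deny" if rules[-1][0] == "allow" else "allow"  # no match: opposite of last

POSTED = [("allow", ["user1"]), ("allow", ["user2"]), ("allow", ["user3"]),
          ("allow", ["user4", "banned"]), ("allow", ["user5", "banned"]), ("deny", ["banned"])]
SUGGESTED = POSTED + [("allow", ["password"])]  # Chris's http_access-based login rule
```

Running the model shows an exempt IP being allowed before any proxy_auth ACL is reached, while an unknown client hits the user4 line and is challenged; with the suggested rule appended, a valid login to a non-banned site is allowed by an http_access rule rather than by never_direct.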
Received on Thu Jul 07 2005 - 18:08:34 MDT
