Re: [squid-users] Squid Authentication

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 10 Oct 2007 10:38:56 +1300 (NZDT)

> I do some volunteer support for a high school which uses a squid proxy
> with NTLM authentication for their students. I inherited this system
> and know very little about it and was hoping someone might be able to
> help modify the squid config file to skip authentication for certain
> domains. Reading the FAQ it appears the proxy_auth key must be used but
> I have to admit I'm not sure how.
>
> The school has some anti-virus software that needs to update with http
> traffic. It supports proxy connections but does not support
> authentication and so I need to always allow access to the domains:
> http://espl.authentium.net <http://espl.authentium.net/>
> http://www4.authentium.com <http://www4.authentium.com/>
>

Ah, okay. Ignore the authentication. Squid sees it as just one more
true/false flag to check.
Each *_access line is checked in the order you write them. All you have to
do is place the http_access at the right position.

> Currently the authentication portion of the config file looks like this:
>
> #NTLM
> auth_param basic program /usr/lib/squid/smb_auth -W glcc -U 192.x.x.x
> auth_param basic children 10
> auth_param basic realm Squid Proxy Server
> auth_param basic credentialsttl 2 hour
> acl password proxy_auth REQUIRED
>
> http_access deny !Safe_ports

Right here in the config (before the password is checked below).
What you want is to define an acl with type dstdomain listing the home
domains that AV tries to connect to.

# Matches espl.authentium.net and www4.authentium.com from the question
acl authentium dstdomain .authentium.net .authentium.com
http_access allow localnet authentium

(I assume you have a localnet acl defining the internal network ranges;
bypassing auth will need it to stay secure.)

> http_access allow password
> http_access deny all
>

Amos
Received on Tue Oct 09 2007 - 15:39:00 MDT
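
The ordering rule from the reply above, as an added example that is not part of the original message and is not Squid's own code: a simplified Python model of http_access first-match evaluation, showing that the dstdomain bypass only takes effect when it sits before the proxy_auth line and that the localnet condition keeps outside sources on the authenticated path. The localnet range, the Safe_ports subset and the sample request are constructed assumptions.

```python
import ipaddress

# Constructed assumptions: internal range, a subset of Safe_ports, AV update domains.
LOCALNET = ipaddress.ip_network("192.168.0.0/16")
SAFE_PORTS = {80, 443}
AV_DOMAINS = (".authentium.net", ".authentium.com")

class AuthChallenge(Exception): """Raised when proxy_auth is checked without credentials."""

def dstdomain(host, patterns):
    # A leading dot matches the domain itself and any subdomain.
    return any(host == p[1:] or host.endswith(p) for p in patterns)

def acl_matches(name, req):
    negate, name = name.startswith("!"), name.lstrip("!")
    if name == "password":                 # acl password proxy_auth REQUIRED
        if req.get("user") is None:
            raise AuthChallenge()          # Squid answers 407 here
        hit = True
    elif name == "all":
        hit = True
    elif name == "localnet":
        hit = ipaddress.ip_address(req["src"]) in LOCALNET
    elif name == "Safe_ports":
        hit = req["port"] in SAFE_PORTS
    elif name == "authentium":
        hit = dstdomain(req["host"], AV_DOMAINS)
    else:
        raise ValueError(f"unknown acl {name}")
    return hit != negate

def http_access(rules, req):
    """First line whose ACLs all match decides; ACLs on a line are ANDed left to right."""
    try:
        for action, *acls in rules:
            if all(acl_matches(a, req) for a in acls):   # stops at first non-matching ACL
                return action
    except AuthChallenge:
        return "407 auth required"
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

BYPASS_FIRST = [("deny", "!Safe_ports"), ("allow", "localnet", "authentium"),
                ("allow", "password"), ("deny", "all")]
BYPASS_LAST = [("deny", "!Safe_ports"), ("allow", "password"),
               ("allow", "localnet", "authentium"), ("deny", "all")]
av_update = {"src": "192.168.1.20", "host": "espl.authentium.net", "port": 80, "user": None}
```

With BYPASS_FIRST the unauthenticated updater is allowed; with BYPASS_LAST the same request hits the proxy_auth check first and gets a 407.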
