Re: [squid-users] Ntlm and url_regex

From: Michael Alger <squid@dont-contact.us>
Date: Mon, 22 Oct 2007 06:19:54 -0400

On Mon, Oct 22, 2007 at 11:44:17AM +0200, Alexandre Mackow wrote:
> Squid is running and works perfectly with an authentication
> based on AD (NTLM)...
> So for my users who are not fully authorized, I create an acl
> "acl sites_ok url_regex "/etc/squid/sitesok.list"
> http_access allow sites_ok"
>
> With 3 sites for everybody....
> The problem is that when a user is not authorized with NTLM and goes to
> a page authorized with url_regex, when a link is present on the
> page (I think), an authentication window opens... and the user
> has to click to pass the message.....

When a browser accesses a site, it will download all resources
required to display it. The main ones to look for are style sheets,
scripts, and embedded images and other types of media. You might
find the "Firebug" extension for Firefox is useful for identifying
all the things your browser is accessing in order to render a page.

You will need to permit unauthenticated access to every resource on
the page(s) you want to allow access to in order for a user to be
able to browse it without being prompted to authenticate.

Note that it's perfectly legitimate for some of the resources used
by a page to be located on a different server, and even a completely
unrelated domain. A good example is advertising scripts, which
typically live on an adhost's servers (e.g. doubleclick.net).

It's also possible that the browser is "pre-fetching" pages linked
to by the site, by following normal hyperlinks. Most browsers don't
do this "out of the box" though, only with the help of "internet
accelerator" type software. So while this is possible, the most
likely cause of the authentication popup is that the sites you're
allowing access to include references to media or scripts located on
other servers which you aren't allowing access to.

AFAIK, there's no way in squid to tell it to allow a site and
"everything on it". If working out what external resources the site
requires and permitting access to them is not an option (e.g. it's
outside of your control or changes frequently), you might be able to use
the "Referer" header from the client's request in an ACL -- but if you
can, you make it possible for anyone who's clever to access any site
without authenticating (the client can send whatever Referer header it
wants), which may be unacceptable.

A completely different option could be to use a tool to create a
local "mirror" of the site(s) you want to allow access to. Such a
tool would pull in all resources required to render the page and
store them on a local server. It would also rewrite the original
page to reference the local copies. Then you just need to permit
unauthenticated users access to your local mirror.

Received on Mon Oct 22 2007 - 04:20:03 MDT
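An added example, not part of Michael's reply and not Squid code: a small Python script that does mechanically what he suggests doing with Firebug. It takes the HTML of a page you want to allow, collects every URL the browser will fetch to render it (style sheets, scripts, images, frames, CSS url() references), reports which of those live on other hosts, and emits them as anchored entries for the url_regex list. Plain hyperlinks are deliberately left out, since a browser only follows those if it pre-fetches. The sample page, host names and file paths below are constructed for illustration.

```python
"""
Enumerate the resources a page pulls in, so each can be permitted in
Squid before NTLM authentication is required.  Example code written for
this thread; not from the original post or from the Squid project.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ResourceCollector(HTMLParser):
    # Tag/attribute pairs the browser dereferences while rendering.
    # <a href> is intentionally absent: links are not fetched unless
    # something pre-fetches them.
    LOAD_ATTRS = {
        "img": ("src",),
        "script": ("src",),
        "link": ("href",),      # stylesheets, favicons
        "iframe": ("src",),
        "embed": ("src",),
        "object": ("data",),
        "source": ("src",),
    }

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in self.LOAD_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                # Resolve relative references against the page URL.
                self.urls.append(urljoin(self.base_url, value))


# url(...) references in inline <style> blocks or style attributes.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")


def page_resources(html, base_url):
    """Return the sorted, de-duplicated absolute URLs the page loads."""
    parser = ResourceCollector(base_url)
    parser.feed(html)
    for m in CSS_URL.finditer(html):
        parser.urls.append(urljoin(base_url, m.group(1)))
    return sorted({u for u in parser.urls
                   if urlsplit(u).scheme in ("http", "https")})


def external_hosts(urls, base_url):
    """Hosts other than the page's own, e.g. ad or CDN servers."""
    own = urlsplit(base_url).hostname
    return sorted({urlsplit(u).hostname for u in urls
                   if urlsplit(u).hostname != own})


def url_regex_entries(urls):
    """One escaped, start-anchored regex per resource for sitesok.list.

    Only '^' is used so a query string appended to the same path still
    matches; add '$' if you want an exact match instead.
    """
    return ["^" + re.escape(u) for u in urls]


# Constructed sample page (hypothetical hosts and paths).
BASE_URL = "http://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://ads.example.net/show_ads.js"></script>
<style>body { background: url("/img/bg.png"); }</style>
</head><body>
<img src="images/logo.png">
<a href="http://www.example.com/other.html">next</a>
<iframe src="http://cdn.example.org/widget.html"></iframe>
</body></html>"""


if __name__ == "__main__":
    urls = page_resources(SAMPLE_HTML, BASE_URL)
    print("# resources fetched to render", BASE_URL)
    for entry in url_regex_entries(urls):
        print(entry)
    print("# external hosts:", ", ".join(external_hosts(urls, BASE_URL)))
```

The script only sees what is statically in the HTML; requests that scripts make at run time still show up only in something like Firebug, so check both before trusting the list. Squid's url_regex is case-sensitive unless the acl is given the -i flag, and the generated entries go into the file referenced by the existing sites_ok acl, which must be allowed before the proxy_auth acl in the http_access order. If you instead go down the Referer route, the same thread's caveat applies: a referer_regex acl matching the allowed page is trivially satisfied by a client that sets the header itself.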