Re: [squid-users] Squid with ACL

From: Amos Jeffries <squid3@dont-contact.us>
Date: Fri, 16 Nov 2007 11:05:55 +1300 (NZDT)

> On Nov 15, 2007 11:24 AM, Amos Jeffries <squid3@treenet.co.nz> wrote:
>>
>> polloxx wrote:
>> > Dear list,
>> >
>> > We have a squid proxy server with ACL filters: Unauthenticated users
>> > can only surf a restricted list of sites.
>> > Users who want to surf to all sites need to know the login+password.
>> >
>> > The problem is now that for many sites that load content from
>> > other sites (eg. Yahoo) users need to click cancel several times.
>> >
>> > How can I solve this?
>>
>> You can do one of three things:
>>
>> - stop blocking non-auth users
>>
>> - stop caring about non-auth users having to click
>>
>> - up the negative_auth_ttl, so the auth requests from squid get reduced
>> (auth user logging in with wrong password will be blocked for this
>> timeout so be wary)
>>
>> Squid cannot know who is allowed where before they auth
>> properly. There is no other way than auth TTL to prevent these re-auth
>> requests.
>>
>
> Thanks Amos,
>
> There's no workaround to that? Because it's the visiting (allowed)
> site that redirects the user to a (not allowed) site, mostly
> advertising sites. We want a solution where most users can only visit
> a limited number of sites. A number of users (BOD etc) may visit every
> site. Maybe squid isn't the right thing to use? Any suggestions?

Whatever is used will need to know who is authenticated and what they are
allowed to see. If one of the two key properties is not known then any
authorization cannot take place.

If the clients are behaving and adding Referer headers (completely
optional) you may get away with an ACL that checks the referrer is on the
accepted sites list. However, this will permit one link out of the secured
area to be taken by anyone, AND a bad client can easily forge Referer: to
get around all your protections.

With a lot of luck and some coding you could create something that
processes pages as they come in and lets certain URLs (i.e. img/object
hrefs) through, but either way it's a bigger risk than non-customer
annoyance.

Amos
Received on Thu Nov 15 2007 - 15:05:58 MST
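The Referer-based ACL Amos sketches above, written out as a squid.conf fragment. This is an added example, not configuration from the thread or from the Squid project; the site list file path and the domains in the referer_regex are constructed placeholders, and the rule order is what makes embedded sub-resources pass before the proxy_auth challenge is raised:

```conf
# Constructed example: whitelist of sites everyone may visit.
# The file path is an assumption; one domain per line, e.g. ".yahoo.com".
acl allowed_sites dstdomain "/etc/squid/allowed_sites.txt"

# Users who present valid credentials may go anywhere.
acl authenticated proxy_auth REQUIRED

# Requests whose Referer points back into an allowed site (constructed
# domains). This is the "referrer is on the accepted sites list" check:
# it lets ads/images embedded by an allowed page through WITHOUT triggering
# a 407 challenge. Referer is client-supplied and trivially forged, so this
# rule also opens exactly one hop out of the restricted area to anyone.
acl from_allowed_site referer_regex -i ^https?://([^/]+\.)?(yahoo\.com|example\.com)/

http_access allow allowed_sites
# Evaluated BEFORE the proxy_auth rule so unauthenticated browsers are not
# prompted for embedded content; move it below "authenticated" (or drop it)
# if the forged-Referer risk is not acceptable.
http_access allow from_allowed_site
http_access allow authenticated
http_access deny all
```

Logging the Referer in access.log (via a custom logformat) is the practical way to see how much traffic this rule is admitting and from which claimed origins.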
