Find the answer to your Linux question:
Results 1 to 3 of 3
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1

    Squid transparent authentication

    I have configured squid to use samba and windows authentication, transparent to the user, but now want to take this further. Not everyone here requires Internet access, so when someone tries to go to the Internet, but isn't in a security group in AD, how can I tell squid to prompt for authentication. Some systems have multiple users, but just one windows login, so those systems need to ask the user for authentication, where the majority of the workstations, can use the windows authentication.

    Any help would be great.

    Thank you,

    # Changed the default to port 8080
    http_port 8080

    icp_port 0

    # added for our firewall http proxy as the next hop
    cache_peer parent 8080 0 no-query default

    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    emulate_httpd_log on

    # added for smartfilter and authorization
    smartfilter_state on
    smartfilter_config /usr/local/squid/etc/config.txt
    smartfilter_userinfo_program /usr/local/squid/libexec/sf_userinfo -f /usr/local/squid/etc/config.txt
    smartfilter_userinfo_children 5

    # added for our dns server
    dns_nameservers xxx.yyy.zzz.14 xxx.yyy.zzz.15

    # added for AD authentication
    auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 30
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src

    # added for our firewall http proxy
    never_direct allow all

    acl manager proto cache_object
    acl localhost src
    acl to_localhost dst
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl CONNECT method CONNECT

    # added for AD authentication
    acl AuthorizedUsers proxy_auth REQUIRED
    http_access allow all AuthorizedUsers

    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access deny all
    http_reply_access allow all
    icp_access allow all
    coredump_dir /var/spool/squid

  2. #2
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    North Carolina
    I was under the impression that squid wasn't able to prompt for authentication when running in transparent mode. prompting for auth and being transparent don't really go together.

    as for restricting certain people, is this in a shared computer situation or could you block a whole computer from accessing the internet, if its not a shared situation then blocking based on hostname or IP will probably be the best if you are running squid transparent.

    at least that was the assumptions I have been under


    maybe I read that wrong, you aren't running a transparent proxy but are trying to use windows credentials transparent to the user.

    I am not sure if squid can read AD permission, but I have used msntauth for authenticating against AD and it has 2 files where you can allow and deny access. not sure how much that helps but it does give you another direction to look

  3. #3

    Thank you

    I am not really running squid in transparent mode, I am however trying to make it easier on the user so they don't have to authenticate to the Internet if they are in a "standard internet" security group, I have been able to verify if a user is a member of the group using squid_ldap_group helper, but don't have it in the squid.conf at the moment. I think you have given me some direction though.

    The computers that I am talking about are shared so the host or IP blocking won't work.

    I will let everyone know if I get this working the way I want.

    Thank you,

  4. $spacer_open

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts