RE: [squid-users] ACL Question from Jorge Cuellar Martinez on 2001-04-16 (squid-users)

From: Jorge Cuellar Martinez <jorge.cuellar@dont-contact.us>
Date: Mon, 16 Apr 2001 11:37:33 -0600

Yes, actually you can even allow some sites on the internet without
authentication and others with authentication...

You can bypass authentication for internal sites, but if you really want a
DIRECT connection you must use a pac, squid won't do it. Autoconf scripts
work with the newest IE and Netscape versions.

you should do something like this in your squid.conf file:

acl all src 0.0.0.0
acl intranet 90.0.0.0/8 #identifies a 90.X.X.X a class network on your
intranet
acl intranetdomain your.internal.domain #it identifies your intranet DNS
zone
users proxy_auth REQUIRED #defines that users must be authenticated
http_access allow all intranet # all incoming requests matching intranet
(IP) will be allowed without authentication prompt
http_access allow all intranetdomain # all incoming requests matching
intranetdomain (dns name) will be allowed without authentication prompt
http_access allow users #everything else will be allowed with authentication
prompt

i hope somebody corrects me if i'm wrong =)

This is colsely what you want to do with squid... but all your intranet
traffic will be passing through squid, i strongly recommend you the use of
an autoconf.pac file

-----Original Message-----
From: Mike Diggins [mailto:diggins@mcmail.cis.mcmaster.ca]
Sent: Friday, April 13, 2001 12:54 PM
To: squid-users@squid-cache.org
Subject: [squid-users] ACL Question

We're using a javascript autoconfig file (.pac) for autoconfiguring our
client's browser to use our Proxy server. The Proxy server is presently a
Netscape product but we're looking to switch to Squid.

The autoconfig scripts only work with some (mostly older) browsers. I was
thinking that Squid's ACL might be able to replace these scripts so they
work from any browser. Here's the criteria:

        . Only use the proxy to access Internet sites. All local sites
          should go direct (with no authentication prompt)
        . When an Internet site is requested, prompt for a username and
          password then go via the proxy

We use SMB_AUTH for our external authenticator which works. I can't figure
out how to only authenticate for external sites. Is this possible?

-Mike
Received on Mon Apr 16 2001 - 11:38:15 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:59:20 MST