Re: [squid-users] authenticate_program question

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 25 Nov 2002 08:55:51 +0100

Mark Orenstein wrote:

> The first is at an annoyance level. Until recently, all our client PC's have
> been W95/98. We just installed several new XP Pro PC's (with SP1 applied).
> When IE6 is invoked on an XP Pro PC, the browser security window is displayed.
> With the proper credentials being entered, a HTTP 404 page not found message is
> displayed. When the user clicks on the "go" button, the page is properly
> displayed and for the remainder of the browser interaction, all is ok. Does
> anyone have a suggestion?

This is due to a bug in MSIE. Microsoft is working on a fix. I dont have
the MSKB document number here, but you should find it in the last weeks
of Squid-user traffic.

> The second question is related to several administrators with dedicated PC's
> not wanting the security window to appear on their PC's. Is there any way to
> do this? My impression is that once an authenticate_program directive is
> included in the squid.conf file, squid always directs the browser to request
> credentials.

Yes you can.

authenticate_program only tells Squid which program to use IF it needs
to verify a username+password.

http_access determines when/if/why Squid will require a login. If Squid
while processing your http_access rules encounters a proxy_auth type acl
then if will require the user to log in.

To have a mixed setup where some users are allowed by IP address alone
and others need to log in, make sure your http_access rules first allow
the users by IP address, then by login.

# Allow static IP stations access without needing to login
acl src admin_ip 192.168.1.54 192.168.1.89 ...
http_access allow admin_ip

# Allow others access if they log in
acl login proxy_auth REQUIRED
acl local_networks 192.168.1.0/24 192.168.2.0/24 ...
http_access allow local_networks login

# Deny everyone else
http_access deny all
Received on Mon Nov 25 2002 - 01:03:17 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:33 MST