FW: [squid-users] Proxy authentication - PXY1

Hi All,

A long time ago I asked the question about forcing a user to receive a
policy page that they must accept on before they are prompted to
authenticate. At that time I was using a SUSE installed Squid2.4 STABLE7
version. I have now taken the Squid 2.5 STABLE1 copy from the
squid-cache.org website. Bearing in mind I am new to Linux/Squid what is it
I have to do to make an external_acl_type to filter out requests without
authentication. Would this helper be yet another executable I would have to
develop (I am not a C person either) or could it be a script. Can you just
spell out a little more the order of the acls in the squid.conf file and
what each piece of the puzzle would do. I have seen the new auth_param
directive and the external_acl_type but am unsure of how deep I have to go
to make this a flier.

I would appreciate any reply in layman's language given my experience of
Linux is 5 weeks and of squid 3 weeks. Is what you are saying is that I will
be able to detect if the HTTP header contains a username/password
combination and then redierect through deny_info to a policy page, or is
that too simplistic. Any help greatfully received.

Cheers Dave O.

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: 06 February 2003 08:47
To: Robert Collins
Cc: David O'Sullivan; 'squid-users@squid-cache.org'
Subject: Re: [squid-users] Proxy authentication - PXY1

Robert Collins wrote:

> Requests without authentication are redirected to the policy page, with
> the original page in a cookie/form submission. The policy page sets a
> cookie "POLICY ACCEPTED" when the user accepts the policy. The policy
> web server *must* be accessed via squid.
>
> When a request to the policy webserver, with a policy accepted cookie,
> is seen, authentication is triggered, and the user redirected back to
> the originally requested page.
 
Yes, this looks like it might be done.

external_acl_type can be used to filter out requests without proxy
authentication, or a extension acl can be written within Squid to do the
same. deny_info url capability of Squid-3 (also available as a patch to
Squid-2.5) can then be used to redirect the request to the policy page.

The same scheme can also be used to IP based session timers, having an
external_acl_type acting as a filter on which requests may need to be
sent to the policy page, and the cookie as the definite filter on which
users have accepted the policy or not.

Regards
Henrik

This e-mail and its attachments are confidential and intended solely for the
addressee. If you are not the intended addressee, you must not disclose,
forward, copy or take any action in respect of this email or any
attachments. If you have received this e-mail in error, please delete it and
notify the sender. While ADM and Optecon have taken every reasonable
precaution to minimise this risk, we cannot accept liability for any damage,
which you may sustain as a result of software viruses. You should carry out
your own virus checks before opening the attachment.
Received on Tue Feb 25 2003 - 03:41:20 MST