[squid-users] RE: redirect authenticate and surf

James Ambursley writes:
>
> I would like non authenticated users to be rediercted to an internal
> site and have no access. I would like users when they initially
> connect to be redirected to a internal web site. Then they will
> authenticate with a link on the web site via radius and then surf.
> Squidguard redirects users to the internal site. After the users
> authenticate they should be allowed to surf freely.

I'm not the best source of information on authentication (since I've
never used it), but it doesn't look like the people who do use
authentication are going to help you.

I think what you are trying to set up is "authentication", plain and
simple. I think the main difference between your authentication
and the authentication used by others here is you are using radius.
I did a little reading on squid/radius authentication
<http://selm.www.cistron.nl/authtools/>, and I don't think radius
changes the overall authentication process. Sure, the authentication
program/helpers are different, but I think the process remains the
same.

It is not uncommon for squid to receive a request from a user who
has not yet been authenticated, but whose acl requires authentication.
I'll never say "never", but I've been reading the squidGuard mailing
list for going on 3 years, and I can't remember a single time where
someone was using squidGuard to redirect to the authenticator. I
think you are trying to manually construct something that can
happen automatically.

Hopefully someone familiar with authentication will jump in and
straighten us out.

Rick
>
>
> -----Original Message-----
> From: Rick Matthews [mailto:Rick@Matthews.net]
> Sent: Monday, March 17, 2003 10:00 PM
> To: James Ambursley
> Cc: Squidguard@Squidguard. Org
> Subject: RE: redirect authenticate and surf
>
>
> James Ambursley writes:
> >
> > Please help, I would like to have users authenticate, via radius
> > and redirect to a page. Only authenticated users can surf freely.
> > All users are redirected to the page, then authenticate, then surf
> > freely.
>
> If I am interpreting correctly, the two important points from your
> statements above are:
>
> > users authenticate via radius
> > Only authenticated users can surf freely.
>
> Is that meant to be different from "Only authenticated users are
> allowed access"? Do you want to allow limited access to
> non-authenticated users?
>
> What part do you want squidGuard to play in this?
>
> Does your squid configuration authenticate properly without
> squidGuard? (comment out redirect_program)
>
> > I have tried many combinations, and none work.
>
> I guess I need to better understand what you are trying to do. Squid
> can handle authentication and access control. Get that part working
> first before you factor squidGuard into the mix.
>
> > My redirector is squidguard. I have been able to redirect, but
> > users at the page are only able to surf to pages which I preset in
> > my list file.
>
> That's exactly what you told squidGuard to do in squidGuard.conf:
> - You haven't defined any source groups, so everyone is processed
> under the default acl.
> - The default acl is "pass test none". This says to allow access
> to the test destination group, which you said includes 4 domains.
> - If the incoming request is not for one of those 4 domains, you've
> told squidGuard to redirect anybody and everybody to:
> "http://10.190.1.86/?"
>
> Please provide additional information so that we can help.
>
> Rick
>
>
>
>
>
> > _________________________________________________________
> > My squid.conf is below:
> >
> > http_port 80
> > icp_port 80
> > httpd_accel_host 10.190.1.86
> > acl acceleratedHost dst 127.0.0.1/255.255.255.255
> > httpd_accel_port 80
> > httpd_accel_host 127.0.0.1
> > udp_incoming_address 0.0.0.0
> > udp_outgoing_address 255.255.255.255
> > hierarchy_stoplist cgi-bin ?
> > #acl QUERY urlpath_regex cgi-bin \?
> > acl QUERY url_regex cgi-bin \?
> > no_cache deny QUERY
> > no_cache deny acceleratedHost
> > #requests for localhost not going to peer
> > always_direct allow acceleratedHost
> > cache_dir ufs /usr/local/squidtest/var/cache 100 16 256
> > cache_access_log /usr/local/squidtest/var/logs/access.log
> > cache_log /usr/local/squidtest/var/logs/cache.log
> > log_ip_on_direct on
> > pid_filename /usr/local/squidtest/var/logs/squid.pid
> > hosts_file /etc/hosts
> > cache_effective_user squid
> > cachemgr_passwd secret password
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> > negative_ttl 2 minutes
> > emulate_httpd_log on
> > #
> > #USER ACCESS PART
> > auth_param basic program /opt/squid/auth/bin/squid_rad_auth -c /opt/squid/auth/etc/squid_rad_auth.conf
> > auth_param basic children 10
> > #auth_param basic realm MY Squid proxy-caching server
> > auth_param basic credentialsttl 1 minutes
> > redirect_program /usr/local/squidguard/bin/squidGuard -c /usr/local/squidguard/squidguard.conf
> > redirect_children 20
> > #acl foo proxy_auth REQUIRED
> > #acl foo proxy_auth username
> > #http_access allow foo
> > #acl daytime time 08:00-17:00
> > #authenticate_ttl 30 seconds
> > #
> > acl allowed_hosts src 10.190.1.0/255.255.255.0
> > acl all src 0.0.0.0/0.0.0.0
> > http_access allow allowed_hosts
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 110 # pop3
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 563 # https, snews
> > acl Safe_ports port 25 # smtp
> > #acl Safe_ports port 70 # gopher
> > #acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > #acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > #http_access allow redirect_access
> > #http_access allow foo
> > http_reply_access allow Safe_ports
> > icp_access allow Safe_ports
> > visible_hostname MYSQUID
> > httpd_accel_single_host on
> > httpd_accel_with_proxy on
> > forwarded_for on
> > log_icp_queries on
> > error_directory /usr/local/squidtest/share/errors/English
> > ie_refresh off
> > #http_access allow bar
> > http_access allow all
> > http_access allow localhost
> > http_access allow acceleratedHost
> > #http_access allow acceleratedPort
> > http_access allow Safe_ports
> > http_access allow localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > _______________________________________________________________
> >
> > my squidguard.conf is below
> >
> > logdir /usr/local/squidguard/logs
> > #dbhome /usr/local/squidguard/db
> > dest test {
> > domainlist /usr/local/squidguard/list
> > }
> >
> > acl {
> > default {
> > pass test none
> > redirect http://10.190.1.86/?
> > }
> > }
> >
> > My allowed list:
> >
> > more /usr/local/squidguard/list
> >
> > excite.com
> > winproxy.com
> > buy.com
> > imgfarm.com
> >
> >
>
Received on Wed Mar 19 2003 - 09:09:11 MST