[squid-users] Partial Authentication

From: Eberhard Pietzsch <pietzsch@dont-contact.us>
Date: Fri, 06 Feb 2004 11:24:07 +0100

Hi,

I would be very pleased about a hint that solves our following
problem. It seems simple but I could not yet find a squid
configuration that works.

We have a list of about 12,000 hostnames. Users should be forced
to authenticate if they request a URL from one of these hosts.
Any other host in the internet not contained in the list should
be accessible without authentication.

We have tried the following configuration using two squid proxies:

- Proxy A (located in the computing center) should be the proxy
   which is publicly available to our user community. Users
   should configure their browsers to use this proxy.

   Proxy A should test if a requested hostname is contained in our
   list mentioned above. If not contained, proxy A should forward
   the request directly to the host in question.

   If contained in the list, proxy A should forward the request to
   proxy B as a peer.

- Proxy B (located in the library) has an authentication scheme
   using squidguard. I should mention that, from the performance point
   of view, proxy B is unable to route all the traffic of our community.
   It can only handle requests to hosts contained in our list.

Proxy B works fine. Proxy A causes problems.

Up to now we have tested two different configurations of proxy A.
None of these works. Our first try was:

external_acl_type restricted-area %DST \
   /usr/local/squid/bin/check-if-restricted
acl our-community src xxx.yyy.0.0/255.255.0.0
acl restrictedacl external restricted-area
http_access allow our-community
http_access deny all
cache_peer_access proxy-b.our-domain.de allow restrictedacl

The problem with this is that the program check-if-restricted,
which checks if the host is contained in our list, is never
called, neither for hosts in our list nor for other
hosts.

Our second try was to use squidguard also for proxy A. Here,
the acl control rules from squidguard cannot be reused within
squid (as far as I know).

Can any of you give me a hint?

Thanks from Frankfurt,
Eberhard

-- 
Dr. Eberhard Pietzsch
Stadt- und Universitätsbibliothek Frankfurt a.M.
Elektronische Dienste
Bockenheimer Landstr. 134-138
D - 60325 Frankfurt am Main
Tel.: (+49) 69 212 44 505
Received on Fri Feb 06 2004 - 03:18:05 MST
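
For reference, an added sketch (not part of the original message, and not the poster's check-if-restricted program) of a helper that speaks Squid's external ACL helper protocol for a %DST format: one request line in, one OK or ERR reply line out. The sample hostnames, the parent-domain matching and all function names are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Sketch of an external ACL helper in the role of check-if-restricted."""
import sys

# Constructed sample entries; a real list (~12,000 names) would be read from a file.
SAMPLE_RESTRICTED = ["journals.example.org", "db.example.com  # licensed database"]


def normalize(host):
    """Lower-case and drop a trailing dot so equivalent spellings compare equal."""
    return host.strip().lower().rstrip(".")


def load_hosts(lines):
    """Build the lookup set, skipping blank lines and '#' comments."""
    hosts = set()
    for line in lines:
        entry = normalize(line.split("#", 1)[0])
        if entry:
            hosts.add(entry)
    return hosts


def is_restricted(dst, hosts):
    """True if dst, or any parent domain of dst, is listed (assumed policy)."""
    labels = normalize(dst).split(".")
    return any(".".join(labels[i:]) in hosts for i in range(len(labels)))


def answer(line, hosts):
    """Map one request line (the %DST value) to the reply Squid expects."""
    fields = line.split()
    if not fields:
        return "ERR"  # empty request: ACL does not match
    return "OK" if is_restricted(fields[0], hosts) else "ERR"


def serve(stdin, stdout, hosts):
    """One reply per request line, flushed so Squid is never left waiting."""
    for line in stdin:
        stdout.write(answer(line, hosts) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, load_hosts(SAMPLE_RESTRICTED))
```
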
