RE: [squid-users] Don't require auth for some sites

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 4 Feb 2005 13:31:34 -0900

> -----Original Message-----
> From: Matt Alexander [mailto:lowbassman@gmail.com]
> Sent: Friday, February 04, 2005 1:05 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Don't require auth for some sites
>
>
> I have Squid configured to authenticate users to our Active Directory
> and verify that they're in the "Internet" group before allowing access
> to the web.
>
> However, there are some URLs that we want anyone to access without
> requiring authentication. How would I configure Squid to bypass the
> authentication acl for a list of sites, such as *.foo.com, bar.com,
> and 172.16.*?
>
> Here's the config:
>
> http_port 8080
> icp_port 0
> cache_peer 127.0.0.1 parent 2543 7 proxy-only no-query no-netdb-exchange login=*:nopassword default
> maximum_object_size 25600 KB
> cache_dir aufs /var/spool/squid 500 16 256
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 20
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 30 minutes
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Web Proxy
> auth_param basic credentialsttl 2 hours
> acl ads dstdom_regex -i "/etc/squid/adservers"
> http_access deny ads
> external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl allow_url dstdomain .foo.com bar.com
acl allow_ip dst 172.16.0.0/255.255.0.0
http_access allow allow_url
http_access allow allow_ip

> acl internetusers external nt_group internet
> http_access allow internetusers
> half_closed_clients off
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443
> acl CONNECT method CONNECT
> acl PURGE method PURGE
> http_access allow PURGE localhost
> acl winbind proxy_auth REQUIRED
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> forwarded_for off
> never_direct allow all
> coredump_dir /var/spool/squid

Add the above acls and http_access lines at the point specified, and those
domains and IPs will be allowed access without prompting for authentication.

Chris
Received on Fri Feb 04 2005 - 15:31:35 MST
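
Why the insertion point matters, as an added example that is not part of the original message: Squid checks http_access lines top to bottom and the first match decides, so the unauthenticated allows only take effect if they sit above the line that uses the %LOGIN-based group ACL. The Python below is a simplified model, not Squid code; the ACL names come from the message, while the request fields, the two rule lists, and the sample hosts and addresses are constructed.

```python
import ipaddress

class NeedsLogin(Exception):
    """Raised when an ACL needs credentials the request does not carry."""

def dstdomain(*patterns):
    # ".foo.com" matches foo.com and any subdomain; "bar.com" matches bar.com only
    def match(req):
        host = req["host"].lower()
        return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
                   for p in patterns)
    return match

def dst(cidr):
    net = ipaddress.ip_network(cidr)  # 172.16.0.0/255.255.0.0 is 172.16.0.0/16
    return lambda req: ipaddress.ip_address(req["ip"]) in net

def nt_group(group):
    # Model of an external ACL fed by %LOGIN: no credentials means a 407 challenge
    def match(req):
        if req.get("user") is None:
            raise NeedsLogin
        return group in req.get("groups", ())
    return match

ACLS = {"allow_url": dstdomain(".foo.com", "bar.com"),
        "allow_ip": dst("172.16.0.0/16"),
        "internetusers": nt_group("internet"),
        "all": lambda req: True}

def evaluate(rules, req):
    """Return 'allow', 'deny' or 'challenge' using first-match-wins ordering."""
    for action, acl_name in rules:
        try:
            if ACLS[acl_name](req):
                return action
        except NeedsLogin:
            return "challenge"
    return "deny"  # not reached here: both rule lists end with "deny all"

# Order from the reply (bypass above the group check) and the reverse order
BYPASS_FIRST = [("allow", "allow_url"), ("allow", "allow_ip"),
                ("allow", "internetusers"), ("deny", "all")]
AUTH_FIRST = [("allow", "internetusers"), ("allow", "allow_url"),
              ("allow", "allow_ip"), ("deny", "all")]

if __name__ == "__main__":
    anon = {"host": "www.foo.com", "ip": "203.0.113.5", "user": None}  # constructed
    print(evaluate(BYPASS_FIRST, anon), evaluate(AUTH_FIRST, anon))  # allow challenge
```

In this model `bar.com` without a leading dot does not cover `www.bar.com`, which still gets the challenge. The two allow lines also carry no `src` condition, so they apply to any client that can reach the proxy port.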
