RE: [squid-users] Can't see usernames in logs after enabling NTLM

From: Chris Robertson <crobertson@dont-contact.us>
Date: Mon, 7 Feb 2005 15:04:35 -0900

> -----Original Message-----
> From: Oliver Hookins [mailto:ohookins@gmail.com]
> Sent: Monday, February 07, 2005 2:42 PM
> To: Henrik Nordstrom
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Can't see usernames in logs after enabling
> NTLM
>
>
> Henrik Nordstrom wrote:
>> On Mon, 7 Feb 2005, Oliver Hookins wrote:
>>
>>> On my 2.5STABLE3 box I didn't explicitly have a http_access rule
>>> referring to the proxy_auth. I had one referring to the
>>> squid_ldap_group helper ACL though, and that seemed to work.
>>
>>
>> Correct.
>>
>>> Anyway here's the list of ACLs and http_access lines so maybe you can
>>> see what I'm doing wrong on the 2.5STABLE7:
>>
>>
>>> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>> #
>>> http_access allow allowedsites
>>> http_access allow localhost
>>> http_access allow SURFING
>>> #
>>> http_access allow AuthGroup
>>> #
>>
>>
>>
>> See "Squid FAQ 10.1 Access Controls - Introduction" for an in-depth
>> description of how http_access works.
>>
>> http://www.squid-cache.org/Doc/FAQ/FAQ-10.html
>
> I've never quite understood it... hence my problem. Let me run this by
> you though. If the request is for one of the allowedsites or from the
> list of IP addresses in SURFING, the AuthGroup will never even be
> touched so NTLM authentication is not activated?
>

This is correct.

> So I should put http_access allow AuthGroup at the very top so that NTLM
> authentication is forced on all requests. Then if the request is neither
> from a user in the authorised LDAP group, or from an IP address in
> SURFING, or to an allowedsite (or from localhost) it will be denied?
>

If you want all requests to be authenticated first, use "http_access deny
!AuthGroup" at the top. That way any requests from sources that are not
authenticated will be denied and asked for authentication. Requests that
are authenticated will pass on down to the next ACL (not being explicitly
denied, but not explicitly allowed either).

> When does Squid decide if it needs to activate the proxy_auth password
> required thing? During parsing of the configuration file or when a
> request is made?
>

Squid will ask for authentication (or not, based on ACLs) when a request is
made. It will (perhaps obviously) decide whether it needs to start
authentication helpers when parsing the config file.

> Regards,
> Oliver

Chris
Received on Mon Feb 07 2005 - 17:06:00 MST
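
The rule ordering discussed in this thread, as an added example that is not part of the original messages and is not Squid code: a simplified Python model of first-match http_access evaluation, showing which requests reach the AuthGroup check and therefore get a username in the log. The ACL contents, the trailing "deny all" rule and the function names are assumptions made for the illustration.

```python
# Simplified model of Squid http_access evaluation (first matching rule wins).
# ACL membership below is constructed sample data, not from the thread.
ALLOWED_SITES = {"intranet.example.com"}   # assumed content of "allowedsites"
SURFING_IPS = {"192.0.2.10"}               # assumed content of "SURFING"
GROUP_USERS = {"alice"}                    # assumed LDAP group behind "AuthGroup"

class NeedAuth(Exception):
    """An ACL needs credentials that the request does not carry."""

def acl_matches(name, req):
    if name == "all":
        return True
    if name == "allowedsites":
        return req["host"] in ALLOWED_SITES
    if name == "localhost":
        return req["src"] == "127.0.0.1"
    if name == "SURFING":
        return req["src"] in SURFING_IPS
    if name == "AuthGroup":                # the only ACL that looks at the user
        if req.get("user") is None:
            raise NeedAuth()
        return req["user"] in GROUP_USERS
    raise KeyError(name)

def evaluate(rules, req):
    """Return (verdict, logged_user); verdict is ALLOW, DENY or 407."""
    authed = False
    for action, acl in rules:
        negate = acl.startswith("!")
        name = acl.lstrip("!")
        try:
            hit = acl_matches(name, req)
        except NeedAuth:
            return ("407", "-")            # challenge; client retries with creds
        authed = authed or name == "AuthGroup"
        if hit != negate:                  # rule matches, stop here
            return (action.upper(), req["user"] if authed else "-")
    return ("DENY", "-")                   # not reached: lists end in "deny all"

# Order from the quoted config, plus an assumed final "deny all".
ORIGINAL = [("allow", "allowedsites"), ("allow", "localhost"),
            ("allow", "SURFING"), ("allow", "AuthGroup"), ("deny", "all")]
# Order suggested in the reply: authenticate before anything else.
AUTH_FIRST = [("deny", "!AuthGroup")] + ORIGINAL
```

With ORIGINAL, a request from a SURFING address or to an allowed site is allowed before AuthGroup is ever evaluated, so its log entry carries no username; with AUTH_FIRST the same request is challenged first.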
