Re: [squid-users] Can't see usernames in logs after enabling NTLM

From: Oliver Hookins <ohookins@dont-contact.us>
Date: Tue, 08 Feb 2005 11:33:37 +1100

Chris Robertson wrote:
>>-----Original Message-----
>>From: Oliver Hookins [mailto:ohookins@gmail.com]
>>Sent: Monday, February 07, 2005 2:42 PM
>>To: Henrik Nordstrom
>>Cc: squid-users@squid-cache.org
>>Subject: Re: [squid-users] Can't see usernames in logs after enabling
>>NTLM
>>
>>
>>Henrik Nordstrom wrote:
>>
>>>On Mon, 7 Feb 2005, Oliver Hookins wrote:
>>>
>>>
>>>>On my 2.5STABLE3 box I didn't explicitly have a http_access rule
>>>>referring to the proxy_auth. I had one referring to the
>>>>squid_ldap_group helper ACL though, and that seemed to work.
>>>
>>>
>>>Correct.
>>>
>>>
>>>>Anyway here's the list of acl's and http_access lines so maybe you can
>>>>see what I'm doing wrong on the 2.5STABLE7:
>>>
>>>
>>>># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
>>>>#
>>>>http_access allow allowedsites
>>>>http_access allow localhost
>>>>http_access allow SURFING
>>>>#
>>>>http_access allow AuthGroup
>>>>#
>>>
>>>
>>>
>>>See "Squid FAQ 10.1 Access Controls - Introduction" for an in-depth
>>>description of how http_access works.
>>>
>>>http://www.squid-cache.org/Doc/FAQ/FAQ-10.html
>>
>>I've never quite understood it... hence my problem. Let me run this by
>>you though. If the request is for one of the allowedsites or from the
>>list of IP addresses in SURFING, the AuthGroup will never even be
>>touched so NTLM authentication is not activated?
>>
>
>
> This is correct.
>
>
>>So I should put http_access allow AuthGroup at the very top so that NTLM
>>authentication is forced on all requests. Then if the request is neither
>>from a user in the authorised LDAP group, or from an IP address in
>>SURFING, or to an allowedsite (or from localhost) it will be denied?
>>
>
>
> If you want all requests to be authenticated first, use "http_access deny
> !AuthGroup" at the top. That way any requests from sources that are not
> authenticated will be denied and asked for authentication. Requests that
> are authenticated will pass on down to the next ACL (not being explicitly
> denied, but not explicitly allowed either).

The authentication method is just passing through fakeauth to grab
usernames anyway so it's not quite authentication as such. But basically
we want all requests to pass through fakeauth in order to grab usernames.

Then we want to:
* allow access to anyone who is authorised by LDAP group
* requests that aren't LDAP group authorised but ARE on the SURFING IP
ACL list should be allowed
* requests that aren't LDAP authorised and aren't from an IP on the
SURFING ACL but are to an allowedsite should be allowed
* deny everything else

http_access allow AuthGroup
http_access allow SURFING
http_access allow allowedsites
http_access deny all

Will that do it, and grab authentication details for every request?

>
>>When does Squid decide if it needs to activate the proxy_auth password
>>required thing? During parsing of the configuration file or when a
>>request is made?
>>
>
>
> Squid will ask for authentication (or not, based on ACLs) when a request is
> made. It will (perhaps obviously) decide whether it needs to start
> authentication helpers when parsing the config file.

Thanks,
Oliver
Received on Mon Feb 07 2005 - 17:33:43 MST
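
Added example, not part of the original message and not Squid code: a simplified Python model of the first-match http_access evaluation discussed in this thread, run over the rule order quoted from the 2.5STABLE7 box and the order proposed in the reply. The ACL names come from the thread; the addresses, site, users, the fall-through default and the client behaviour (no credentials sent until challenged) are assumptions.

```python
# Simplified model of Squid's top-to-bottom, first-match http_access evaluation.
# ACL names are from the thread; addresses, sites and users are constructed.
SURFING_IPS = {"192.0.2.10"}
ALLOWED_SITES = {"intranet.example"}
LDAP_GROUP = {"alice"}

class NeedAuth(Exception):
    """An auth-dependent ACL was evaluated and the request had no credentials."""

def acl_match(name, src, dst, user):
    if name == "all":
        return True
    if name == "localhost":
        return src == "127.0.0.1"
    if name == "SURFING":
        return src in SURFING_IPS
    if name == "allowedsites":
        return dst in ALLOWED_SITES
    if name == "AuthGroup":            # group lookup needs a username
        if user is None:
            raise NeedAuth()
        return user in LDAP_GROUP
    raise KeyError(name)

def http_access(rules, src, dst, user=None):
    for action, acl in rules:          # the first matching line decides
        try:
            if acl_match(acl, src, dst, user):
                return action
        except NeedAuth:
            return "challenge"         # proxy asks the client to authenticate
    return "deny"                      # assumption: fall-through treated as deny

def serve(rules, src, dst, user):
    """Client sends no credentials until challenged; returns (verdict, logged user)."""
    verdict = http_access(rules, src, dst)
    if verdict != "challenge":
        return verdict, None           # auth ACL never reached: no username to log
    if user is None:
        return "challenge", None       # client that cannot authenticate stays stuck
    return http_access(rules, src, dst, user), user

ORIGINAL = [("allow", "allowedsites"), ("allow", "localhost"),
            ("allow", "SURFING"), ("allow", "AuthGroup")]
PROPOSED = [("allow", "AuthGroup"), ("allow", "SURFING"),
            ("allow", "allowedsites"), ("deny", "all")]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, serve(rules, "192.0.2.10", "example.org", "bob"))
```

In this model a client that cannot answer the challenge never gets past the first line of the proposed order, even from a SURFING address.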
