[squid-users] cannot connect to local website

From: Jason Kearns <jk@dont-contact.us>
Date: Mon, 4 Apr 2005 13:52:18 +1200 (NZST)

Hello,

I am running a Mac OS X Server (10.3.7) that among other things does web
hosting (for our webpage) and proxy caching and authentication with squid.
I have two versions of squid running with dansguardian in the middle for
content filtering. The first version of squid does the authentication to
see if the user is allowed onto the internet (this is at a school where
teacher accounts are granted access to the internet but students are not)
along with a bit of blocking based on bad words in the URL. The second
instance of squid is there to do the caching and to communicate with
dansguardian. Everything seems to be working great - except that client
machines on my network can't get to our homepage.

This is what part of my squid configuration looks like (below the
http_access tag):

########### OUR RULES ##############

# First block sites that we know we don't want anyone going to
# this is simply filtering the URLs, not the page content
http_access deny block_webhostURL
http_access deny block_webhostDOM
http_access deny block_piratesURL
http_access deny block_piratesDOM
http_access deny block_advertisersDOM
http_access deny block_advertisersURL
http_access deny block_websearchDOM
http_access deny block_websearchURL
http_access deny block_entertainmentDOM
http_access deny block_entertainmentURL
http_access deny block_anonymizersDOM
http_access deny block_badlangURL
http_access deny block_pornDOM
http_access deny block_pornURL

# PAM stuff to allow for authentication of users in "internet" group
auth_param basic program /path/to/pam/file/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# allows local machines to get to homepage
acl our_website dst x.x.x.x #actual ip address not shown to protect the innocent
acl localnet src 192.168.1.0/24
http_access allow localnet our_website

# requires authentication before getting access to internet
acl password proxy_auth REQUIRED
http_access allow password

# And finally deny all other access to this proxy
http_access deny all

#### END #####

So, first off we block sites based on URL with ACLs that point to word
lists. This works great. Then the PAM stuff is what I'm using to
authenticate to the Open Directory to see if the user should be allowed
onto the Internet. That works too. The next bit is where problems occur.
What I want to have happen is for the machines to be allowed access to
our website without having to authenticate through the proxy. With this
setup, it doesn't work. It doesn't ask for authentication when I try to
go to our homepage, it just times out with a generic IE or Firefox "The
page cannot be displayed" error. Note that all the browsers are set up to
bypass the proxy when trying to access our local web address.

What I've tried though is replacing our information with New York
University's info as a test:

# allows local machines to get to homepage
acl our_website dst 128.122.108.74 #nyu's ip address
acl localnet src 192.168.1.0/24
http_access allow localnet our_website

This works perfectly. When I try to go to the NYU homepage with a
client-machine's browser (either typing in www.nyu.edu or the IP address)
I get there without having to authenticate.

Switching back to our info, I then tried to just type our IP into the
browser. Boom, I get our homepage without having to authenticate. But I
still can't get our homepage to come up by typing in our web address.

In addition to all of this, when I use the browser on our server (which is
also pointing to the proxy but bypassing it for our local address) I get
to our homepage no problem.

Anyone out there have any ideas on what could be the problem?

Thanks,
JK
Received on Sun Apr 03 2005 - 18:53:14 MDT
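
Added example, not part of the original post and not Squid code: a Python model of how the three http_access lines quoted above are evaluated top-down, with the first matching line deciding, so the scope of the unauthenticated exception can be checked per client and destination. The address 203.0.113.10, the name www.example.school and the resolver table are constructed stand-ins for values the post withholds; the URL block lists are left out because their contents are not shown.

```python
import ipaddress

# Constructed stand-ins: the post withholds the real address (x.x.x.x).
OUR_WEBSITE = ipaddress.ip_address("203.0.113.10")
LOCALNET = ipaddress.ip_network("192.168.1.0/24")
# Constructed resolver table standing in for the DNS answers the proxy gets.
DNS = {"www.example.school": "203.0.113.10", "www.nyu.edu": "128.122.108.74"}

def dst_matches(host):
    """acl our_website dst ...: compares the destination address; names are resolved first."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        resolved = DNS.get(host)
        if resolved is None:
            return False  # an unresolvable name cannot match a dst ACL
        addr = ipaddress.ip_address(resolved)
    return addr == OUR_WEBSITE

ACLS = {
    "localnet": lambda r: ipaddress.ip_address(r["client"]) in LOCALNET,
    "our_website": lambda r: dst_matches(r["host"]),
    "password": lambda r: r.get("user") is not None,  # proxy_auth REQUIRED
    "all": lambda r: True,
}

# The three http_access lines from the post, in their original order.
RULES = [
    ("allow", ["localnet", "our_website"]),
    ("allow", ["password"]),
    ("deny", ["all"]),
]

def evaluate(request):
    """Return (decision, config line) for the first http_access line that matches."""
    for action, names in RULES:
        line = f"http_access {action} {' '.join(names)}"
        for n in names:  # every ACL on a line must match (AND), left to right
            if n == "password" and request.get("user") is None:
                return "challenge-407", line  # proxy asks the browser for credentials
            if not ACLS[n](request):
                break  # this line does not match; try the next one
        else:
            return action, line
    return "deny", "(no line matched)"  # not reached here: 'all' matches everything

if __name__ == "__main__":
    for host in ("203.0.113.10", "www.example.school", "www.nyu.edu"):
        print(host, evaluate({"client": "192.168.1.20", "host": host}))
```

The model covers only the access decision for requests that actually reach the proxy; it says nothing about requests a browser sends directly because of its bypass setting.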
