RE: [squid-users] Reverse proxy with LDAP authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 26 Sep 2008 14:14:40 +1200 (NZST)

>> -----Original Message-----
>> From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
>> Sent: Friday, September 19, 2008 2:31 PM
>> To: Andrew Struiksma
>> Cc: 'squid-users_at_squid-cache.org'
>> Subject: Re: [squid-users] Reverse proxy with LDAP authentication
>>
>> On fre, 2008-09-19 at 13:04 -0700, Andrew Struiksma wrote:
>> > We have a company intranet server running Apache2 on Debian 4.
>> > Currently it is only available on our LAN. We would like to make it
>> > available outside our LAN. However, we want users to have to
>> > authenticate against our Active Directory when they are coming from
>> > the outside. Once they have authenticated, they should have full
>> > access to the internal website. Is this something that Squid can do?
>>
>> Yes, with some limitations.
>>
>> The limitation is that there is only one authentication slot
>> in HTTP, so if the web server also uses HTTP authentication
>> then it needs to use the exact same authentication (basic
>> authentication to the same password backend), or you need to
>> set up a special authentication peering between the two (see
>> the login= cache_peer option).
>>
>
> I've set up the reverse SSL proxy on Squid 2.7 and it's almost working as
> needed. I want to accept connections on both port 80 and 443 but I want
> all the port 80 traffic to be redirected to 443 so that everything is
> encrypted. The main reason we need everything encrypted is that we are
> requiring LDAP authentication before Squid will allow access to the site.
> How can I do this?
>
> Here is the main part of my config:
>
> http_port 80 defaultsite=site.company.org
> https_port 443 cert=/etc/ssl/certs/company.org.cert \
> key=/etc/ssl/certs/company.org.key \
> defaultsite=site.company.org
>
> cache_peer site.company.org parent 443 0 no-query \
> originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
> acl our_sites dstdomain site.company.org
> acl all src 0.0.0.0/0.0.0.0
>
> auth_param basic program /usr/lib/squid/ldap_auth \
> -R -b "dc=company,dc=org" -D
> "cn=squid_user,cn=Users,dc=company,dc=org" \
> -w "password" -f sAMAccountName=%s -h 192.168.1.2
> auth_param basic children 5
> auth_param basic realm Our Site
> auth_param basic credentialsttl 5 minutes
>
> acl ldap_users proxy_auth REQUIRED
>
> http_access allow ldap_users
> http_access allow our_sites

If I understand you correctly that should be:

 http_access allow our_sites ldap_users
 http_access deny all

> cache_peer_access myAccel allow our_sites
>
> Andrew
>

That config should do it.
Perhaps a "never_direct allow our_sites" to prevent non-peered traffic.

Amos
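The ACL-ordering point Amos makes above, worked through as an added example (not part of the thread, not Squid code): a small model of Squid's http_access rule evaluation, run over the two rule sets. It models only the rule-list semantics (ACLs on a line are ANDed, the first fully matching line decides, no match gives the opposite of the last line) and treats "authenticated" as "credentials were accepted by ldap_auth"; the 407 challenge Squid sends for a request with no credentials is out of scope.

```python
"""Model of Squid http_access evaluation, constructed for this example.

Not Squid's own code: it reproduces only the rule-list semantics so the
effect of rule ordering on the posted config can be seen directly.
"""

# Each rule is (action, [acl names]). ACLs on one line are ANDed; the first
# line whose ACLs all match decides; with no match, Squid applies the
# opposite of the last line's action.
ORIGINAL = [("allow", ["ldap_users"]), ("allow", ["our_sites"])]
CORRECTED = [("allow", ["our_sites", "ldap_users"]), ("deny", ["all"])]


def acl_matches(name, request):
    """Semantics of the three ACLs defined in the posted config."""
    if name == "all":
        return True
    if name == "our_sites":
        return request["host"] == "site.company.org"
    if name == "ldap_users":
        # True only when ldap_auth accepted the supplied credentials.
        return request["authenticated"]
    raise ValueError(f"unknown acl {name}")


def http_access(rules, request):
    """Return 'allow' or 'deny' for the request under the given rule list."""
    for action, acls in rules:
        if all(acl_matches(acl, request) for acl in acls):
            return action
    last_action = rules[-1][0]
    return "deny" if last_action == "allow" else "allow"


def compare(request):
    """Decision of both rule sets for one request, side by side."""
    return {"original": http_access(ORIGINAL, request),
            "corrected": http_access(CORRECTED, request)}


if __name__ == "__main__":
    # Constructed requests: an authenticated user asking for an unrelated
    # host, and a request for the intranet site whose credentials failed.
    for req in ({"host": "example.net", "authenticated": True},
                {"host": "site.company.org", "authenticated": False}):
        print(req, compare(req))
```

The original order lets any authenticated user reach any host through the proxy and lets a request with rejected credentials reach the intranet site via the second line; the corrected order requires both conditions and denies everything else.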
Received on Fri Sep 26 2008 - 02:14:52 MDT
