Re: [squid-users] Reverse proxy with LDAP authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 27 Sep 2008 18:10:36 +1200

Andrew Struiksma wrote:
>>> Here is the main part of my config:
>>>
>>> http_port 80 defaultsite=site.company.org
>>> https_port 443 cert=/etc/ssl/certs/company.org.cert \
>>>     key=/etc/ssl/certs/company.org.key \
>>>     defaultsite=site.company.org
>>>
>>> cache_peer site.company.org parent 443 0 no-query \
>>>     originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
>>> acl our_sites dstdomain site.company.org
>>> acl all src 0.0.0.0/0.0.0.0
>>>
>>> auth_param basic program /usr/lib/squid/ldap_auth \
>>>     -R -b "dc=company,dc=org" \
>>>     -D "cn=squid_user,cn=Users,dc=company,dc=org" \
>>>     -w "password" -f sAMAccountName=%s -h 192.168.1.2
>>> auth_param basic children 5
>>> auth_param basic realm Our Site
>>> auth_param basic credentialsttl 5 minutes
>>>
>>> acl ldap_users proxy_auth REQUIRED
>>>
>>> http_access allow ldap_users
>>> http_access allow our_sites
>> If I understand you correctly that should be:
>>
>> http_access allow our_sites ldap_users
>> http_access deny all
>>
>>> cache_peer_access myAccel allow our_sites
>>>
>>> Andrew
>>>
>> That config should do it.
>> Perhaps a "never_direct allow our_sites" to prevent
>> non-peered traffic.
>
> OK. I'll add in those options. Currently, if a user connects on port 80 they are not forwarded to port 443 until after logging in and actually clicking a link on the website. They then are prompted to login a second time on port 443. Can Squid redirect to port 443 immediately before login or do I need to setup Apache to do this?

Ah, now it sounds like you believe or need one thing and your config is
doing yet another.

Fortunately they are easy to do:

At the top of the config after "http_port 80" add these:

   acl port80 myport 80
   deny_info https://site.company.org port80
   http_access deny port80

That will cause squid itself to send a 3xx moved fake 'error' message to
all port 80 requests. The user's browser will then automatically
re-connect to port 443 before being asked to login.

NP: for anyone else trying to copy this: it only works on one domain
name at a time. Needs adjustment for virtual-hosted setups.

>
> Can I add in an ACL to permit users from certain IP ranges to access the site without having to authenticate to LDAP? I'm thinking about sending all users through Squid but I don't want to force users on our LAN to have to authenticate.
>

Yes. Just chain the acl names properly. An http_access allow line before
one that requires auth should do it.

http_access are checked top-down and first to match causes allow/deny.
They can be thought of as a boolean expression:
  http_access allow/deny if a AND b AND c AND d
  OR
  http_access allow/deny if a AND b AND !d (! being NOT)

Amos

-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
Received on Sat Sep 27 2008 - 06:10:51 MDT
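The http_access semantics Amos describes above (lines checked top-down, the ACLs on one line ANDed, first full match decides, "!" negates) combined with the port-80 redirect and the LAN exemption can be checked before touching a live proxy. The following is an added example written for this archive page; it is not code from the thread or from Squid. It models only those ordering rules in plain Python; the ACL names match the thread, while the 10.0.0.0/8 LAN range, the auth_ok flag and the sample requests are constructed for illustration, and the 407-challenge behaviour is a simplification of what Squid does when a proxy_auth ACL sees no credentials.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Semantics modelled, as described in the thread:
  * http_access lines are checked top-down; the first line whose ACLs all
    match decides allow/deny.
  * ACLs on one line are ANDed, left to right; "!name" negates an ACL.
  * deny_info maps the ACL that caused a deny to a redirect URL.
"""
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/8")  # assumed LAN range (constructed)

# ACL definitions: name -> predicate over a request dict.
ACLS = {
    "port80":     lambda r: r["myport"] == 80,
    "our_sites":  lambda r: r["dstdomain"] == "site.company.org",
    "lan":        lambda r: ipaddress.ip_address(r["src"]) in LAN,
    # proxy_auth REQUIRED: True with valid credentials; None when the
    # request carries none, in which case Squid challenges the client.
    "ldap_users": lambda r: True if r.get("auth_ok") else None,
    "all":        lambda r: True,
}

# deny_info https://site.company.org port80
DENY_INFO = {"port80": "https://site.company.org"}

# The thread's config with the LAN exemption placed BEFORE the line that
# requires authentication, so LAN clients are never challenged.
HTTP_ACCESS = [
    ("deny",  ["port80"]),                 # redirect plain-HTTP to HTTPS
    ("allow", ["our_sites", "lan"]),       # LAN: no LDAP login needed
    ("allow", ["our_sites", "ldap_users"]),# everyone else must authenticate
    ("deny",  ["all"]),                    # explicit default deny
]


def evaluate(request, rules=HTTP_ACCESS):
    """Return 'allow', 'deny', 'redirect:<url>' or 'auth_challenge'."""
    for action, acls in rules:
        line_matches = True
        last_checked = None
        for acl in acls:
            negate = acl.startswith("!")
            name = acl.lstrip("!")
            last_checked = name
            result = ACLS[name](request)
            if result is None:
                # No credentials yet: the auth ACL cannot decide, Squid
                # answers with a 407 and evaluation stops here.
                return "auth_challenge"
            if negate:
                result = not result
            if not result:
                line_matches = False
                break           # AND failed; move to the next line
        if line_matches:
            if action == "deny" and last_checked in DENY_INFO:
                return "redirect:" + DENY_INFO[last_checked]
            return action
    # Squid's implicit default is the opposite of the last http_access line.
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    # Constructed sample requests (not from the thread).
    samples = [
        {"myport": 80,  "dstdomain": "site.company.org", "src": "10.1.2.3"},
        {"myport": 443, "dstdomain": "site.company.org", "src": "10.1.2.3"},
        {"myport": 443, "dstdomain": "site.company.org", "src": "203.0.113.5"},
        {"myport": 443, "dstdomain": "site.company.org", "src": "203.0.113.5",
         "auth_ok": True},
        {"myport": 443, "dstdomain": "other.example",    "src": "203.0.113.5"},
    ]
    for req in samples:
        print(req, "->", evaluate(req))
```

Note the last sample: a request for a domain outside our_sites is denied without ever reaching ldap_users, because our_sites fails first on the same line. That is why Amos puts "our_sites" before "ldap_users" on the allow line; reversing them would challenge every client for credentials before Squid even looks at the destination.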
