RE: [squid-users] Reverse proxy with LDAP authentication

From: Andrew Struiksma <astruiksma_at_esd189.org>
Date: Tue, 30 Sep 2008 09:57:06 -0700

> At the top of the config after "http_port 80" add these:
>
> acl port80 myport 80
> deny_info https://site.company.org port80
> http_access deny port80
>
> That will cause squid itself to send a 3xx moved fake 'error'
> message to all port 80 requests. The user's browser will then
> automatically re-connect to port 443 before being asked to log in.
>
> NP: for anyone else trying to copy this: it only works on one
> domain name at a time. Needs adjustment for virtual-hosted setups.
>
> >
> > Can I add in an ACL to permit users from certain IP ranges
> > to access the site without having to authenticate to LDAP? I'm
> > thinking about sending all users through Squid but I don't
> > want to force users on our LAN to have to authenticate.
> >
>
> Yes. Just chain the acl names properly. An http_access allow
> line before one that requires auth should do it.
>

Thanks for your help! This is my new config that seems to be working fine:

---------------------
http_port 80 defaultsite=mysite.company.org
https_port 443 cert=/etc/ssl/certs/company.cert key=/etc/ssl/certs/company.key defaultsite=mysite.company.org

#redirects all http traffic to https
acl port80 myport 80
deny_info https://mysite.company.org port80
http_access deny port80

cache_peer mysite.company.org parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
acl our_sites dstdomain mysite.company.org
acl all src 0.0.0.0/0.0.0.0

auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=company,dc=org" -D "cn=squid_user,cn=Users,dc=company,dc=org" -w "password" -f sAMAccountName=%s -h 192.168.1.2
auth_param basic children 2
auth_param basic realm Our Website
auth_param basic credentialsttl 2 hours

#these networks can access mysite without authenticating
acl trusted_nets src 10.2.1.0/24
acl trusted_nets src 192.168.1.0/24

acl ldap_users proxy_auth REQUIRED

http_access allow trusted_nets our_sites
http_access allow ldap_users our_sites

cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all

never_direct allow our_sites
---------------------

You mentioned supporting multiple hosts. Is it relatively easy for a squid reverse proxy to provide access to several internal servers (i.e. mysite.company.org, mysite2.company.org, etc.)?

Andrew
Received on Tue Sep 30 2008 - 16:57:43 MDT
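The ACL ordering discussed in the quoted reply, as an added example that is not part of the original thread: a small Python model of how Squid walks the http_access lines of the config above (first matching line wins, the ACLs on one line are ANDed left to right, a proxy_auth ACL without accepted credentials ends evaluation with an auth challenge, and deny_info turns the port-80 deny into a redirect). The ldap_auth helper is replaced by a constructed one-account stub, and treating rejected credentials the same as missing ones is a simplifying assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass
class Request:
    port: int        # port the client connected to (myport)
    src: str         # client IP address (src)
    host: str        # requested domain (dstdomain)
    creds: str = ""  # "user:pass" from the Authorization header, "" if absent
# Constructed stand-in for the ldap_auth helper: exactly one accepted account.
VALID_CREDS = {"alice:s3cret"}
# ACLs from the posted config: name -> (acl type, values).
ACLS = {
    "port80": ("myport", [80]),
    "our_sites": ("dstdomain", ["mysite.company.org"]),
    "trusted_nets": ("src", ["10.2.1.0/24", "192.168.1.0/24"]),
    "ldap_users": ("proxy_auth", []),
}
DENY_INFO = {"port80": "https://mysite.company.org"}
# The http_access lines, in file order.
RULES = [("deny", ["port80"]),
         ("allow", ["trusted_nets", "our_sites"]),
         ("allow", ["ldap_users", "our_sites"])]
def acl_matches(name, req):
    kind, vals = ACLS[name]
    if kind == "myport":
        return req.port in vals
    if kind == "dstdomain":
        return req.host in vals
    if kind == "src":
        return any(ip_address(req.src) in ip_network(n) for n in vals)
    # proxy_auth: missing or rejected credentials stop evaluation with an
    # auth challenge (401 in accelerator mode); accepted credentials match.
    return True if req.creds in VALID_CREDS else "challenge"
def http_access(req, rules=RULES):
    """Return 'allow', 'deny', 'challenge' or 'redirect <url>' for req."""
    action = "allow"
    for action, acls in rules:
        for name in acls:  # ACLs on one line are ANDed, checked left to right
            verdict = acl_matches(name, req)
            if verdict == "challenge":
                return "challenge"
            if not verdict:
                break      # line does not match; fall through to the next one
        else:              # every ACL on the line matched: first match wins
            if action == "deny" and name in DENY_INFO:
                return "redirect " + DENY_INFO[name]
            return action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"
```

Passing the two allow lines in the opposite order shows why the ordering matters: a LAN client would then hit the proxy_auth ACL first and be challenged before its src range is ever checked.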