RE: [squid-users] redirecting unauthenticated users

From: Philippe Boeij <philippe.boeij_at_scarlet.be>
Date: Mon, 27 Apr 2009 20:46:42 +0200

Hi Amos,

Thanks very very much for your help. I'm not really trying to authenticate
to an external web site, only Squid is involved.

What I'm trying to do is:

1 http_access allow all
# redirector program
2 http_access2 allow freesites
3 http_access2 allow AuthUsers
4 http_access2 deny all

- User opens browser. (no auth yet)
- Homepage tries to load, redirector sees no username => redirect to welcome
page (+ link to google), allowed by acl 2
- User clicks on the external link => not in acl 2, but allowed by acl 3 =>
Squid asks for auth
- User enters user+pass in browser (proxy-auth), validated by Squid. Squid
has now a valid username and password.

So far, so good. This all works fine.
- now every next page should pass the redirector as this

Problem:
Due to acl 1, Squid doesn't pass a username to the rewriter program and even
after a successful auth, the redirector keeps redirecting to the welcome
page due to the missing username.
If I put acl 3 before the redirector, Squid nicely sends the username with
the requested url.

Can this be resolved?

Kind regards,
Philippe

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, April 27, 2009 02:58
To: Philippe Boeij
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] redirecting unauthenticated users

>
> Hi,
>
> I have a question. I'd like to have squid configured for the following:
>
> - User opens browser (with squid proxy configured) and gets redirected
> to a login page
> - The browser prompts for a proxy username/password.
> - if the user provided a good username/password, he/she can click on
> an icon to get redirected to the original requested page.
>
> squid.conf (using version 2.7stable5) part:
>
> acl all src all
> acl freesites dstdomain login.mydomain.local
> acl AuthUsers proxy_auth REQUIRED
>
> http_access allow all
> # process redirector program between http_access and http_access2,
> # result depends on the fact if a username exists.
> http_access2 allow freesites
> http_access2 allow AuthUsers
> http_access2 deny all
>
> Problem is that this way the redirector program never gets any
> username passed although the user is asked for a user/pass.
>
> This works partially (username gets passed):
>
> http_access allow AuthUsers
> # -> process redirector program between http_access and http_access2
> http_access2 allow all
>
> But now I can't redirect to a nice welcome page before the
> username/password prompt...
>
>
> Please someone help.
>
> Many thanks.
>
> Philippe
>

You have a conceptual problem here.

What you are attempting to do is get the browser to authenticate against the
proxy by sending authentication details to a web server somewhere else.

What you need instead is one of two captive portal solutions:

 1) authenticate against the proxy directly, no fuss.

  http_access allow freesites
  http_access deny !AuthUsers
  http_access deny all

 2) use an external_acl_type helper to perform side-band authentication
based on IP using details gathered from the website login.

  external_acl_type foo ...
  acl AuthUsers external foo

  http_access allow freesites
  http_access allow AuthUsers
  deny_info http://login.mydomain.local all
  http_access deny all

(2) has cons in that it assumes you are able to create a working auth scheme
where experts often fail. Also that every visitor has a unique IP/headers
(no sharing, no NAT) and forgery is ignored.

Amos
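As an added illustration of option (2), not code from this thread, here is a minimal external_acl_type helper of the kind Amos describes: Squid hands it the client IP (format `%SRC`) and it answers `OK user=...` or `ERR` from a session table that a portal login page would fill. The helper name `ipsession`, the path and the session entries are assumptions; the in-memory table stands in for whatever store the portal writes to.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: client IP -> logged-in portal user.

Assumed squid.conf lines (helper name and path are hypothetical):
  external_acl_type ipsession ttl=60 negative_ttl=5 %SRC /usr/local/bin/ipsession_helper.py
  acl AuthUsers external ipsession

Squid writes one request per line on stdin (here just the client IP) and
expects exactly one reply line per request, in order: "OK" or "ERR".
"""
import sys
import time

# Constructed session table: client IP -> (username, expiry as epoch seconds).
# A real portal would populate a shared store from its login page instead.
SESSIONS = {
    "192.0.2.10": ("alice", time.time() + 3600),   # live session
    "192.0.2.11": ("bob", time.time() - 10),       # already expired
}


def lookup(client_ip, sessions=SESSIONS, now=None):
    """Return the reply line Squid should get for one client IP."""
    now = time.time() if now is None else now
    entry = sessions.get(client_ip)
    if entry is None:
        return "ERR"
    user, expires = entry
    if expires <= now:
        # An expired session counts as unauthenticated. This matters for
        # IP-keyed auth: when the address is reused (DHCP, NAT) the next
        # host must not inherit the previous user's access.
        return "ERR"
    return "OK user=%s" % user


def parse_request(line):
    """Extract the client IP from one helper request line."""
    fields = line.strip().split()
    return fields[0] if fields else ""


def process(lines, sessions=SESSIONS, now=None):
    """Answer a batch of request lines; one reply per request, same order."""
    return [lookup(parse_request(l), sessions, now) for l in lines]


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(lookup(parse_request(request)) + "\n")
        sys.stdout.flush()   # Squid waits for each reply before continuing
```

Squid caches each answer for `ttl` seconds, so a logout on the portal is only seen by the proxy once that cache entry expires; the sharing and forgery caveats in Amos's reply apply unchanged.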
Received on Mon Apr 27 2009 - 18:46:48 MDT