Re: [squid-users] Two authentication helpers in one instance

From: Henrik Nordström <>
Date: Tue, 30 Aug 2011 16:16:30 +0200

tis 2011-08-30 klockan 14:19 +0200 skrev Rafal Zawierta:

> Is it possible to use dual authentication helpers in one squid3 instance.

Kind of, but only one of each authentication type.

> If user is in WinNT domain, he is authenticated against AD in negotiate mode.
> If user is not in in AD, then he is prompted for password.

Unfortunately not how the browsers works.

The selection is done by the browser based on the capabilities of the
browser, not if the user is logged on to a domain. If the browsre is
capable of performing Kerberos authentication then it will either use
the already logged in AD credentials or promt the user for AD
credentials, verified by the negotiate auth helper. If the browser is
not capable of kerberos authentication it will prompt for plain username
+ password authentication validated by the basic auth helper.

> But next, I'd like to match all users that are authenticated with
> basic mode in separate acl. I'm able to use some regex with that
> usernames - for example guest_ prefix in username.
> Is it possible?

Yes. See proxy_auth and proxy_auth_regex acl types.

Received on Tue Aug 30 2011 - 14:16:39 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 30 2011 - 12:00:02 MDT