[squid-users] Allowing linked sites - NTLM and un-authenticated users

From: Jasper Van Der Westhuizen <javanderwesthuizen_at_shoprite.co.za>
Date: Fri, 30 Mar 2012 12:45:24 +0200

Hi everyone

I've been struggling to get a very specific setup going.

Some background: Our users are split into "Internet" users and "Non-Internet" users. Everyone in a specific AD group is allowed to have full internet access. I have two SQUID proxies with squidGuard load balanced with NTLM authentication to handle the group authentication. All traffic also then gets sent to a cache peer.

This is basically what I need:
1. All users (internet and non-internet) must be able to access sites in "/etc/squid/lists/whitelist.txt"
2. If a user wants to access any external site that is not in the whitelist then he must be authenticated. Obviously a non-internet user can try until he is blue in the face, it won't work.

These two scenarios are working 100%, except for one irritating bit. Most of the whitelisted sites have got linked websites like Facebook or Twitter or YouTube in them that load icons and graphics or ads etc. This causes an auth-prompt for non-internet users. I can see the requests in the logs being DENIED.

The only way I could think of getting rid of these errors was to implement a "http_access deny !whitelist" after the allow. This works great for non-internet users and it blocks all the linked sites without asking to authenticate, but obviously this breaks access to all other sites for authenticated users (access denied for all sites).

I thought of placing the whitelisted sites in squidGuard but NTLM authentication happens in squid, before it reaches squidGuard.

Here is an excerpt from my config file:
--cut--
### Whitelisted sites for all users
acl whitelist dstdomain "/etc/squid/lists/whitelist.txt"

### Matches only requests that carry valid proxy credentials
acl authenticated proxy_auth REQUIRED

# whitelisted destinations: no authentication needed
http_access allow whitelist
# everything else: only for authenticated users
http_access allow authenticated !whitelist
http_access deny all
--cut--

What I basically need is something like "http_access deny !whitelist !authenticated" which means deny all sites not in whitelist for users who are not authenticated. Can this be done?

Any suggestions would be greatly appreciated.

Kind Regards
Jasper
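The behaviour described in this post can be traced through a small model of Squid's http_access evaluation. This is an added example, not code from the post or from Squid: it assumes a simplified model in which lines are checked in order, every ACL on a line must match, the first fully matching line wins, and reaching a proxy_auth ACL on a request without credentials produces a 407 challenge instead of a verdict. The whitelist contents are constructed.

```python
# Constructed sample whitelist, standing in for /etc/squid/lists/whitelist.txt
WHITELIST = {"intranet.example", "partner.example"}

def acl_matches(name, host, has_creds):
    """Evaluate one ACL for a request to `host`. Returns True/False, or None
    when an auth ACL is reached and the request carries no credentials
    (Squid then sends a 407 challenge instead of a verdict)."""
    if name == "whitelist":
        return host in WHITELIST
    if name == "authenticated":   # acl authenticated proxy_auth REQUIRED
        return True if has_creds else None
    if name == "all":
        return True
    raise ValueError(f"unknown acl {name}")

def http_access(rules, host, has_creds):
    """Simplified http_access: lines are checked in order, every ACL on a line
    must match (a leading '!' negates), first fully matching line wins.
    Returns 'allow', 'deny' or 'challenge'."""
    for verdict, acls in rules:
        line_matches = True
        for acl in acls:
            negate = acl.startswith("!")
            result = acl_matches(acl.lstrip("!"), host, has_creds)
            if result is None:
                return "challenge"
            if result == negate:      # ACL did not match after negation
                line_matches = False
                break
        if line_matches:
            return verdict
    # Squid's default when no line matches: the opposite of the last line
    return "allow" if rules[-1][0] == "deny" else "deny"

# The three lines from the posted excerpt
POSTED = [("allow", ["whitelist"]),
          ("allow", ["authenticated", "!whitelist"]),
          ("deny", ["all"])]
# The same with 'http_access deny !whitelist' inserted after the allow
WITH_DENY = [POSTED[0], ("deny", ["!whitelist"])] + POSTED[1:]
# The line the post asks about, placed after the whitelist allow
ASKED = [POSTED[0], ("deny", ["!whitelist", "!authenticated"])] + POSTED[1:]

def verdicts(rules):
    """(whitelisted host, embedded facebook.com without credentials,
    facebook.com with credentials) for one rule set."""
    return (http_access(rules, "intranet.example", False),
            http_access(rules, "facebook.com", False),
            http_access(rules, "facebook.com", True))
```

In this model the posted rules challenge for every non-whitelisted request, the extra `deny !whitelist` denies those requests even when credentials are present, and the asked-for line still reaches the auth ACL for credential-less requests, so it still challenges.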
Received on Fri Mar 30 2012 - 10:51:57 MDT