Re: [squid-users] negative ACL

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 20 Jul 2012 11:22:11 +1200

On 20/07/2012 7:47 a.m., Rick Chisholm wrote:
> I have an NTLM auth proxy, but a number of apps do not seem to be smart
> enough to pass credentials and this generates numerous squid
> authentication pop-ups for users. I'm trying to eliminate this.

NTLM is inefficient and now deprecated as well. A bunch of those apps
you will find happy to use Negotiate/Kerberos authentication; any
Windows 7 and Vista client software will be in that group. Upgrading to
Kerberos is recommended.

Anyways...

>
> I was thinking of creating a browser ACL with entries that will cover the
> browsers in use on the network and then try to use a NOT operator like
>
> http_access allow !known_browsers
>
> before the auth required setting.
>
> thoughts?

That particular logic is a bit tricky and allows users through the proxy
without auth if you make any mistakes in the browser regex pattern (or
they fake their UA string).

I would pick a whitelist style of known-ok agents to send the auth
challenge to.

   http_access allow known_browsers authAcl

That way any mistakes will result in visible auth popups, not a silent
allow.

Amos
Received on Thu Jul 19 2012 - 23:22:26 MDT
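
The two rule orders discussed in this thread, side by side as a squid.conf fragment. This is an added example, not part of the original message: the User-Agent patterns, the `app_dst` ACL and its domain are constructed placeholders, and an `auth_param` scheme is assumed to be configured elsewhere in the file.

```conf
# Assumption: auth_param (NTLM or Negotiate) is already set up above this point.
acl authAcl proxy_auth REQUIRED

# Constructed patterns; list the User-Agent strings of browsers actually deployed.
# The browser ACL type is a regex match on the User-Agent request header.
acl known_browsers browser -i firefox msie chrome

# Hypothetical ACL for an application that cannot answer an auth challenge,
# scoped by destination rather than by anything the client claims about itself.
acl app_dst dstdomain .updates.example.com

# --- Variant A (the rule proposed in the question): fails open ---
# Every request whose User-Agent does NOT match known_browsers is allowed
# before authAcl is ever evaluated. A gap in the regex, or a client sending
# a different User-Agent, passes through the proxy unauthenticated.
#
#   http_access allow !known_browsers
#   http_access allow authAcl
#   http_access deny all

# --- Variant B (the rule suggested in the reply): fails closed ---
# Unauthenticated access is limited to the explicitly listed destination.
http_access allow app_dst

# Only requests that match known_browsers AND present valid credentials
# are allowed; a matching browser without credentials gets the challenge.
http_access allow known_browsers authAcl

# Anything that matched neither rule falls through to this line instead of
# being allowed without authentication.
http_access deny all
```

After editing, `squid -k parse` checks the file for syntax errors before the change is applied with `squid -k reconfigure`.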
