Re: [squid-users] Fwd: config squid to set specific acl delay pools for username and then set it to the ip addr of username

From: Daniyal Khorashadi Zadeh <daniyal.khorashadizadeh_at_gmail.com>
Date: Mon, 13 May 2013 13:48:02 +0430

What do you mean by 'pushing the proxy settings over' ?
How can I accomplish what you are saying ?

On Mon, May 13, 2013 at 1:39 PM, Daniyal Khorashadi Zadeh
<daniyal.khorashadizadeh_at_gmail.com> wrote:
> What do you mean by 'pushing the proxy settings over' ?
> How can I accomplish what you saying ?
> And Thank you very much for your concern guys :)
>
>
> On Mon, May 13, 2013 at 1:13 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>
>> On 13/05/2013 8:26 p.m., Alex Domoradov wrote:
>>>
>>> On Mon, May 13, 2013 at 11:18 AM, Amos Jeffries <squid3_at_treenet.co.nz>
>>> wrote:
>>>>
>>>> On 13/05/2013 5:54 p.m., Alex Domoradov wrote:
>>>>>
>>>>> You can use acl apr, for example
>>>>>
>>>>> acl BIG_BOSS arp 01:02:03:04:05:06
>>>>>
>>>>> On Mon, May 13, 2013 at 8:11 AM, Daniyal Khorashadi Zadeh wrote:
>>>>>>
>>>>>> Assume your executive of corporation, sit on his clerk desk PC, and
>>>>>> login to his username on the network (authenticate with Active
>>>>>> Directory), of course he wants his full access to internet, but he
>>>>>> can't because his IP address is different from what we set in squid
>>>>>> for his PC.
>>>>>>
>>>>>> we authenticate users in Active Directory, and set their gateways to
>>>>>> squid server so we have a Transparent squid. we don't want our users
>>>>>> to be authenticate for second time in Browser...
>>>>
>>>>
>>>> This makes no sense at all. It is a simple matter for the browser to
>>>> send
>>>> the already authenticated AD credentials to Squid for Squid to conform
>>>> them
>>>> with AD. It's called single-sign-on to most people familiar with MS
>>>> products, and works with all forms of HTTP auth.
>>>
>>> will it work with transparent mode?
>>
>>
>> Ah "transparent". single-sign-on *is* "transparent" authentication. Except
>> that is not at all what you mean.
>>
>> The "transparent" interception you use is only getting in the way because
>> you are not pushing the proxy settings over, just the gateway settings. If
>> you push *both* over to the client then all software which uses the proxy
>> settings correctly will be able to do single-sign-on, for a transparently
>> configured and authenticated proxy. The ones which do not will have to use
>> interception and can be controlled with different security settings in the
>> proxy.
>>
>>
>>>
>>>> It is also a simple matter for Squid helpers to take the IP (or EUI /
>>>> MAC
>>>> address even) and verify them against AD to confirm there is a user
>>>> logged
>>>> in on that machine and retrieve the details of said user back to Squid.
>>>> The
>>>> external ACL helpers routinely do this for group checks.
>>>>
>>>> However, if you base the Squid security all on the IP or MAC you
>>>> *always*
>>>> run the risk of an attacker hijacking the machine or even just spoofing
>>>> that
>>>> clients IP/MAC details to bypass your Squid security controls.
>>
>>
>>
>> Amos
>
>
Received on Mon May 13 2013 - 09:18:14 MDT

This archive was generated by hypermail 2.2.0 : Mon May 13 2013 - 12:00:05 MDT