[squid-users] Re: Kerberos authentication that doesn't block

From: Trever L. Adams <trever.adams_at_gmail.com>
Date: Fri, 30 Aug 2013 09:27:25 -0600

> On 30/08/2013 4:32 a.m., Trever L. Adams wrote:
>> Hello everyone,
>>
>> I am having a difficult time. I am not just trying to do something
>> similar to
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass, but
>> without blocking most sites for unauthenticated users.
>
> It is a key property of secure authentication such as Kerberos that no
> client *starts* by shotgunning their credentials to unknown recipients.
>
I understand this. And I understand that Squid has to challenge.

>> The sites I need to block except for certain groups / authentication,
>> etc., are not known at http_access time, only at http_reply_access time.
>>
>> Because of this, I am not sure how to trigger the negotiate process and
>> not block authenticated users. The below does not work. I am not sure
>> why it doesn't, but it does block on access control / authentication for
>> all web sites, not just the category blocked (yes, I left the deny on
>> http_reply_access out below, but it exists).
>
> How are you defining "blocking"?
>
> And how do you expect authentication to be performed without
> credentials to verify?
>
> Amos

I get an error if no credentials or incorrect credentials are sent. It
comes up and says "Cache Access Denied" or some such.

I have unauthenticated guests on the network in question. These should
fail to authenticate or refuse to as the case may be. They should be
able to access most web pages.

The problem is there are some categories (AI page classifier in use
here) of pages that should only be available to a subset of
authenticated users. So, somehow, I need to try to get users to
authenticate. Things should work whether or not they do. If they do, and
they are in appropriate groups (looking at writing a lua external acl at
the moment, but the wbinfo one can be used if not) then they can access
certain categories.

I do have transparent proxying working, so if this cannot be done, I may
just have the users not authenticating use that, but that defeats the
caching part of the setup which is very much desired.

Thank you for the response and any help that may be offered,
Trever
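An added example, not part of the original post and not the lua helper Trever mentions: a Python external_acl_type helper for the group check described above, speaking Squid's line protocol (one request per line, "OK" or "ERR" per reply) and stripping the Kerberos realm before the lookup. The group table, the helper name and squid.conf lines in the docstring, and the assumption that an absent login arrives as "-" are all constructed for illustration; a real deployment would query wbinfo or LDAP instead.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: is this Kerberos login in a group?

Hypothetical squid.conf wiring (names are assumptions):
  external_acl_type krbgroup ttl=300 %LOGIN /usr/local/bin/krb_group_acl.py
  acl restricted_users external krbgroup staff
With the default quote=url, Squid sends "<login> <group>..." URL-encoded
(prefixed by a channel-ID when concurrency=N is set) and reads back
"OK" or "ERR" (echoing the channel-ID when present).
"""
import sys
from urllib.parse import unquote

# Constructed sample directory for the example; keys are bare usernames.
GROUP_MEMBERS = {
    "staff": {"alice", "bob"},
    "students": {"carol"},
}


def principal_to_user(login):
    """Kerberos logins arrive as user@REALM; drop the realm and fold case,
    since realm and username casing vary between clients."""
    return login.split("@", 1)[0].lower()


def check_line(line, members=GROUP_MEMBERS, concurrent=False):
    """Return 'OK' if the login belongs to any requested group, else 'ERR'.
    An empty line, a missing login (assumed to arrive as '-') or no groups
    all yield 'ERR' so an unauthenticated guest never matches the ACL."""
    fields = [unquote(f) for f in line.strip().split()]
    prefix = ""
    if concurrent and fields:          # channel-ID must be echoed back
        prefix, fields = fields[0] + " ", fields[1:]
    if len(fields) < 2 or fields[0] == "-":
        return prefix + "ERR"
    user = principal_to_user(fields[0])
    for group in fields[1:]:
        if user in members.get(group, ()):
            return prefix + "OK"
    return prefix + "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()             # Squid blocks on each reply; never buffer


if __name__ == "__main__":
    main()
```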

Received on Fri Aug 30 2013 - 15:27:33 MDT
