Hello Squid-Community!

I need your help with a rather non-standard config. My aim is as follows:

-> Users that use my proxy (will deploy it via group policy in AD) should be able to use my proxy without authentication
-> if a user invokes SquidGuard (he wants to call up a URL on my blacklists), he should get prompted for his username and password
-> only users of the AD-group webusers should be able to continue and go to this site on the blacklist

I know, it isn't the best way to use SquidGuard, but a customer wants it that way.
My current config is as follows:

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f sAMAccountName=%s -h 172.30.0.36
auth_param basic children 10
auth_param basic realm xxxx
auth_param basic credentialsttl 2 hours

external_acl_type webusers %LOGIN /usr/lib/squid/ext_ldap_group_acl -b "dc=xxxx,dc=local" -D testuser@xxxx.local -W /etc/squid/squid.secrets -f "(&(sAMAccountName=%v)(memberOf=cn=%a,cn=Users,dc=xxxx,dc=local))" -h 172.30.0.36

authenticate_ip_ttl 1 second

acl auth proxy_auth REQUIRED
acl no_webusers dstdomain .xxxx.at
acl ldapgroup_webusers external webusers webusers

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow no_webusers
http_access allow ldapgroup_webusers
http_access deny all

http_port 3128

url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 4

So my users get prompted for their username/passwords every time they restart their browser. If they call up a domain on my blacklists, they get ACCESS DENIED.

Does anyone know how you can achieve this? Until now, I tried really hard, thought it would be a good idea to ask the user-list!

Regards,
Kevin

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Authentication-if-URL-is-on-a-Blacklist-from-SquidGuard-tp4681950.html
Sent from the Squid - Users mailing list archive at Nabble.com.
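
A small Python model of how Squid walks the http_access lines in the message above, added here as an illustration; it is not part of the original post and not Squid's own code. It assumes first-match-wins evaluation, a 407 challenge whenever a login ACL is tested without credentials, and a SquidGuard setup that redirects every listed URL; the `blacklisted` ACL, the `GATED` ordering and the sample hosts are hypothetical.

```python
# Simplified model of Squid's http_access pass (added example, not Squid code).
# Lines are read top-down; a line matches only if every ACL on it matches;
# the first matching line decides. Port and manager rules are left out.
BLACKLIST = {"blocked.example"}              # constructed stand-in for the SquidGuard lists
LOGIN_ACLS = {"auth", "ldapgroup_webusers"}  # ACLs that need a username

def acl_matches(name, req):
    if name == "auth":
        return req["user"] is not None
    if name == "ldapgroup_webusers":
        return "webusers" in req["groups"]
    if name == "no_webusers":                # dstdomain .xxxx.at
        return ("." + req["host"]).endswith(".xxxx.at")
    if name == "blacklisted":                # hypothetical ACL, not in the posted config
        return req["host"] in BLACKLIST
    if name == "all":
        return True
    raise ValueError("undefined ACL: " + name)

def http_access(rules, req):
    for action, terms in rules:
        matched = True
        for term in terms:
            name = term.lstrip("!")
            if name in LOGIN_ACLS and req["user"] is None:
                return "CHALLENGE"           # 407: credentials needed to test this ACL
            if acl_matches(name, req) == term.startswith("!"):
                matched = False
                break
        if matched:
            return action.upper()
    return "DENY"

def outcome(rules, req, rewriter_sees_blacklisted=True):
    verdict = http_access(rules, req)
    # The URL rewriter runs only after http_access has allowed the request.
    if verdict == "ALLOW" and rewriter_sees_blacklisted and req["host"] in BLACKLIST:
        return "BLOCKPAGE"                   # assumed: SquidGuard redirects every listed URL
    return verdict

# Rule order from the posted config.
POSTED = [("deny", ["!auth"]), ("allow", ["no_webusers"]),
          ("allow", ["ldapgroup_webusers"]), ("deny", ["all"])]
# Hypothetical ordering that tests the login ACL only for listed destinations.
# A real config would also restrict by client address before the first allow.
GATED = [("allow", ["!blacklisted"]), ("allow", ["ldapgroup_webusers"]),
         ("deny", ["all"])]

if __name__ == "__main__":
    anon = {"host": "www.example.org", "user": None, "groups": set()}
    print(outcome(POSTED, anon), outcome(GATED, anon, False))
```

In the posted order, `deny !auth` is reached by every request, so the login ACL is tested before the destination is ever looked at; in the hypothetical order the rewriter has to be kept away from listed requests (Squid's `url_rewrite_access` directive controls this), otherwise group members still land on the block page.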