Thank you Amos as always. My current configuration has not changed much, it is as follows:

visible_hostname s-px4.mydomain.local
http_port 3128
error_directory /opt/squid-503/share/errors/es-ar
forwarded_for transparent
shutdown_lifetime 0 seconds
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
read_timeout 5 minutes
request_timeout 3 minutes
cache_mem 1024 MB
maximum_object_size_in_memory 4 MB
memory_cache_mode always
ipcache_size 2048
fqdncache_size 4096
cache_mgr support@mydomain.local
httpd_suppress_version_string on
coredump_dir /opt/squid-503/var/cache/squid

auth_param negotiate program /opt/squid-503/libexec/negotiate_kerberos_auth -i -r -s GSS_C_NO_NAME
auth_param negotiate children 300 startup=150 idle=10
auth_param negotiate keep_alive on
auth_param basic program /opt/squid-503/libexec/basic_ldap_auth -P -R -b "dc=mydomain,dc=local" -D "cn=ldap,cn=Users,dc=mydomain,dc=local" -W /opt/squid-503/etc/ldappass.txt -f sAMAccountName=%s -h s-dc00.mydomain.local
auth_param basic children 30
auth_param basic realm Proxy Authentication
auth_param basic credentialsttl 4 hour

external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D MYDOMAIN.LOCAL
acl NO_INTERNET external NO_INTERNET_USERS

acl SSL_ports port 443
acl SSL_ports port 8543 # LiveU Central
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 81 # coto "yo te conozco" donkey ports
acl Safe_ports port 623 # coto "yo te conozco" donkey ports
acl Safe_ports port 8543 # LiveU Central management
acl Safe_ports port 18255 # LiveU Central files download
acl Safe_ports port 33080 # ddjj
acl Safe_ports port 9090 # asociart
acl Safe_ports port 8713 # handball results
acl Safe_ports port 8080 # cponline.org.ar

# Lists of domains and IPs
acl LS_winupddom dstdomain "/opt/squid-503/acl/winupddom.txt"
acl LS_whitedomains dstdomain "/opt/squid-503/acl/whitedomains.txt"
acl LS_blackdomains dstdomain "/opt/squid-503/acl/blackdomains.txt"
acl LS_porn dstdomain "/opt/squid-503/acl/porn.txt"
acl DOM_Malware dstdomain "/opt/squid-503/acl/DOM_Malware.txt"
acl IP_Malware dst -n "/opt/squid-503/acl/IP_Malware.txt"
acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"

# Access lists
acl http proto http
acl port_80 port 80
acl port_443 port 443
acl port_9000 port 9000
acl port_5061 port 5061
acl port_5065 port 5065
acl CONNECT method CONNECT

# Denied internet to member users of INTERNET_OFF group
http_access deny NO_INTERNET all

# Allow webex without authentication
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
http_access allow port_9000 LS_webex
http_access allow port_5061 LS_webex
http_access allow port_5065 LS_webex

http_access deny LS_blackdomains
http_access deny LS_porn
http_access deny DOM_Malware
http_access deny IP_Malware

# default SQUID rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localhost

# Apply 20Mbit/s QoS to members of Active Directory Authenticated Users group
acl Domain_Users note group AQUAAAAAAAUVAAAA7TIfbORUj8PLQv4YAQIAAA==
delay_pools 1
delay_class 1 1
delay_parameters 1 2500000/2500000
delay_access 1 allow Domain_Users

# Allow authenticated users to use internet and deny to all others
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

Thank you very much in advance for your valuable help.

Best regards
Gabriel

On Tue, Sep 29, 2020 at 07:46, Amos Jeffries (squ...@treenet.co.nz) wrote:

> On 29/09/20 3:55 am, Service MV wrote:
> > In my case I have the domains, for example from webex, which I get from
> > their official support page. It seems that I am doing something wrong or
> > I am not understanding well.
> > I base on this documentation
> > https://wiki.squid-cache.org/ConfigExamples/Authenticate/Bypass
> >
> > The error I get is 407. I understand I should not request authentication
> > to those domains with the configuration I have, but apparently it does.
> >
>
> In the (possibly outdated now) config you showed earlier the
> "NO_INTERNET" ACL might produce a 407 if credentials are completely
> missing, but not re-auth if they are invalid.
> If you wish to have a free audit please post your current squid.conf
> rules and I will comment on useful changes.
>
>
> > Below I have a bandwidth control configuration with acl note, I don't
> > know if that will be triggering the webex client authentication request.
> > Maybe someone with more experience can tell me.
>
> "note" ACL will match if the data is available but not trigger
> authentication sequences. That is what makes it so useful for fast-group
> access checking logins.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
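
The ordering point in the quoted reply (the %LOGIN-based "NO_INTERNET" ACL can produce a 407 when credentials are missing) can be checked mechanically, because Squid evaluates http_access rules top-down and stops at the first match. The following is an added example, not part of the original message or of Squid: a small Python lint, with hypothetical function names and a constructed excerpt of the posted config, that finds the first rule certain to test credentials and lists the later allow rules that carry no auth ACL.

```python
# Constructed excerpt of the squid.conf posted above (only the lines the check needs).
SAMPLE_CONF = """\
external_acl_type NO_INTERNET_USERS ttl=3600 negative_ttl=3600 %LOGIN /opt/squid-503/libexec/ext_kerberos_ldap_group_acl -g INTERNET_OFF -i -D MYDOMAIN.LOCAL
acl NO_INTERNET external NO_INTERNET_USERS
acl LS_webex dstdomain "/opt/squid-503/acl/webex.txt"
http_access deny NO_INTERNET all
http_access allow http port_80 LS_webex
http_access allow CONNECT port_443 LS_webex
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
"""

def directives(conf):
    """Yield each directive as a token list, with '#' comments stripped."""
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            yield tokens

def auth_acls(conf):
    """ACL names that need credentials: proxy_auth types, or external helpers fed %LOGIN."""
    login_helpers, names = set(), set()
    for t in directives(conf):
        if t[0] == "external_acl_type" and "%LOGIN" in t[2:]:
            login_helpers.add(t[1])
        elif t[0] == "acl" and len(t) > 3:
            if t[2].startswith("proxy_auth") or (t[2] == "external" and t[3] in login_helpers):
                names.add(t[1])
    return names

def shadowed_bypass_rules(conf):
    """Return (first rule that always tests credentials, later allow rules with no auth ACL)."""
    needs_auth, first, shadowed = auth_acls(conf), None, []
    for t in directives(conf):
        if t[0] != "http_access" or len(t) < 3:
            continue
        acls = [a.lstrip("!") for a in t[2:]]
        if first is None:
            # Simplified model: only an auth ACL in first position is certain to be evaluated.
            if acls[0] in needs_auth:
                first = " ".join(t[1:])
        elif t[1] == "allow" and not needs_auth.intersection(acls):
            shadowed.append(" ".join(t[1:]))
    return first, shadowed
```

Run against a full squid.conf, the second element also lists rules such as `allow localhost`, so the output is a shortlist to review rather than a verdict; the intended no-authentication rules are the ones that should not appear after the first credential-testing rule.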