[squid-users] RE: redirect authenticate and surf

From: James Ambursley <[email protected]>
Date: Tue, 18 Mar 2003 06:13:02 -0500

I would like non authenticated users to be rediercted to an internal site and have no access. I would like users when they initially connect to be redirected to a internal web site. Then they will authenticate with a link on the web site via radius and then surf.
Squidguard redirects users to the internal site. After the users authenticate they should be allowed to surf freely.
 

-----Original Message-----
From: Rick Matthews [mailto:Rick@Matthews.net]
Sent: Monday, March 17, 2003 10:00 PM
To: James Ambursley
Cc: Squidguard@Squidguard. Org
Subject: RE: redirect authenticate and surf

James Ambursley writes:
>
> Please help, I would like to have users authenticate, via radius
> and redirect to a page. Only authenticated users can surf freely.
> All users are redirected to the page, then authenticate, then surf
> freely.

If I am interpreting correctly, the two important points from your
statements above are:

> users authenticate via radius
> Only authenticated users can surf freely.

Is that meant to be different from "Only authenticated users are
allowed access"? Do you want to allow limited access to
non-authenticated users?

What part do you want squidGuard to play in this?

Does your squid configuration authenticate properly without
squidGuard? (comment out redirect_program)

> I have tried many combinations, and none work.

I guess I need to better understand what you are trying to do. Squid
can handle authentication and access control. Get that part working
first before you factor squidGuard into the mix.

> My redirector is squidguard. I have been able to redirect, but
> users at the page are only able to surf to pages which I preset in
> my list file.

That's exactly what you told squidGuard to do in squidGuard.conf:
- You haven't defined any source groups, so everyone is processed
  under the default acl.
- The default acl is "pass test none". This says to allow access
  to the test destination group, which you said includes 4 domains.
- If the incoming request is not for one of those 4 domains, you've
  told squidGuard to redirect anybody and everybody to:
  "http://10.190.1.86/?"

Please provide additional information so that we can help.

Rick

> _________________________________________________________
> My squid.conf is below:
>
> http_port 80
> icp_port 80
> httpd_accel_host 10.190.1.86
> acl acceleratedHost dst 127.0.0.1/255.255.255.255
> httpd_accel_port 80
> httpd_accel_host 127.0.0.1
> udp_incoming_address 0.0.0.0
> udp_outgoing_address 255.255.255.255
> hierarchy_stoplist cgi-bin ?
> #acl QUERY urlpath_regex cgi-bin \?
> acl QUERY url_regex cgi-bin \?
> no_cache deny QUERY
> no_cache deny acceleratedHost
> #requests for localhost not going to peer
> always_direct allow acceleratedHost
> cache_dir ufs /usr/local/squidtest/var/cache 100 16 256
> cache_access_log /usr/local/squidtest/var/logs/access.log
> cache_log /usr/local/squidtest/var/logs/cache.log
> log_ip_on_direct on
> pid_filename /usr/local/squidtest/var/logs/squid.pid
> hosts_file /etc/hosts
> cache_effective_user squid
> cachemgr_passwd secret password
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> negative_ttl 2 minutes
> emulate_httpd_log on
> #
> #USER ACCESS PART
> auth_param basic program /opt/squid/auth/bin/squid_rad_auth -c /opt/squid/auth/etc/squid_rad_auth.conf
> auth_param basic children 10
> #auth_param basic realm MY Squid proxy-caching server
> auth_param basic credentialsttl 1 minutes
> redirect_program /usr/local/squidguard/bin/squidGuard -c /usr/local/squidguard/squidguard.conf
> redirect_children 20
> #acl foo proxy_auth REQUIRED
> #acl foo proxy_auth username
> #http_access allow foo
> #acl daytime time 08:00-17:00
> #authenticate_ttl 30 seconds
> #
> acl allowed_hosts src 10.190.1.0/255.255.255.0
> acl all src 0.0.0.0/0.0.0.0
> http_access allow allowed_hosts
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 110 # pop3
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 25 # smtp
> #acl Safe_ports port 70 # gopher
> #acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> #acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> #http_access allow redirect_access
> #http_access allow foo
> http_reply_access allow Safe_ports
> icp_access allow Safe_ports
> visible_hostname MYSQUID
> httpd_accel_single_host on
> httpd_accel_with_proxy on
> forwarded_for on
> log_icp_queries on
> error_directory /usr/local/squidtest/share/errors/English
> ie_refresh off
> #http_access allow bar
> http_access allow all
> http_access allow localhost
> http_access allow acceleratedHost
> #http_access allow acceleratedPort
> http_access allow Safe_ports
> http_access allow localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> _______________________________________________________________
>
> my squidguard.conf is below
>
> logdir /usr/local/squidguard/logs
> #dbhome /usr/local/squidguard/db
> dest test {
> domainlist /usr/local/squidguard/list
> }
>
> acl {
> default {
> pass test none
> redirect http://10.190.1.86/?
> }
> }
>
> My allowed list:
>
> more /usr/local/squidguard/list
>
> excite.com
> winproxy.com
> buy.com
> imgfarm.com
>
>
Received on Tue Mar 18 2003 - 04:12:41 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:06 MST