RE: [squid-users] ACL to match arbitrary reply header, in-memory fastauthentication

From: Adam Aube <[email protected]>
Date: Tue, 5 Aug 2003 08:34:10 -0400

> I am using Dansguardian to determine if something is porn, and
> I modified it to set a header (X-Naughty and X-Naughty-Why)
> so that the page would still go through, but squid should be
> able to identify it as naughty.

> The way I envision it working is, people can browse freely and
> unlogged until they get a page that dansguardian blocks, at
> which time they are sent to a login page (probably php here)
> that authenticates them to the network (using whatever method
> your network uses), then sends the username/ip pair to squid
> and is put in the struct.

If you're willing to sacrifice transparent proxying (replace with
auto-config script) and have found a way to match that header
with a Squid acl, you could save yourself some major work.

1) Setup an acl that matches the header

acl Naughty ...

2) Setup basic authentication by NCSA, LDAP, or whatever

auth_param basic ...
acl Login proxy_auth REQUIRED

3) Setup your http_access like this:

http_access allow !Naughty
http_access allow Naughty Login

It will only prompt for authentication for Naughty sites. You can
then filter the logs looking for an entry (instead of -)in the user
field.

Adam

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.237 / Virus Database: 115 - Release Date: 3/7/2001
Received on Tue Aug 05 2003 - 06:34:15 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:18:36 MST