[squid-users] Squid and Firewall rules

From: GG BB <[email protected]>
Date: Mon, 1 Mar 2004 10:45:54 +0100 (CET)

Hi List!

I'm actually working with
squid-2.5.STABLE3 installed on a Slackware 7.2

this box acts as a Gateway, Firewall and VPN(FreeSWAN)
so I've set up my own private LAN and users

It's all working fine now, Squid, Firewall, and so on,
I just need that all users on the private LAN -MUST-
go through the Squid-Firewall Box to surf the WEB..

at the moment I've added the Transparent Proxy
iptables rule on my Firewall settings, through which
all traffic passing through port 80 is then redirected
to my Squid-Firewall box, on port 3128.

-- iptables -t nat -A PREROUTING -i eth1 -p tcp
--dport 80 -j REDIRECT --to-port 3128 --

But with this rule in, I get that all users, even if
they don't set their Browsers to use a Proxy, can surf
the WEB withouth being authenticated by Squid, but
passing through the Proxy anyway (in fact I can see
them on my Access.log file)

what I wish to do is to set the Squid or Firewall
settings to impose a Squid Authentication even if my
users don't set their Browsers to use a Proxy, so

USER1 Browser-configured --> Authentication = Allowed

USER2 NoBrowser-configured --> Authentication or ERROR
You are not allowed to ...

I hope I've been clear enough ,if not, please ask for
more information ..
here are my Squid settings:

## GENERIC SETTINGS

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
emulate_httpd_log on
auth_param basic program
/etc/webmin/squid/squid-auth.pl
/etc/webmin/squid/users
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

## ACLs

acl myPwd proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl mylan src 10.4.4.4/24
acl manager proto cache_object
acl localhost src 192.168.1.80
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

## HTTP_ ACCESS SETTINGS

http_access deny to_localhost
http_access deny !mylan
http_access allow myPwd
http_access allow mylan
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

Thanks !!

______________________________________________________________________
Yahoo! Mail: 6MB di spazio gratuito, 30MB per i tuoi allegati, l'antivirus, il filtro Anti-spam
http://it.yahoo.com/mail_it/foot/?http://it.mail.yahoo.com/
Received on Mon Mar 01 2004 - 03:35:54 MST

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:01 MST