RE: [squid-users] authentication pass through upstream server

From: Mark Engels <[email protected]>
Date: Tue, 23 Feb 2010 15:57:46 +1030

Mark Engels wrote:
> Hello all,
>
> I'm hoping this is the place to come when seeking some assistance with a squid proxy configuration issue that's giving me a little grief, and I certainly hope nothing like this has been asked before.
>
> The general idea of what I'm trying to accomplish is to have an end user enter their username and password credentials as they normally would do (there is quota enforcement and site blocking higher up that I have limited control over), and have it so that when a user, say, goes to www.educationalmaterial.com, the local squid proxy uses a predefined username and password to access the material, thus not charging the user quota download costs for accessing the material.
>
> The proxy server was supplied to us from head office with preconfigured rules to work as a local cache. I hope to leave all the existing rules in place. Also, all our internet service must filter through this 1 provided proxy; we cannot source external internet or alternate proxies.
>
> A portion of the configuration file is as below.
>
> #####
>
> cache_peer proxy.site.com parent 8080 3130 no-query default login=PASS
> auth_param digest children 5
> auth_param digest realm Squid proxy-caching web server
> auth_param digest nonce_garbage_interval 5 minutes
> auth_param digest nonce_max_duration 30 minutes
> auth_param digest nonce_max_count 50
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> acl block url_regex -i "d:/squid/var/logs/block.conf"
> acl unblock url_regex -i "d:/squid/var/logs/unblock.conf"
> acl nocache url_regex -i "d:/squid/var/logs/nocache.conf"
> no_cache deny nocache
> http_access deny block !unblock
> http_access allow all
> http_access deny all
> http_reply_access allow all
>
>
> #####
> I thought it would be a simple thing to make the required changes and started to approach it by adding the following:
> #####
>
> cache_peer proxy.site.com parent 8080 3130 no-query login="free user":pa$$word name=free
> cache_peer_access free allow free_sites
> cache_peer_access free deny all
> acl free_sites url_regex -i "d:/squid/var/logs/freesites.conf"
>
> #####
>
> Unfortunately this seemed to break the local cache and I'm not too sure where I've gone wrong. Any help with this, or even an alternate solution, would be greatly appreciated.
>

You have the right idea. That's how it's done.
But whitespace is not permitted in the parameter.

What you have there is no password with username "free .

> Note: changed proxy name and user credentials for privacy reasons, and running squid 2.5 on local and upstream server.
>

Please see my sig... :)

Your HQ provider may need to be made aware that there is no longer any
official support for 2.5. The oldest fully supported version is now 2.7.

Amos

Thank you for your help, Amos :)
Unfortunately I doubt HQ will even consider changing this system under the current management, as it affects tens of thousands of users... education ;-)
Perhaps you might be able to help again: all of our users must have a space in their account name. It is mandatory in account creation. Would there be a way around this? (Perhaps %20 like in HTML?) I hope the solution isn't in the 3.0 version of squid, or that a workaround for 2.5 might be available?
Received on Tue Feb 23 2010 - 05:28:57 MST
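
Added example, not part of the original thread and not Squid's own code: a small Python check that splits `cache_peer` lines on whitespace, as the reply above describes, and reports any `login=` value left without a password. The function name `lint_peer_logins` and the third sample line are constructed for illustration.

```python
# Added example. Assumption (from the reply above): squid.conf options are
# split on whitespace, so a space inside login= ends the value early.

def lint_peer_logins(conf_text):
    """Return (line_no, username, spilled_token) for each cache_peer login=
    value that ends up without a password after whitespace splitting."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        tokens = line.split()
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        if len(tokens) < 5 or tokens[0] != "cache_peer":
            continue
        options = tokens[5:]
        for i, opt in enumerate(options):
            if not opt.startswith("login="):
                continue
            value = opt[len("login="):]
            if value == "PASS":          # forwards the client's own credentials
                continue
            user, _, password = value.partition(":")
            if not password:
                # The next token is usually the rest of the intended value.
                spilled = options[i + 1] if i + 1 < len(options) else None
                findings.append((line_no, user, spilled))
    return findings

# Lines 1 and 2 are quoted from the thread; line 3 is constructed for contrast.
SAMPLE = "\n".join([
    'cache_peer proxy.site.com parent 8080 3130 no-query default login=PASS',
    'cache_peer proxy.site.com parent 8080 3130 no-query login="free user":pa$$word name=free',
    'cache_peer proxy.site.com parent 8080 3130 no-query login=freeuser:pa$$word name=free',
])

if __name__ == "__main__":
    for line_no, user, spilled in lint_peer_logins(SAMPLE):
        print(f"line {line_no}: login user {user!r} has no password; "
              f"stray token: {spilled!r}")
```

Only the second sample line is reported: its username comes out as `"free` with no password, and the remainder of the intended credential appears as a separate token.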
