Hi all,

I am using Squid 2.5.STABLE1 on RH7.2 and have successfully implemented NTLM authentication (after much grief related to getting Samba to compile properly).

I was following another thread in this list about NTLM and not needing a proxy_auth line when using an external authenticator. That turned out to be true; however, it seems to also then allow non-authenticated use of the proxy! I see now that there are large numbers of lines in my logs where the 'user' is the machine's IP address and the download is permitted. Previously they would be denied. Is this correct behaviour? I find I need:

    acl password proxy_auth REQUIRED
    http_access deny all !password

for access to non-authenticated users to be denied. Or am I doing something dumb (again!)?

Also, should I be able to use:

    acl staff external wb_group Teachers

in an http_access rule like:

    acl webmail dstdomain "/etc/dansguardian/blacklists/mail/domains"
    http_access allow webmail staff
    http_access deny webmail

because it doesn't seem to work for me; the docs seem to indicate that it is possible. 'Teachers' is a group on the NT Server.

****************************************************************************

I believe the relevant lines of my conf file are below:

    auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param basic program /usr/local/bin/smb_auth -W OLMC_CD -U 10.192.0.11
    auth_param basic children 20
    auth_param basic realm Poxy server at OLMC
    auth_param basic credentialsttl 1 hours
    external_acl_type wb_group %LOGIN /usr/local/squid/libexec/wb_group
    acl winauth external wb_group wwwusers
    acl staff external wb_group Teachers
    authenticate_ttl 1 hour
    authenticate_ip_ttl 300 seconds

    # TIMEOUTS

    # ACCESS CONTROLS
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl cachemanager src 10.192.0.21
    acl SSL_ports port 443 563 4545
    acl Safe_ports port 21 70 80 81 82 88 210 563 1010 1025-65535 1082 4545
    acl CONNECT method CONNECT
    acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCL UNLOCK
    acl password proxy_auth REQUIRED
    http_access deny all !password

_________________________________________
Simon Bryan
IT Manager
OLMC Parramata
ICQ#: 137562751
_________________________________________
