hello,
we use so called "tunnel sites" with our proxy configuration. that means, we
have two types of users: 1) user with (full) internet access, 2) users which
only allowed to access certain websites. for this we have setup an acl which
lists domains that are free to access
dstdomain .some.site
dstdomain .free.site
dstdomain .foo.com
the problem comes up, when these sites include stuff from other sites. most of
the time ads, statitics. etc. so we have not only have to list the sites but
also list "all" other sites. eg.
dstdomain .some.site
dstdomain .ad.server
dstdomain analytics.google.com
dstdomain .ivwbox.de
this is quite annoying. both for us but also for our users. we use ntlm auth.
when they access those "tunnel" sites it happens that the (basic ntlm) auth
dialog coming up, as the user was authenticated but not allowed to access
internet, so squid asks for a user/password which has internet access.
is there any chance to change this? when an ad banner is included from another
site, squid can't really know that this is a "good" ad because it comes from a
free tunnel website.
there is a authenticate_ttl which "caches" successfull authentications. is
there a way to have also not successfull authentications to be
cached/rememebered for a certain time? eg. ask for authentication, user hits
cancel and squid won't ask for another authentication for the next hour or so...
is there any other way to solve this problem?
--
mit freundlichen Grüßen
Markus Rietzler - <rietzler_software/>
Rechenzentrum der Finanzverwaltung NRW
