On 2/04/2012 5:54 p.m., Jasper Van Der Westhuizen wrote:

-----Original Message-----
From: Amos Jeffries

On 30/03/2012 11:45 p.m., Jasper Van Der Westhuizen wrote:
Hi everyone

I've been struggling to get a very specific setup going.

Some background:  Our users are split into "Internet" users and "Non-Internet" users.
Everyone in a specific AD group is allowed to have full internet access. I have two SQUID proxies with
squidGuard load balanced with NTLM authentication to handle the group authentication. All traffic also then
gets sent to a cache peer.

This is basically what I need:
1. All users(internet and non-internet) must be able to access sites in 
"/etc/squid/lists/whitelist.txt"
2. If a user wants to access any external site that is not in the whitelist then he
must be authenticated. Obviously a non-internet user can try until he is
blue in the face, it won't work.

These two scenarios are working 100%, except for one irritating bit. Most of the
whitelisted sites have got linked websites like facebook or twitter or youtube in
them that load icons and graphics or ads etc. This causes an auth-prompt for non-internet
users. I can see the requests in the logs being DENIED.

The only way I could think of getting rid of these errors was to
implement a "http_access deny !whitelist" after the allow. This works
great for non-internet users and it blocks all the linked sites
without asking to authenticate, but obviously this breaks access to
all other sites for authenticated users (access denied for all sites).
You can use the "all" hack and two login lines:

http_access allow whitelist
# allow authed users, but don't challenge if missing auth
http_access allow authed all
# block access to some sites unless already logged in
http_access deny blacklist
http_access deny !authed


The authed users may still have problems logging in if the first site they visit is one of
the "blacklist" ones. But if they visit another page first they can login and
get there.


Amos
Hi Amos

Thank you for the reply.

I think I already tried this method but it still fails. In any case I tried 
what you suggested and the problem remains that my 
unauthenticated(non-internet) users can get to the whitelisted sites just fine, 
but they still get authentication prompts for the linked content like facebook 
and youtube that the site contains. An example of a site is 
http://www.triptrack.co.za/ and you will see what I mean. At the bottom right 
of the site there are links to facebook and youtube. Those links cause an
authentication request to the unauthenticated (or non-internet) users. I can't
have these prompts appear for these users. They have a set list of sites they 
can visit, and it should work for them and should not get asked to 
authenticate. Only once they try and go directly to sites that are not in the 
whitelist, should they be prompted, and obviously denied since they are not 
included in the AD group.

The problem of course is that they *are* going "directly" to the blacklisted sites when they load an object from those sites, even if the object was embedded in some third-party whitelisted site's HTML. The HTTP protocol makes no distinctions about how HTML, XML, or Flash document structures group objects. All Squid sees is a request for an object on a non-whitelisted site.


Current rules:
http_access allow whitelist
http_access allow authenticated all
http_access deny blacklist
http_access deny !authenticated

Kind Regards
Jasper
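Added example (not from Amos, Jasper or the Squid project): the point above is that every embedded object on a whitelisted page is a separate proxy request to its own host, so a page can be audited in advance for the third-party hosts that will be denied or challenged. The script below pulls the auto-fetched objects (stylesheets, images, scripts, frames) out of a page and checks their hostnames against a whitelist using a simplified model of Squid's dstdomain matching (a leading dot matches the domain and its subdomains). The whitelist, the HTML page and the hostnames in it are constructed sample data.

```python
"""Audit a whitelisted page for embedded objects served from hosts that are
not on the proxy whitelist (constructed example, not Squid code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed whitelist in squid dstdomain style: a leading dot matches the
# domain itself and every subdomain; an entry without a dot matches exactly.
WHITELIST = [".triptrack.co.za", "www.example.com"]

# Constructed HTML standing in for a whitelisted page that embeds objects
# from social-media hosts.
SAMPLE_HTML = """
<html><head><link rel="stylesheet" href="/css/site.css"></head>
<body>
<img src="/images/logo.png">
<img src="http://static.ak.fbcdn.net/rsrc.php/icon.png">
<script src="//platform.twitter.com/widgets.js"></script>
<iframe src="http://www.youtube.com/embed/abc123"></iframe>
<a href="http://www.facebook.com/triptrack">Find us on Facebook</a>
</body></html>
"""

# Tags whose referenced object the browser fetches automatically while
# rendering the page. Plain <a href> links are NOT fetched until clicked,
# so they never cause an unexpected proxy request.
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                  "iframe": "src", "embed": "src", "object": "data"}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of auto-fetched objects in a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # Resolve relative and scheme-relative ("//host/...") URLs.
                self.urls.append(urljoin(self.base_url, value))


def dstdomain_match(host, pattern):
    """Simplified dstdomain semantics: '.x.y' matches x.y and *.x.y."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_whitelisted(host, whitelist=WHITELIST):
    return any(dstdomain_match(host, p) for p in whitelist)


def embedded_resources(html, base_url):
    parser = ResourceCollector(base_url)
    parser.feed(html)
    return parser.urls


def audit(html, base_url, whitelist=WHITELIST):
    """Return {hostname: [urls]} for embedded objects whose host is not
    whitelisted; each of these is a request the proxy will not allow
    via the whitelist rule."""
    offenders = {}
    for url in embedded_resources(html, base_url):
        host = urlsplit(url).hostname
        if host and not is_whitelisted(host, whitelist):
            offenders.setdefault(host, []).append(url)
    return offenders


if __name__ == "__main__":
    for host, urls in audit(SAMPLE_HTML, "http://www.triptrack.co.za/").items():
        print(host)
        for u in urls:
            print("   ", u)
```

Running it against the sample page reports static.ak.fbcdn.net, platform.twitter.com and www.youtube.com as hosts the page pulls objects from; those are exactly the requests that show up as DENIED (or as auth challenges) in the access log for non-internet users, and the output is the list to decide on, either by adding the hosts to the whitelist or by accepting that the objects will not load.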


