Chris Robertson wrote:
-----Original Message-----
From: Oliver Hookins [mailto:ohookins@xxxxxxxxx]
Sent: Monday, February 07, 2005 3:34 PM
To: Chris Robertson
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: [squid-users] Can't see usernames in logs after enabling
NTLM
Chris Robertson wrote:
If you want all requests to be authenticated first, use "http_access deny
!AuthGroup" at the top. That way any requests from sources that are not
authenticated will be denied and asked for authentication. Requests that
are authenticated will pass on down to the next ACL (not being explicitly
denied, but not explicitly allowed either).
The authentication method is just passing through fakeauth to grab
usernames anyway so it's not quite authentication as such. But basically
we want all requests to pass through fakeauth in order to grab usernames.
Then we want to:
* allow access to anyone who is authorised by LDAP group
* requests that aren't LDAP group authorised but ARE on the SURFING IP
ACL list should be allowed
* requests that aren't LDAP authorised and aren't from an IP on the
SURFING ACL but are to an allowedsite should be allowed
* deny everything else
http_access allow AuthGroup
http_access allow SURFING
http_access allow allowedsites
http_access deny all
Will that do it, and grab authentication details for every request?
Thanks,
Oliver
Here is how I read your setup:
Everyone is prompted for authentication (which is passed to fakeauth_auth,
and so passes) and the credentials are tested against LDAP (http_access
allow AuthGroup). If the credentials map to an allowed group the person
surfs wherever they wish, otherwise the client IP is checked against allowed
sites. If the client IP is listed in SURFING they are allowed to surf
wherever they wish, otherwise their destination domain is checked against
allowedsites. If found, the request is allowed.
So to be denied, it has to be someone not in an authorized LDAP group,
surfing from a computer not in the SURFING IP range going to a site not
listed in allowedsites. In any case, all transactions are logged to
whatever name the surfer provided to the authentication request.
That should about cover it...
Chris
Yes that is exactly right. Thanks very much, Chris!
Oliver