Hello, I am running a Mac OS X Server (10.3.7) that among other things does web hosting (for our webpage) and proxy caching and authentication with squid. I have two versions of squid running with dansguardian in the middle for content filtering. The first version of squid does the authentication to see if the user is allowed onto the internet (this is at a school where teacher accounts are granted access to the internet but students are not) along with a bit of blocking based on bad words in the URL. The second instance of squid is there to do the caching and to communicated with dansguardian. Everything seems to be working great - except that client machines on my network can't get to our homepage. This is what part of my squid configuration looks like (below the http_access tag): ########### OUR RULES ############## # First block sites that we know we don't want anyone going to # this is simply filtering the URLs, not the page content http_access deny block_webhostURL http_access deny block_webhostDOM http_access deny block_piratesURL http_access deny block_piratesDOM http_access deny block_advertisersDOM http_access deny block_advertisersURL http_access deny block_websearchDOM http_access deny block_websearchURL http_access deny block_entertainmentDOM http_access deny block_entertainmentURL http_access deny block_anonymizersDOM http_access deny block_badlangURL http_access deny block_pornDOM http_access deny block_pornURL # PAM stuff to allow for authentication of users in "internet" group auth_param basic program /path/to/pam/file/pam_auth auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours # allows local machines to get to homepage acl our_website dst x.x.x.x #actual ip address not shown to protect the innocent acl localnet src 192.168.1.0/24 http_access allow localnet our_website # requires authentication before getting access to internet acl password proxy_auth REQUIRED http_access allow password # And finally deny all other access to this proxy http_access deny all #### END ##### So, first off we block sites based on URL with acl's that point to word lists. This works great. Then the PAM stuff is what I'm using to authenticate to the Open Directory to see if the user should be allowed onto the Internet. That works too. The next bit is where problems occur. What I want to have happen is for the machines to be allowed access to our website without having to authenticate through the proxy. With this setup, it doesn't work. It doesn't ask for authentication when I try to go to our homepage, it just times out with a generic IE or Firefox "The page cannot be displayed" error. Note that all the browsers are setup to bypass the proxy when trying to access our local web address. What I've tried though is replacing our information with New York University's info as a test: # allows local machines to get to homepage acl our_website dst 128.122.108.74 #nyu's ip address acl localnet src 192.168.1.0/24 http_access allow localnet our_website This works perfectly. When I try to go to the NYU homepage with a client-machine's browser (either typing in www.nyu.edu or the IP address) I get there without having to authenticate. Switching back to our info, I then tried to just type in our IP into the browser. Boom, I get our homepage without having to authenticate. But I still can't get our homepage to come up by typing in our web address. In addition to all of this, when I use the browser on our server (which is also pointing to the proxy but bypassing it for our local address) I get to our homepage no problem. Anyone out there have any ideas on what could be the problem? Thanks, JK
