On Mon, Oct 22, 2007 at 11:44:17AM +0200, Alexandre Mackow wrote: > Squid is running and perfectly works with an authentification > based on AD (Ntlm) .. > So for my users who are not fully authorized, i create an acl > "acl sites_ok url_regex "/etc/squid/sitesok.list" > http_access allow sites_ok" > > With 3 sites for evrybody.... > The probleme that when a user is not autorized with ntlm and go to > a page authorized with url_regex, when a link is present on the > page (I think), an authentification windows open ...and the user > have to click to pass the message..... When a browser accesses a site, it will download all resources required to display it. The main ones to look for are style sheets, scripts, and embedded images and other types of media. You might find the "Firebug" extension for Firefox is useful for identifying all the things your browser is accessing in order to render a page. You will need to permit unauthenticated access to every resource on the page(s) you want to allow access to in order for a user to be able to browse it without being prompted to authenticate. Note that it's perfectly legitimate for some of the resources used by a page to be located on a different server, and even a completely unrelated domain. A good example is advertising scripts, which typically live on an adhost's servers (e.g. doubleclick.net). It's also possible that the browser is "pre-fetching" pages linked to by the site, by following normal hyperlinks. Most browsers don't do this "out of the box" though, only with the help of "internet accelerator" type software. So while this is posible, the most likely cause of the authentication popup is that the sites you're allowing access to include references to media or scripts located on other servers which you aren't allowing access to. AFAIK, there's no way in squid to tell it to allow a site and "everything on it". If working out what external resources the site requires and permitting access to them is not an option (e.g. it's outside of your control or changes frequently), you might be able to use the "Referer" header from the client's request in an ACL -- but if you can, you make it possible for anyone who's clever to access any site without authenticating (the client can send whatever Referer header it wants), which may be unacceptable. A completely different option could be to use a tool to create a local "mirror" of the site(s) you want to allow access to. Such a tool would pull in all resources required to render the page and store them on a local server. It would also rewrite the original page to reference the local copies. Then you just need to permit unauthenticated users access to your local mirror.
