Markus.Rietzler@xxxxxxxxxxxxxx wrote:
hello,
we use so called "tunnel sites" with our proxy configuration. that means, we have two types of users: 1) user with (full) internet access, 2) users which only allowed to access certain websites. for this we have setup an acl which lists domains that are free to access
dstdomain .some.site
dstdomain .free.site
dstdomain .foo.com
the problem comes up, when these sites include stuff from other sites. most of the time ads, statitics. etc. so we have not only have to list the sites but also list "all" other sites. eg.
dstdomain .some.site
dstdomain .ad.server
dstdomain analytics.google.com
dstdomain .ivwbox.de
this is quite annoying. both for us but also for our users. we use ntlm auth. when they access those "tunnel" sites it happens that the (basic ntlm) auth dialog coming up, as the user was authenticated but not allowed to access internet, so squid asks for a user/password which has internet access.
See http://www.squid-cache.org/mail-archive/squid-users/200305/1106.html
for an explanation of what's happening and a solution.
It's alluded to in the authentication section of the Wiki
(http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication#head-ca6c847dd2974a610ef8f6a0e44319cb325f92b4),
but could probably be more prominent.
is there any chance to change this? when an ad banner is included from another site, squid can't really know that this is a "good" ad because it comes from a free tunnel website.
there is a authenticate_ttl which "caches" successfull authentications. is there a way to have also not successfull authentications to be cached/rememebered for a certain time? eg. ask for authentication, user hits cancel and squid won't ask for another authentication for the next hour or so...
is there any other way to solve this problem?
--
mit freundlichen Grüßen
Markus Rietzler - <rietzler_software/>
Rechenzentrum der Finanzverwaltung NRW
Chris