>> -----Original Message-----
>> From: Henrik Nordstrom [mailto:henrik@xxxxxxxxxxxxxxxxxxx]
>> Sent: Friday, September 19, 2008 2:31 PM
>> To: Andrew Struiksma
>> Cc: 'squid-users@xxxxxxxxxxxxxxx'
>> Subject: Re: Reverse proxy with LDAP authentication
>>
>> On fre, 2008-09-19 at 13:04 -0700, Andrew Struiksma wrote:
>> > We have a company intranet server running Apache2 on Debian 4.
>> > Currently it is only available on our LAN. We would like to make it
>> > available outside our LAN. However, we want users to have to
>> > authenticate against our Active Directory when they are coming from
>> > the outside. Once they have authenticated, they should have full
>> > access to the internal website. Is this something that Squid can do?
>>
>> Yes, with some limitations.
>>
>> The limitation is that there is only one authentication slot
>> in HTTP, so if the web server also uses HTTP authentication
>> then it needs to use the exact same authentication (basic
>> authentication to the same password backend), or you need to
>> set up a special authentication peering between the two (see
>> the login= cache_peer option).
>>
>
> I've set up the reverse SSL proxy on Squid 2.7 and it's almost working as
> needed. I want to accept connections on both port 80 and 443 but I want
> all the port 80 traffic to be redirected to 443 so that everything is
> encrypted. The main reason we need everything encrypted is that we are
> requiring LDAP authentication before Squid will allow access to the site.
> How can I do this?
>
> Here is the main part of my config:
>
> http_port 80 defaultsite=site.company.org
> https_port 443 cert=/etc/ssl/certs/company.org.cert \
>     key=/etc/ssl/certs/company.org.key \
>     defaultsite=site.company.org
>
> cache_peer site.company.org parent 443 0 no-query \
>     originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
> acl our_sites dstdomain site.company.org
> acl all src 0.0.0.0/0.0.0.0
>
> auth_param basic program /usr/lib/squid/ldap_auth \
>     -R -b "dc=company,dc=org" -D "cn=squid_user,cn=Users,dc=company,dc=org" \
>     -w "password" -f sAMAccountName=%s -h 192.168.1.2
> auth_param basic children 5
> auth_param basic realm Our Site
> auth_param basic credentialsttl 5 minutes
>
> acl ldap_users proxy_auth REQUIRED
>
> http_access allow ldap_users
> http_access allow our_sites

If I understand you correctly that should be:

http_access allow our_sites ldap_users
http_access deny all

> cache_peer_access myAccel allow our_sites
>
> Andrew
>

That config should do it. Perhaps a "never_direct allow our_sites" to prevent non-peered traffic.

Amos
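An added illustration of the rule-order point above (not part of the thread or of Squid itself): a small Python model of http_access evaluation, run over the original two allow lines and the combined line plus "deny all". It assumes first-match evaluation, left-to-right AND within a line (stopping at the first non-matching ACL), a 407 challenge when a proxy_auth ACL is reached without credentials, and the "opposite of the last line" default when nothing matches; the request values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Request:
    dstdomain: str        # host the client asked for (Host header in accel mode)
    authenticated: bool   # True if valid proxy credentials were supplied


# ACL definitions mirroring the quoted squid.conf
def our_sites(req):       # acl our_sites dstdomain site.company.org
    return req.dstdomain == "site.company.org"


def ldap_users(req):      # acl ldap_users proxy_auth REQUIRED
    return req.authenticated


def acl_all(req):         # acl all src 0.0.0.0/0.0.0.0
    return True


ACLS = {"our_sites": our_sites, "ldap_users": ldap_users, "all": acl_all}
AUTH_ACLS = {"ldap_users"}   # ACLs that trigger a credential challenge


def http_access(rules, req):
    """rules: list of (action, [acl names]) in config order.
    Returns 'allow', 'deny' or 'challenge' (simplified model, see lead-in)."""
    for action, acls in rules:
        matched = True
        for name in acls:                       # ACLs on one line are ANDed
            if name in AUTH_ACLS and not req.authenticated:
                return "challenge"              # Squid replies 407 here
            if not ACLS[name](req):
                matched = False                 # stop at first non-match
                break
        if matched:
            return action                       # first matching line wins
    # No line matched: default is the opposite of the last line's action
    return "deny" if rules[-1][0] == "allow" else "allow"


ORIGINAL = [("allow", ["ldap_users"]), ("allow", ["our_sites"])]
CORRECTED = [("allow", ["our_sites", "ldap_users"]), ("deny", ["all"])]

if __name__ == "__main__":
    for dom in ("site.company.org", "other.example"):      # constructed hosts
        for auth in (False, True):
            r = Request(dom, auth)
            print(dom, "auth" if auth else "anon",
                  "original:", http_access(ORIGINAL, r),
                  "corrected:", http_access(CORRECTED, r))
```

With the original order an authenticated user can reach any destination through the proxy (which is also why never_direct matters); the combined line confines access to our_sites and never challenges for other hosts.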