Re: Reverse proxy with LDAP authentication

Andrew Struiksma wrote:
Here is the main part of my config:

http_port 80 defaultsite=site.company.org
https_port 443 cert=/etc/ssl/certs/company.org.cert \
        key=/etc/ssl/certs/company.org.key \
        defaultsite=site.company.org

cache_peer site.company.org parent 443 0 no-query \
        originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel

acl our_sites dstdomain site.company.org
acl all src 0.0.0.0/0.0.0.0

auth_param basic program /usr/lib/squid/ldap_auth \
        -R -b "dc=company,dc=org" \
        -D "cn=squid_user,cn=Users,dc=company,dc=org" \
        -w "password" -f sAMAccountName=%s -h 192.168.1.2
auth_param basic children 5
auth_param basic realm Our Site
auth_param basic credentialsttl 5 minutes

acl ldap_users proxy_auth REQUIRED

http_access allow ldap_users
http_access allow our_sites
If I understand you correctly that should be:

 http_access allow our_sites ldap_users
 http_access deny all

cache_peer_access myAccel allow our_sites

Andrew

That config should do it.
Perhaps a "never_direct allow our_sites" to prevent
non-peered traffic.

OK. I'll add in those options. Currently, if a user connects on port 80 they are not forwarded to port 443 until after logging in and actually clicking a link on the website. They then are prompted to login a second time on port 443. Can Squid redirect to port 443 immediately before login or do I need to set up Apache to do this?

Ah, now it sounds like you believe or need one thing and your config is doing yet another.

Fortunately they are easy to do:

At the top of the config after "http_port 80" add these:

  acl port80 myport 80
  deny_info https://site.company.org port80
  http_access deny port80

That will cause squid itself to send a 3xx moved fake 'error' message to all port 80 requests. The user's browser will then automatically re-connect to port 443 before being asked to login.

NP: for anyone else trying to copy this: it only works on one domain name at a time. Needs adjustment for virtual-hosted setups.


Can I add in an ACL to permit users from certain IP ranges to access the site without having to authenticate to LDAP? I'm thinking about sending all users through Squid but I don't want to force users on our LAN to have to authenticate.


Yes. Just chain the acl names properly. An http_access allow line before one that requires auth should do it.

http_access are checked top-down and first to match causes allow/deny.
They can be thought of as a boolean expression:
 http_access allow/deny if a AND b AND c AND d
 OR
 http_access allow/deny if a AND b AND !d   (! being NOT)


Amos
--
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
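As an added illustration of the http_access semantics Amos describes (checked top-down, first matching line wins, every ACL on a line must match, `!` negates), the LAN-bypass ordering question, and the port80 deny_info redirect, here is a small Python model of that evaluation. It is constructed for this page and is not Squid's own code: the `lan` range 192.168.1.0/24 and the client addresses are assumed, and proxy_auth handling is simplified to "challenge whenever a proxy_auth ACL is consulted without credentials".

```python
"""Constructed model of Squid http_access evaluation (not Squid code).

Models only what the thread relies on: lines are checked top-down, the
first line whose ACLs ALL match decides, '!' negates one ACL, a line is
abandoned at its first non-matching ACL, 'proxy_auth REQUIRED' needs
credentials, and deny_info with a URL turns a deny into a redirect.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    src: str                    # client address
    dstdomain: str              # Host the client asked for
    myport: int                 # Squid port the client connected to
    user: Optional[str] = None  # credentials presented, None = none sent


# ACL table: name -> (type, values). all/our_sites/port80/ldap_users are
# from the thread; 'lan' (192.168.1.0/24) is an assumed LAN range.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "our_sites": ("dstdomain", ["site.company.org"]),
    "port80": ("myport", [80]),
    "lan": ("src", ["192.168.1.0/24"]),
    "ldap_users": ("proxy_auth", ["REQUIRED"]),
}


class AuthRequired(Exception):
    """A proxy_auth ACL was consulted but the request carried no credentials."""


def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        return req.dstdomain in values
    if kind == "myport":
        return req.myport in values
    if kind == "proxy_auth":
        if req.user is None:
            raise AuthRequired(name)   # simplified; real Squid has more cases
        return True                    # REQUIRED: any authenticated user
    raise ValueError(f"unknown acl type {kind}")


def http_access(rules, req, deny_info=None):
    """rules: list of (action, [acl tokens]) in config order.

    Returns 'allow', 'deny', 'challenge' (401/407 sent to the browser),
    or ('redirect', url) when the denying ACL has a URL in deny_info.
    """
    deny_info = deny_info or {}
    for action, tokens in rules:
        line_matches = True
        for tok in tokens:
            negate = tok.startswith("!")
            try:
                hit = acl_matches(tok.lstrip("!"), req)
            except AuthRequired:
                return "challenge"
            if hit == negate:          # plain ACL missed, or negated ACL hit
                line_matches = False
                break                  # rest of this line is never consulted
        if line_matches:
            if action == "deny":
                url = deny_info.get(tokens[-1].lstrip("!"))
                if url and url.startswith("http"):
                    return ("redirect", url)
            return action
    # Squid's real default is the opposite of the last line; ending with
    # 'deny all' as Amos suggests makes that default unreachable.
    return "deny"


DENY_INFO = {"port80": "https://site.company.org"}

# Amos's corrected ordering from the thread.
RULES_THREAD = [("deny", ["port80"]),
                ("allow", ["our_sites", "ldap_users"]),
                ("deny", ["all"])]

# LAN bypass placed BEFORE the auth line, as Amos advises.
RULES_LAN_FIRST = [("deny", ["port80"]),
                   ("allow", ["our_sites", "lan"]),
                   ("allow", ["our_sites", "ldap_users"]),
                   ("deny", ["all"])]

# Same bypass placed AFTER the auth line: LAN users are still challenged.
RULES_LAN_LAST = [("deny", ["port80"]),
                  ("allow", ["our_sites", "ldap_users"]),
                  ("allow", ["our_sites", "lan"]),
                  ("deny", ["all"])]

if __name__ == "__main__":
    lan_anon = Request("192.168.1.50", "site.company.org", 443)
    for label, rules in [("thread", RULES_THREAD), ("lan first", RULES_LAN_FIRST),
                         ("lan last", RULES_LAN_LAST)]:
        print(f"{label:10s} LAN user, no credentials ->", http_access(rules, lan_anon, DENY_INFO))
    print("port 80 request ->", http_access(RULES_THREAD, Request("10.0.0.9", "site.company.org", 80), DENY_INFO))
```

Running it shows the two points of the thread directly: a port 80 request is answered with the redirect before any credentials are asked for, and the LAN rule only spares LAN clients the login prompt when it sits above the line that names the proxy_auth ACL.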
