Hi Amos,

Thanks very very much for your help.

I'm not really trying to authenticate to an external web site, only Squid is involved.

What I'm trying to do is:

1 http_access allow all
  # redirector program
2 http_access2 allow freesites
3 http_access2 allow AuthUsers
4 http_access2 deny all

- User opens browser. (no auth yet)
- Homepage tries to load, redirector sees no username => redirect to welcome page (+ link to google), allowed by acl 2
- User clicks on the external link => not in acl 2, but allowed by acl 3 => Squid asks for auth
- User enters user+pass in browser (proxy-auth), validated by Squid. Squid has now a valid username and password. So far, so good. This all works fine.
- now every next page should pass the redirector as this

Problem: Due to acl 1, Squid doesn't pass a username to the rewriter program and even after a successful auth, the redirector keeps redirecting to the welcome page due to the missing username.

If I put acl 3 before the redirector, Squid nicely sends the username with the requested url.

Can this be resolved?

Kind regards,

Philippe

-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday, April 27, 2009 02:58
To: Philippe Boeij
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: redirecting unauthenticated users

>
> Hi,
>
> I have a question. I'd like to have squid configured for the following:
>
> - User opens browser (with squid proxy configured) and gets redirected
>   to a login page
> - The browser prompts asks for a proxy username/ password.
> - if the user provided a good username/password, he/she can click on
>   an icon to get redirected to the original requested page.
>
> squid.conf (using version 2.7stable5) part:
>
>     acl all src all
>     acl freesites dstdomain login.mydomain.local
>     acl AuthUsers proxy_auth REQUIRED
>
>     http_access allow all
>     # process redirector program between http_access and http_access2,
>     # result depends on the fact if a username exists.
>     http_access2 allow freesites
>     http_access2 allow AuthUsers
>     http_access2 deny all
>
> Problem is that this way the redirector program never gets any
> username passed although the user is asked for a user/pass.
>
> This works partially (username gets passed):
>
>     http_access allow AuthUsers
>     # -> process redirector program between http_access and http_access2
>     http_access2 allow all
>
> But now I can't redirect to a nice welcome page before the
> username/password prompt...
>
>
> Please someone help.
>
> Many thanks.
>
> Philippe
>

You have a conceptual problem here. What you are attempting to do is get the browser to authenticate against the proxy by sending authentication details to a web server somewhere else.

What you need instead is one of two captive portal solutions:

1) authenticate against the proxy directly, no fuss.

    http_access allow freesites
    http_access deny !AuthUsers
    http_access deny all

2) use an external_acl_type helper to perform side-band authentication based on IP using details gathered from the website login.

    external_acl_type foo ...
    acl AuthUsers external foo
    http_access allow freesites
    http_access allow AuthUsers
    deny_info http://login.mydomain.local all
    http_access deny all

(2) has cons in that it assumes you are able to create a working auth scheme where experts often fail. Also that every visitor has a unique IP/headers (no sharing, no NAT) and forgery is ignored.

Amos
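
A sketch of the helper that option (2) in the reply above calls for, added here as an example and not taken from the thread or from Squid itself. It assumes the login site records each successful login in a JSON file keyed by client IP (the path and file format are hypothetical) and that the helper is started with %SRC as its only format token; being keyed on IP alone, it keeps the shared-IP/NAT limits named in the reply.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: side-band, IP-based login lookup (added example)."""
# Assumed squid.conf line (helper path is hypothetical):
#   external_acl_type foo ttl=60 %SRC /usr/local/bin/portal_acl.py
import ipaddress
import json
import sys
import time

# Hypothetical store written by the login site:
#   {"<client ip>": {"user": "<name>", "expires": <epoch seconds>}}
SESSION_FILE = "/var/run/portal/sessions.json"


def load_sessions(path=SESSION_FILE):
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
        return data if isinstance(data, dict) else {}
    except (OSError, ValueError):
        return {}  # fail closed: an unreadable store means nobody is logged in


def decide(line, sessions, now):
    """Return the helper reply for one request line whose first token is %SRC."""
    fields = line.split()
    if not fields:
        return "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))  # reject anything that is not an IP
    except ValueError:
        return "ERR"
    entry = sessions.get(ip)
    if not isinstance(entry, dict):
        return "ERR"  # no login recorded for this address
    user, expires = entry.get("user"), entry.get("expires")
    if not isinstance(user, str) or not isinstance(expires, (int, float)):
        return "ERR"
    if expires <= now or not user.isalnum():
        return "ERR"  # expired login, or a name that could break the reply line
    return "OK user=" + user  # user= hands the name on to Squid


def main():
    for line in sys.stdin:  # Squid sends one lookup per line and waits for one reply
        print(decide(line, load_sessions(), time.time()), flush=True)


if __name__ == "__main__":
    main()
```

The ttl on the external_acl_type line bounds how long Squid keeps honouring a cached OK after the login has expired or been removed from the store.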