Rodrigo Castanheira wrote:
Hi,
I wish to authenticate (NTLM) our users only once per working day:
authenticate_ip_shortcircuit_ttl 8 hours
When the user browses for the first time, he will be authenticated and his
IP will be cached so that, for the next 8 hours, Squid believes that
requests coming from this IP belong to that user. Now comes the tricky part:
if that user logs off and somebody else logs in before those 8 hours expire,
Squid would mistakenly associate the same IP with the previous identity.
This is the downside of IP-based authorization. (NOTE: this is NOT
authentication).
As our IE browsers are pre-configured with a standard home page, and the new
user couldn't avoid opening it before being able to go elsewhere, I tried
enforcing (re)authentication for the home page:
acl HOME_PAGE url_regex -i homepage.intranet
authenticate_ip_shortcircuit_access deny HOME_PAGE
It didn't work.
Does authenticate_ip_shortcircuit_access accept only IP ACLs?
One of the benefits of NTLM is that Windows can be configured to do it
without generating the authentication popups ("single sign-on"). That is
the best way to configure what you want. If you set it up that way the
IP-based bypass does not need to be long.
The short-circuit setting is a very risky bypass to reduce load on slow
or overloaded auth servers. As you have seen, it allows people to
trivially access resources under some other person's account. The longer
it's set to, the more security risk you face.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
Current Beta Squid 3.1.0.15
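As an added illustration (not configuration posted by either participant), here is a constructed squid.conf fragment that puts the 8-hour setting from the question next to a short-TTL variant in the spirit of the reply. Directive and ACL names are the ones used in the thread; the 1-minute value is an assumption, and the fragment presumes NTLM auth_param and http_access rules are already in place.

```conf
# Constructed squid.conf fragment (directive names as used in this thread,
# Squid 2.7/3.0 era). Pick ONE of the two authenticate_ip_shortcircuit_ttl
# lines; the last occurrence of a single-valued directive wins.

# --- Option A: the setting from the question ---
# One IP-to-user binding survives for a whole working day. Anyone who logs on
# to the same workstation within that window is authorized and logged as the
# previous user, because the binding is keyed on the client IP, not the session.
#authenticate_ip_shortcircuit_ttl 8 hours

# --- Option B: short bypass, as the reply recommends ---
# With browser-side NTLM single sign-on the user never sees a prompt, so the
# bypass only needs to absorb bursts against the auth server. The window in
# which a later user inherits an earlier identity shrinks to this TTL.
authenticate_ip_shortcircuit_ttl 1 minute

# Requests for the intranet home page never use the cached IP binding; all
# other requests may, until the TTL expires. This access list is evaluated
# before credentials are checked, so only non-auth ACLs belong here.
acl HOME_PAGE url_regex -i homepage.intranet
authenticate_ip_shortcircuit_access deny HOME_PAGE
authenticate_ip_shortcircuit_access allow all
```

Check the syntax with `squid -k parse` before reloading, and confirm in access.log that home-page hits carry a freshly authenticated username rather than the cached one.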