Well,

Couple of questions:
How is separation done between the two proxies?
Why is it required that every faculty member has its own login on the proxy?
Is every user part of a domain of some sort?
How do you intend to enforce that the first logon with a specific account is the one that is actually done by a faculty member?
Is the same logon used elsewhere?
Do faculty members have the same subnet as students?

Kind regards/met vriendelijke groet,
Serge Fonville
http://www.sergefonville.nl

Convince Google!!
They need to add GAL support on Android (star to agree)
http://code.google.com/p/android/issues/detail?id=4602

2011/9/3 rex_ray . <rex_ray@xxxxxxxx>:
> Hi,
> Thanks again for your reply. Am in charge of a University
> Network providing internet access to students & faculties. Faculty
> users have their separate proxy without any content filtering.
> Students somehow get their password and use it to download and surf
> porn thereby slowing the whole internet down (current setup allows
> multiple logins). Also they share these passwords with their friends.
> I inherited this setup from my predecessor in the middle of this
> month. I wanted to limit the login from a single ip only and if that
> user closes his browser tries to login from another ip he should be
> able to login. That's why I asked the questions.
>
>
>
>
> On Sat, Sep 3, 2011 at 6:09 PM, Serge Fonville <serge.fonville@xxxxxxxxx> wrote:
>> Hi,
>>
>> HTTP does not support any logout feature.
>>
>> 'Normally' sessions expire.
>> Which is where the authenticate_ip_ttl is for.
>>
>> The only alternatives I can think of is build some wrapping utility
>> around your browser (on all clients) or use SSO so when a session
>> invalidates it automatically revalidates.
>> With the latter you can set your TTL a lot lower.
>>
>> But it will require some additional testing to check if this does not
>> decrease the browsing experience.
>>
>> For a better answer, please add information as to your actual goal
>> (the bigger picture) and what 'problem' are you trying to solve that
>> requires only one session per user.
>>
>> HTH
>>
>> Kind regards/met vriendelijke groet,
>> Serge Fonville
>> http://www.sergefonville.nl
>>
>> Convince Google!!
>> They need to add GAL support on Android (star to agree)
>> http://code.google.com/p/android/issues/detail?id=4602
>>
>>
>>
>> 2011/9/3 rex_ray . <rex_ray@xxxxxxxx>:
>>> Hi,
>>> Thanks for your help. But am newbie when it comes to Squid.
>>> So could you please enlighten me on the following,
>>>
>>>> But there is no logout
>>>> So there is no way for squid to invalidate the session.
>>>
>>> Is it possible to have a logout procedure in Squid?
>>>
>>>
>>> On Sat, Sep 3, 2011 at 5:54 PM, Serge Fonville <serge.fonville@xxxxxxxxx> wrote:
>>>> Hi,
>>>> From what I understand...
>>>> You have a login procedure for your browser.
>>>> But there is no logout
>>>> So there is no way for squid to invalidate the session.
>>>> Kind regards/met vriendelijke groet,
>>>> Serge Fonville
>>>> http://www.sergefonville.nl
>>>>
>>>> Convince Google!!
>>>> They need to add GAL support on Android (star to agree)
>>>> http://code.google.com/p/android/issues/detail?id=4602
>>>>
>>>>
>>>> 2011/9/3 rex_ray . <rex_ray@xxxxxxxx>
>>>>>
>>>>> I have the following doubt (or requirement) regarding Squid Proxy
>>>>> Authentication.
>>>>>
>>>>> 1. User should be able to browse from a single ip only i.e. no
>>>>> concurrent logins. (Achieved this with the help
>>>>> of 'authenticate_ip_ttl' & 'max_user_ip' directives)
>>>>>
>>>>> 2. If that user closes his browser, he should be able to authenticate
>>>>> from a new ip or system. (I only get a 'Access Denied'
>>>>> message when attempting login from a new machine or ip which I guess
>>>>> results from the 'authenticate_ip_ttl' directive)
>>>>>
>>>>> Can somebody point what am doing wrong here. Advance thanks for your
>>>>> help.
>>>>>
>>>>> My 'squid.conf' authentication related parameters are as given below,
>>>>>
>>>>> auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b
>>>>> "dc=example,dc=com" -D "cn=Manager,dc=example,dc=com" -w
>>>>> "ldapadminpass" -f "uid=%s" -h ldap.server
>>>>> auth_param basic children 5
>>>>> auth_param basic realm Squid proxy-caching web server
>>>>> auth_param basic credentialsttl 2 hours
>>>>> authenticate_ip_ttl 2 hours
>>>>> acl ip_limit max_user_ip -s 1
>>>>> acl ldapauth proxy_auth REQUIRED
>>>>> http_access deny ip_limit
>>>>> http_access allow ldapauth
>>>>> http_access deny all
>>>>
>>>>
>>>
>>
>
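
Added example, not part of the original thread and not Squid's own code: a simplified Python model of the behaviour discussed above, where `acl ip_limit max_user_ip -s 1` denies a second address until the first has been idle for `authenticate_ip_ttl`. It assumes each accepted request refreshes that address's timestamp; the class and function names, user name, addresses and timeline are constructed for illustration.

```python
# Simplified model (an assumption, not Squid source code) of how
# `acl ip_limit max_user_ip -s 1` interacts with `authenticate_ip_ttl`.

HOUR = 3600


class UserIpCache:
    """Per-user record of client IPs, each remembered for `ttl` seconds."""

    def __init__(self, ttl, max_ips=1):
        self.ttl = ttl
        self.max_ips = max_ips
        self.seen = {}  # user -> {ip: time of last accepted request}

    def allow(self, user, ip, now):
        ips = self.seen.setdefault(user, {})
        # Forget addresses that have been idle for the full TTL.
        for old in [a for a, t in ips.items() if now - t >= self.ttl]:
            del ips[old]
        if ip not in ips and len(ips) >= self.max_ips:
            return False  # strict (-s): the extra address is denied
        ips[ip] = now     # assumed: each accepted request refreshes the timer
        return True


def replay(ttl, events):
    """Return the allow/deny decision for each (time, user, ip) event."""
    cache = UserIpCache(ttl)
    return [cache.allow(user, ip, t) for t, user, ip in events]


# Constructed timeline: one user moves from an office PC to another machine.
MOVE = [
    (0,       "prof", "10.0.1.5"),  # authenticates on the office PC
    (10 * 60, "prof", "10.0.1.5"),  # last request, then closes the browser
    (30 * 60, "prof", "10.0.2.9"),  # tries a second machine 20 minutes later
    (3 * HOUR, "prof", "10.0.2.9"),  # tries again much later
]

# Constructed timeline: a shared password used from a second address
# while the legitimate user is still browsing.
SHARED = [
    (0,   "prof", "10.0.1.5"),
    (60,  "prof", "10.0.9.77"),  # second address, one minute later
    (120, "prof", "10.0.1.5"),
]

if __name__ == "__main__":
    print("ttl=2h  move  :", replay(2 * HOUR, MOVE))
    print("ttl=5m  move  :", replay(5 * 60, MOVE))
    print("ttl=5m  shared:", replay(5 * 60, SHARED))
```

With the 2 hour TTL from the posted configuration, the move to the second machine is denied although the browser was closed; with a 5 minute TTL the move succeeds while a concurrent second address is still refused.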