Hi Amos,, Yet again thanks for a very complete reply! Our problem is that the upstream system is the one with all the content filtering on it, and I have started creating a whitelist for the known destinations but it is quickly going to become unmanageable. I was hoping that if a client failed to authenticate then it would be forwarded to the upstream and fall under what ever the default (un authorized) ruleset is, known risky sites etc would be getting filtered there, Jay On 4 February 2012 12:02, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote: > On 5/02/2012 12:30 a.m., Jason Fitzpatrick wrote: >> >> Morning all.. >> >> I have a requirement to have my squid servers authenticate users >> before forwarding requests to an upstream server which does content >> filtering based on the X-Forwarded headers in the requests and all >> seems to be working quite well so far, (internal traffic is routed via >> the squids without the need to authenticate) >> >> I do have one issue though, clients that are unable to authenticate >> (windows update / Java updates etc) and want to set up the system so >> that it will attempt to authenticate the user, and if the >> authentication fails the request is routed regardless >> >> Is such a thing possible? I have tried all sorts of configurations but >> the logic to the rules still escapes me! > > > This is a side case of security which seems to boggle many an admins mind. > The core of the problem is that missing credentials is only one *sub-set* of > all failed authentications. You cannot simply take "failed auth" and assume > its one of the "good" software which is failing. These days it will quite > frequently be someone malicious, possibly even forging the "good" software > user-agent header to get access. > > In particular missing credentials is a type of failure indistinguishable > from an HTTP request which has not yet even been challenged for credentials. > HTTP is stateless so there is no way to identify two clients sharing a > downstream proxy and one client re-trying without credentials. You must > hard-code that distinction for the specific cases you know of, thus all the > well published config hacks. > > Amos -- "The only difference between saints and sinners is that every saint has a past while every sinner has a future. " — Oscar Wilde