On Mon, May 13, 2013 at 11:18 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 13/05/2013 5:54 p.m., Alex Domoradov wrote:
>>
>> You can use acl arp, for example
>>
>> acl BIG_BOSS arp 01:02:03:04:05:06
>>
>> On Mon, May 13, 2013 at 8:11 AM, Daniyal Khorashadi Zadeh wrote:
>>>
>>> Assume the executive of your corporation sits at his clerk's desk PC and
>>> logs in with his username on the network (authenticating with Active
>>> Directory). Of course he wants his full access to the Internet, but he
>>> can't get it because his IP address is different from what we set in Squid
>>> for his PC.
>>>
>>> We authenticate users in Active Directory and set their gateways to the
>>> Squid server, so we have a transparent Squid. We don't want our users
>>> to authenticate a second time in the browser...
>
>
> This makes no sense at all. It is a simple matter for the browser to send
> the already authenticated AD credentials to Squid for Squid to confirm them
> with AD. It's called single-sign-on to most people familiar with MS
> products, and works with all forms of HTTP auth.

Will it work with transparent mode?

> It is also a simple matter for Squid helpers to take the IP (or EUI / MAC
> address even) and verify them against AD to confirm there is a user logged
> in on that machine and retrieve the details of said user back to Squid. The
> external ACL helpers routinely do this for group checks.
>
> However, if you base the Squid security all on the IP or MAC you *always*
> run the risk of an attacker hijacking the machine or even just spoofing that
> client's IP/MAC details to bypass your Squid security controls.
>
>
>>> Somehow I want to set acl to be 'username based' and then set the delay
>>> pools and classes we define to the IP of his computer. Is there a
>>> solution to this problem?
>
>
> The only "problem" is the policy of avoiding HTTP auth, and you already know
> the answer to that one. ;-)
>
> Amos
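Amos describes an external ACL helper that takes the client IP, confirms against AD which user is logged on at that machine, and hands the user's details back to Squid. The helper below is an added example written for this thread; it is not code from the thread's participants or from the Squid project. It speaks the `external_acl_type` helper protocol (one request line on stdin, one `OK`/`ERR` reply line on stdout, flushed after every reply) and assumes a squid.conf pairing such as `external_acl_type ad_session ttl=60 %SRC /usr/local/bin/ad_session_helper.py` with `acl ad_session_ok external ad_session`. The AD query itself is replaced by a constructed lookup table; `SESSION_TABLE`, `lookup_user` and `handle_line` are this example's own names. As Amos notes, whatever fills that table is the trust anchor: the helper grants the privileges of whoever the table says is at an address, so a spoofed or hijacked address inherits them.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper: map a client IP to the AD user logged on there.

Squid external_acl_type protocol: each request is one line built from the
format tokens in squid.conf (here a single %SRC); each reply is one line,
"OK" optionally followed by key=value pairs such as user=..., or "ERR".
Squid blocks until the reply arrives, so stdout must be flushed per line.
"""
import ipaddress
import sys

# Constructed stand-in for the real AD-backed lookup (for example a table fed
# by domain-controller logon events). Key: client IP; value: AD account
# currently logged on at that address. Sample data only.
SESSION_TABLE = {
    "10.0.1.15": "ceo",
    "10.0.1.23": "clerk01",
}


def lookup_user(ip):
    """Return the AD account logged on at `ip`, or None if nothing is known."""
    return SESSION_TABLE.get(ip)


def handle_line(line, concurrent=False):
    """Turn one request line into one reply line (no trailing newline).

    With concurrency=N set on external_acl_type, Squid prefixes each request
    with a channel id that must be echoed back at the start of the reply.
    """
    fields = line.strip().split()
    channel = ""
    if concurrent:
        if not fields:
            return "ERR"
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 1:
        # Wrong number of tokens for a single %SRC format: refuse, never guess.
        return channel + "ERR message=malformed_request"
    try:
        # Canonicalise the address so table keys match; rejects non-addresses.
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return channel + "ERR message=bad_address"
    user = lookup_user(ip)
    if user is None:
        # Unknown machine: deny rather than fall through to an anonymous match.
        return channel + "ERR"
    # user= makes the account name visible to Squid (logs and ext_user ACLs).
    return channel + "OK user=" + user


def main():
    concurrent = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrent) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```

Once the helper returns `user=`, that account name is what Squid's `ext_user` ACL matches on, so a delay pool can be keyed on the AD account (for example `acl boss ext_user ceo`) instead of on the address the executive happens to be sitting at, which is the situation in the original question.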