
Re: Fwd: config squid to set specific acl delay pools for username and then set it to the ip addr of username

On 13/05/2013 8:26 p.m., Alex Domoradov wrote:
On Mon, May 13, 2013 at 11:18 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 13/05/2013 5:54 p.m., Alex Domoradov wrote:
You can use acl arp, for example

acl BIG_BOSS arp 01:02:03:04:05:06

On Mon, May 13, 2013 at 8:11 AM, Daniyal Khorashadi Zadeh wrote:
Assume the executive of your corporation sits at his clerk's desk PC and
logs in with his username on the network (authenticating with Active
Directory). Of course he wants his full access to the internet, but he
can't have it because his IP address is different from what we set in squid
for his PC.

We authenticate users in Active Directory and set their gateways to the
squid server, so we have a transparent squid. We don't want our users
to be authenticated a second time in the browser...

This makes no sense at all. It is a simple matter for the browser to send
the already authenticated AD credentials to Squid for Squid to confirm them
with AD. It's called single-sign-on by most people familiar with MS
products, and works with all forms of HTTP auth.
Will it work with transparent mode?

Ah, "transparent". Single-sign-on *is* "transparent" authentication. Except that is not at all what you mean.

The "transparent" interception you use is only getting in the way because you are not pushing the proxy settings over, just the gateway settings. If you push *both* over to the client then all software which uses the proxy settings correctly will be able to do single-sign-on, for a transparently configured and authenticated proxy. The ones which do not will have to use interception and can be controlled with different security settings in the proxy.


It is also a simple matter for Squid helpers to take the IP (or EUI / MAC
address even) and verify them against AD to confirm there is a user logged
in on that machine and retrieve the details of said user back to Squid. The
external ACL helpers routinely do this for group checks.

However, if you base the Squid security all on the IP or MAC you *always*
run the risk of an attacker hijacking the machine or even just spoofing that
client's IP/MAC details to bypass your Squid security controls.


Amos
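As an added illustration of the IP-to-user helper Amos describes (this is example code written for this archive page, not code from the thread or from the Squid project), here is a minimal Squid external ACL helper in Python. It speaks the external_acl_type line protocol: Squid writes one request line per lookup containing the fields named in the helper definition (here %SRC, optionally preceded by a channel id when concurrency= is set) and expects one reply line of OK or ERR, with OK carrying key=value pairs such as user=. The script path, the ttl values and the LOGGED_ON table are assumptions; the table stands in for the "ask AD who is logged on at that address" query a real helper would perform. It does nothing to detect a spoofed or hijacked client address, which is exactly the caveat raised above.

```python
#!/usr/bin/env python3
"""ip2user.py: example Squid external ACL helper mapping client IP -> username.

Constructed squid.conf fragment that would wire it in (an assumption,
shown for illustration; 'ext_user' matches the user= value the helper
returns, so the boss is excluded from the per-host delay pool):

    external_acl_type ip2user ttl=60 negative_ttl=10 %SRC /usr/local/bin/ip2user.py
    acl ip_mapped external ip2user
    acl boss ext_user bigboss
    http_access allow ip_mapped
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 64000/64000
    delay_access 1 deny boss
    delay_access 1 allow all
"""
import sys

# Assumed, constructed stand-in for a directory lookup of who is logged on
# at each address. A real helper would query AD; nothing here verifies that
# the packet really came from that host (IP/MAC can be spoofed).
LOGGED_ON = {
    "10.0.0.15": "bigboss",
    "10.0.0.22": "clerk01",
}


def decide(line: str, table=LOGGED_ON) -> str:
    """Turn one request line from Squid into the helper's reply line.

    Request format is "<src-ip>" or, with concurrency= set on the
    external_acl_type line, "<channel-id> <src-ip>"; the channel id must be
    echoed back so Squid can match the reply to the request.
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"
    channel = ""
    if len(fields) >= 2 and fields[0].isdigit():
        channel = fields[0] + " "
        fields = fields[1:]
    src_ip = fields[0]
    user = table.get(src_ip)
    if user is None:
        # Negative answer: Squid caches it for negative_ttl seconds.
        return channel + "ERR"
    # Positive answer; user= becomes the request's username for ext_user
    # ACLs and access logging.
    return channel + "OK user=" + user


def main() -> None:
    # One request per line in, one reply per line out. Output must be
    # flushed per line, otherwise Squid blocks waiting for the answer.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it under Squid as shown in the docstring, or feed it lines by hand (`echo 10.0.0.15 | ./ip2user.py`) to see the reply format. The ttl= caching matters for exactly the scenario in the thread: when the executive logs on at a different desk, the old IP-to-user mapping stays cached until it expires.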



