Search squid archive

Re: Forceful Reauthentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 13/11/2014 8:27 a.m., santosh wrote:
> Hello Team,
> 
> I'm trying to reauthenticate the user once he visits google as per
> this url https://workaround.org/squid-acls but it doesnt seem to
> reprompt the credentials when i access google  , below are my rules
> let me know where i'm going wrong


The Tutorial is flat wrong.

> 
> 
> # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS 
> #
> 
> #conatins acl to block sites acl bad_url url_regex
> "/etc/squid3/badsites.conf"
> 
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -b 
> "dc=example,dc=com" -f "uid=%s" -h example.com acl ldapauth
> proxy_auth REQUIRED acl reauth dstdomain .google.co.in http_access
> deny bad_url http_access allow ldapauth

The above line says that if they authenticate they are in. No matter what.

The following line will never be tested.

> http_access deny  reauth ldapauth http_access deny all
> 


Lets go back to the Squid FAQ, which that tutorial apparently was
trying to re-write ...

<wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F>

It lists a particular sequence of ACL tests:
1. http_access deny google !google_users
2. http_access allow my_auth
3. http_access deny all


line 1 tests for google and requires authentication challenge if they
are a) un-authenticated, or b) using "wrong" user accounts.

line 2 checks authentication and allows anyone who can login with
*any* credentials. Unauthenticated users will be challenged.

line 3 rejects anyone who cannot login at all.

   Order Is Important.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUZDX1AAoJELJo5wb/XPRj9bAIAJqPgkB+jhvuKL/gj/q07Crk
mZTUuOLPep4E0/+ahGxV1xyEt3w1iAOysTa8vf8DEaJ40zHr+nRt9Oi6MGK39SNN
tURRSrDLtRkn4OtSWE0Yw9yKf4l1FJfZswAqZxh8HruF6Apr6bc3GZSya2x0qcbF
CKXTt7C7pyy/FeKdkfju3jp8spazTmpBcx/Ib6F4GIBoQXhqALh3ZluzbmV+ws4l
LzNDZ4AcPUrF41aBwkZkyvYXyAHzCmkJPBCkDNqUu37msmNye2IrA5poNWrEKWyp
6jSVvYehPLFqU3DMVhGja+blJ3GA6FYuHurR3+0kwIudGvw32c6EVZWDUyOmaug=
=waRG
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux