Thanks for the reply.

I monitored the data between dansguardian and squid and there is
basically nothing there. Dansguardian seems to only pass on the URL in
its default config - and strips out everything else, including the
User-Agent header.

I had a read and found that I can turn on the X-Forwarded-For headers in
DansGuardian with the following two lines

    forwardedfor = on
    usexforwardedfor = on

I was then able to see the client's IP in the TCP stream between
DansGuardian and Squid.

Then, in squid.conf, I added the following two lines (I suspect that the
second one is not needed)

    follow_x_forwarded_for allow localhost
    acl_uses_indirect_client on

And then all ACL queries used the original client address, rather than
the DansGuardian proxy address. This made all my rules work (and has
enabled a few other things, such as logging in Squid that tells me the
client's IP address correctly).

So, all is working now. Thank you for pointing me at the HTTP headers,
it was exactly where I needed to look.

Thanks
GC

On 21/06/2015 10:35 PM, Amos Jeffries wrote:
> On 22/06/2015 12:24 a.m., Graham wrote:
>> I am looking for a way to configure Squid to ask for (and check)
>> authentication using LDAP, but to proceed if there is no auth
>> information provided.
>
> Not possible. The process of asking for auth sends a reply to the client
> request. Once that happens there is nothing further possible.
>
> You can check for auth and continue if it's missing, but when doing so
> cannot ask the client to send any credentials. A secure client will not
> send credentials unless asked...
>
>> I have been using DansGuardian for a while with Squid authenticating and
>> then getting DansGuardian to filter based on the username that Squid has
>> authenticated. The browsers talk directly to DansGuardian, which talks
>> to Squid, which does the work over the 'net.
>>
>> I am now trying to add an android device - which has some apps that
>> don't ask the user for a login/password (although they do talk to the
>> proxy) and therefore they fail to connect with a 407 error. I have
>> modified DansGuardian to allow just this one IP to work without
>> authentication, but Squid requires the auth and denies the requests. If
>> I make Squid more permissive (remove the auth config) then DansGuardian
>> works with that IP address, but will then block all other IP addresses
>> as Squid hasn't authenticated anyone. Note that I can't do IP
>> authentication from Squid because all requests come from the
>> DansGuardian IP (which happens to be localhost) and it can't tell which
>> ones to authenticate and which to allow.
>
> You should be able to use something like the User-Agent header
> ("browser" regex ACL type) to bypass the auth requirement on a
> per-request basis. This has to be done for many Java applications, for
> example.
>
> Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
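
The trust rule behind "follow_x_forwarded_for allow localhost", as an added example that is not part of the original thread and is not Squid's own code: a small Python model that steps back through X-Forwarded-For only while the sending address is a trusted proxy, so ACLs are evaluated against the last address a trusted hop vouched for. The function name, networks, addresses and header values are constructed; it assumes the filter appends the real client address to any header the client sent, and stopping on a malformed entry is this model's choice.

```python
import ipaddress


def indirect_client(peer_ip, xff_header, trusted_nets):
    """Return the address ACLs should see (a model, not Squid's code).

    Start at the TCP peer and step back through X-Forwarded-For from
    right to left, but only while the current address is a trusted proxy.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]

    def is_trusted(addr):
        # An IPv4 address is never "in" an IPv6 network, and vice versa.
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops and is_trusted(current):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


# Constructed sample values (not taken from the thread).
LOCALHOST_ONLY = ["127.0.0.1/32", "::1/128"]  # approximates "allow localhost"
TRUST_EVERYONE = ["0.0.0.0/0", "::/0"]        # approximates "allow all"
FILTER = "127.0.0.1"                          # DansGuardian on the same host
CLIENT = "192.168.1.50"                       # real LAN client
# Client-supplied value first, then the entry the filter appended (assumed).
FORGED = "10.9.9.9, " + CLIENT

if __name__ == "__main__":
    cases = [
        ("via filter", FILTER, CLIENT, LOCALHOST_ONLY),
        ("via filter, client sent its own header", FILTER, FORGED, LOCALHOST_ONLY),
        ("direct to Squid with a header", "192.168.1.77", CLIENT, LOCALHOST_ONLY),
        ("same forged header, every sender trusted", FILTER, FORGED, TRUST_EVERYONE),
    ]
    for label, peer, header, nets in cases:
        print(f"{label:45s} -> {indirect_client(peer, header, nets)}")
```

With only localhost trusted, the client-supplied entry is never reached and a header sent straight to Squid is ignored; trusting every sender lets the leftmost, client-controlled entry decide the ACL result.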