On 11/10/22 18:31, Ole Craig wrote:
> I would like to configure Squid with a set of allow-listed domains such
> that unauthenticated CONNECTs to sites within those domains succeed,
> _unless_ the following conditions are met:
> * if a client preemptively sends a Proxy-Authenticate header anyway,
> without first receiving a 407
FYI this requirement (taken by itself) would break HTTP authentication.
There are many ways for a client to learn that authentication is
required, some of them are out-of-band and cannot be known by the proxy.
> * _and_ that header is invalid (bad username/password, unsupported
> authN method, &c),
... this requirement makes the first requirement irrelevant. Invalid
credentials are *always* supposed to be rejected with 4xx regardless of
whether the client has been seen before or not.
Just use the normal recommended authentication access check(s):
# the usual security protections...
http_access deny CONNECT !SSL_Ports
# require valid credentials
acl auth proxy_auth REQUIRED
http_access deny !auth
acl whitelist dstdomain ...
http_access allow CONNECT whitelist
HTH
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
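The access-control section Amos sketches, written out as a complete squid.conf fragment in the recommended order. This is an added example, not text from the thread or the Squid project's own defaults; the helper path, password file, realm and the `.example.com` allow-list are assumptions.

```conf
# Added example squid.conf fragment (not from the thread). Assumed values:
# helper path, password file, realm and the allow-listed domain.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

acl SSL_ports port 443
acl Safe_ports port 80 443
# Defined in the stock squid.conf; harmless to restate here.
acl CONNECT method CONNECT

# Assumed allow-list; the leading dot matches the domain and its subdomains.
acl whitelist dstdomain .example.com

# http_access rules are evaluated top to bottom and the first match wins,
# so the order below is the whole point.

# 1. Port protections come first, before any credentials are looked at:
#    no tunnels to non-TLS ports, no plain requests to unsafe ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 2. Require valid credentials. A request with no credentials triggers a
#    407 challenge because the last ACL on the deny line is a proxy_auth
#    ACL; a request carrying bad credentials fails the same ACL and is
#    refused with a 4xx, whether or not the client was challenged first.
acl auth proxy_auth REQUIRED
http_access deny !auth

# 3. Only now grant tunnels to the allow-listed domains. Placing this line
#    above "deny !auth" would let unauthenticated and wrongly authenticated
#    CONNECTs through alike, since the auth ACL would never be reached.
http_access allow CONNECT whitelist

# 4. Everything else is refused.
http_access deny all
```

Run `squid -k parse` after editing to catch syntax errors before reloading.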