Access based on auth and referer

Hello fellow Squid users,

we use Squid 3.5 at my company and we want to give access to all sites to authenticated users. If a user is not authenticated we need to allow only HTTP/S requests that present a referer header matching a regex. Is this even possible?

I have tried a combination of proxy_auth and referer_regex ACLs with no results. sslbump is working.

This is a snippet from my conf:


# example regex to be substituted by a regex list
acl myreferer referer_regex -i ^https://www.example.com/
acl password proxy_auth REQUIRED
acl all src
acl manager proto cache_object
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow CONNECT
http_access allow myreferer
http_access allow password
http_access deny all


Using this configuration the requests are correctly filtered based on regex, but the proxy does not ask for auth credentials when the regex is not matched. If I put "http_access allow password" above "http_access allow CONNECT" like this:


[...]
http_access deny CONNECT !SSL_ports
http_access allow password
http_access allow CONNECT
[...]


the proxy asks for auth for each request not matching the referer regex and the anonymous users are bothered.

I have read the docs but I have not found an answer. Please help me.

Thank you for your kindness,

--
Matteo Savatteri

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
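
How the two rule orders in the message above play out, as an added example (not part of the original post and not Squid code): a simplified Python model of first-match http_access evaluation. It assumes that a proxy_auth ACL evaluated without credentials ends the check with a 407 challenge, and it leaves out ssl-bump and the manager rules; the request dicts are constructed.

```python
import re

# Simplified model (assumption): ACLs on a line are ANDed, the first matching
# line decides, and a proxy_auth ACL evaluated without credentials ends the
# check with a 407 challenge. ssl-bump and the manager lines are left out.
SAFE_PORTS = {80, 21, 443, 563, 70, 210, 280, 488, 591, 777}
SSL_PORTS = {443, 563}
REFERER = re.compile(r"^https://www.example.com/", re.I)  # regex from the post

ACLS = {
    "Safe_ports": lambda r: r["port"] in SAFE_PORTS or 1025 <= r["port"] <= 65535,
    "SSL_ports": lambda r: r["port"] in SSL_PORTS,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "myreferer": lambda r: bool(REFERER.search(r.get("referer", ""))),
    "all": lambda r: True,
}

# ORDER_A: the first configuration; ORDER_B: "allow password" moved up.
ORDER_A = ["deny !Safe_ports", "deny CONNECT !SSL_ports", "allow CONNECT",
           "allow myreferer", "allow password", "deny all"]
ORDER_B = ["deny !Safe_ports", "deny CONNECT !SSL_ports", "allow password",
           "allow CONNECT", "allow myreferer", "deny all"]

def http_access(rules, req):
    """Return 'allow', 'deny' or '407' for a request dict."""
    for rule in rules:
        action, *acls = rule.split()
        for name in acls:
            negate, name = name.startswith("!"), name.lstrip("!")
            if name == "password":
                if "user" not in req:
                    return "407"  # no credentials: challenge the client
                hit = True
            else:
                hit = ACLS[name](req)
            if hit == negate:
                break  # this ACL failed, so the line does not match
        else:
            return action  # every ACL on the line matched
    return "deny"  # not reached here: "deny all" always matches

# Constructed sample requests, all without credentials.
tunnel = {"method": "CONNECT", "port": 443}
plain = {"method": "GET", "port": 80, "referer": "https://other.example/"}
linked = {"method": "GET", "port": 80, "referer": "https://www.example.com/a"}
```

In this model, ORDER_A lets every CONNECT to an SSL port through before the referer or password lines are reached, while ORDER_B challenges any credential-less request that gets past the port checks.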



