Re: [squid-users] Fwd: config squid to set specific acl delay pools for username and then set it to the ip addr of username

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 13 May 2013 20:18:05 +1200

On 13/05/2013 5:54 p.m., Alex Domoradov wrote:
> You can use acl arp, for example
>
> acl BIG_BOSS arp 01:02:03:04:05:06
>
> On Mon, May 13, 2013 at 8:11 AM, Daniyal Khorashadi Zadeh wrote:
>> Assume the executive of your corporation sits at his clerk's desk PC and
>> logs in with his username on the network (authenticated with Active
>> Directory). Of course he wants his full access to the internet, but he
>> can't, because his IP address is different from what we set in squid
>> for his PC.
>>
>> We authenticate users in Active Directory and set their gateways to the
>> squid server, so we have a transparent squid. We don't want our users
>> to be authenticated a second time in the browser...

This makes no sense at all. It is a simple matter for the browser to
send the already authenticated AD credentials to Squid for Squid to
confirm them with AD. It's called single-sign-on to most people familiar
with MS products, and works with all forms of HTTP auth.

It is also a simple matter for Squid helpers to take the IP (or EUI /
MAC address even) and verify them against AD to confirm there is a user
logged in on that machine and retrieve the details of said user back to
Squid. The external ACL helpers routinely do this for group checks.

However, if you base the Squid security all on the IP or MAC you
*always* run the risk of an attacker hijacking the machine or even just
spoofing that client's IP/MAC details to bypass your Squid security controls.

>> Somehow I want to set the acl to be 'username based' and then apply the
>> delay pools and classes we define to the IP of his computer. Is there a
>> solution to this problem?

The only "problem" is the policy of avoiding HTTP auth, and you already
know the answer to that one. ;-)

Amos
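The IP-to-user helper Amos describes, as an added example that is not part of this thread and not Squid's own code. It implements the external_acl_type helper protocol (one request line per client, one "OK"/"ERR" reply line, an optional channel id when concurrency= is set) and stands in for the AD query with a constructed in-memory table; the helper path /usr/local/bin/ip2user.py, the ACL names and the delay_parameters figures in the comment are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: map the client IP (%SRC) to the AD user on it.

Added example for this thread, not Squid's code. A real deployment would
replace LOGGED_IN with a query against AD logon events or a logon-tracking
agent; here it is a constructed table so the helper runs offline.

Assumed squid.conf wiring (helper path is an assumption):
  external_acl_type ip2user ttl=60 negative_ttl=10 children-max=5 \
      %SRC /usr/local/bin/ip2user.py
  acl boss_machine external ip2user
  # the HTTP-auth route Amos prefers, for comparison:
  # acl boss_user proxy_auth big.boss
  delay_pools 1
  delay_class 1 1
  delay_parameters 1 64000/64000     # throttle everyone else (bytes/sec)
  delay_access 1 deny boss_machine
  delay_access 1 allow all

Keep ttl short: the IP-to-user mapping changes whenever someone logs off.
And, as the reply above says, anything keyed on IP/MAC alone can be spoofed,
so treat this as a convenience layer, not the only access control.
"""
import ipaddress
import sys

# Constructed sample data standing in for "who is logged on where" in AD.
LOGGED_IN = {
    "10.0.0.15": "big.boss",
    "10.0.0.23": "clerk1",
}


def lookup_user(raw_ip):
    """Return the username logged in on raw_ip, or None.

    Rejects garbage instead of raising, and unwraps IPv4-mapped IPv6
    (::ffff:a.b.c.d) so a dual-stack Squid still matches the table.
    """
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return LOGGED_IN.get(str(addr))


def handle_line(line, concurrency=False):
    """Turn one request line from Squid into the reply line to send back.

    With "%SRC" the request is just the client IP; with concurrency=N set
    it is prefixed by a channel id that must be echoed on the reply.
    "OK user=<name>" hands the username to Squid (visible as %un in logs
    and usable by ext_user ACLs); "ERR" means no known user on that host.
    """
    fields = line.strip().split()
    channel = None
    if concurrency:
        if not fields:
            return "ERR"
        channel, fields = fields[0], fields[1:]
    if not fields:
        reply = "ERR"
    else:
        user = lookup_user(fields[0])
        reply = "OK user=%s" % user if user else "ERR"
    return "%s %s" % (channel, reply) if channel is not None else reply


def main():
    # Run with --concurrent when the external_acl_type line sets concurrency=N.
    concurrency = "--concurrent" in sys.argv[1:]
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrency) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply; never leave it buffered


if __name__ == "__main__":
    main()
```

Because the helper returns user= rather than a bare OK, the same lookup also serves the "username based" ACL the original poster asked for: a later `acl` of type ext_user can match on the name the helper supplied, and delay_access rules can be written against that instead of against a hard-coded IP.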
Received on Mon May 13 2013 - 08:18:11 MDT

This archive was generated by hypermail 2.2.0 : Mon May 13 2013 - 12:00:05 MDT