Re: [squid-users] Fwd: config squid to set specific acl delay pools for username and then set it to the ip addr of username

From: Alex Domoradov <alex.hha_at_gmail.com>
Date: Mon, 13 May 2013 11:26:30 +0300

On Mon, May 13, 2013 at 11:18 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 13/05/2013 5:54 p.m., Alex Domoradov wrote:
>>
>> You can use acl arp, for example
>>
>> acl BIG_BOSS arp 01:02:03:04:05:06
>>
>> On Mon, May 13, 2013 at 8:11 AM, Daniyal Khorashadi Zadeh wrote:
>>>
>>> Assume the executive of your corporation sits at his clerk's desk PC and
>>> logs in with his own username on the network (authenticating with Active
>>> Directory). Of course he wants his full access to the Internet, but he
>>> can't have it because his IP address is different from the one we set in
>>> Squid for his PC.
>>>
>>> We authenticate users in Active Directory, and set their gateway to the
>>> Squid server, so we have a transparent Squid. We don't want our users
>>> to be authenticated a second time in the browser...
>
>
> This makes no sense at all. It is a simple matter for the browser to send
> the already authenticated AD credentials to Squid for Squid to confirm them
> with AD. It's called single-sign-on to most people familiar with MS
> products, and works with all forms of HTTP auth.
Will it work with transparent mode?

> It is also a simple matter for Squid helpers to take the IP (or EUI / MAC
> address even) and verify them against AD to confirm there is a user logged
> in on that machine and retrieve the details of said user back to Squid. The
> external ACL helpers routinely do this for group checks.
>
> However, if you base the Squid security all on the IP or MAC you *always*
> run the risk of an attacker hijacking the machine or even just spoofing that
> client's IP/MAC details to bypass your Squid security controls.
>
>
>>> Somehow I want to set the acl to be 'username based' and then apply the
>>> delay pools and classes we define to the IP of his computer. Is there a
>>> solution to this problem?
>
>
> The only "problem" is the policy of avoiding HTTP auth, and you already know
> the answer to that one. ;-)
>
> Amos
Received on Mon May 13 2013 - 08:26:36 MDT
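The external ACL helper Amos describes above (Squid hands the client IP to a helper, the helper looks up who is logged in on that machine and hands the username back, and delay_access then keys off that ACL) is the piece the thread never shows. The following is an added example written for this archive page, not code from the Squid project or from any poster. It implements the helper side of Squid's external_acl_type protocol: one request line in, one "OK"/"ERR" line out. The squid.conf lines in the docstring and the IP-to-user and group tables are assumptions; a real helper would replace the tables with an AD query (logon events, or an LDAP lookup of the hostname registered to that IP), and the spoofing caveat Amos raises still applies, since the only thing being trusted is the source address.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: map a client IP to the AD user logged in there.

Added example for the squid-users thread (not Squid project code). Assumed
squid.conf wiring (the helper path and ACL names are assumptions):

    external_acl_type ip2user ttl=60 negative_ttl=10 %SRC /usr/local/bin/ip2user.py
    acl BIG_BOSS external ip2user boss
    acl STAFF    external ip2user staff

    delay_pools 2
    delay_class 1 1
    delay_parameters 1 -1/-1            # pool 1: unlimited
    delay_class 2 1
    delay_parameters 2 128000/128000    # pool 2: ~1 Mbit/s aggregate
    delay_access 1 allow BIG_BOSS
    delay_access 1 deny all
    delay_access 2 allow STAFF
    delay_access 2 deny all

For each lookup Squid writes one line "<client-ip> <acl-args...>" (the words
after the helper name on the acl line are appended to the %SRC format),
reads one reply line "OK key=value ..." or "ERR key=value ...", and caches it
for ttl seconds. The "user=" key makes the username available to Squid's
logging. This helper assumes concurrency is not enabled (no channel-id
prefix on request lines).
"""
import sys

# Constructed stand-in for the AD lookup. In production this is the point
# where you ask the domain controller who is logged on at this address;
# anyone who spoofs or takes over the machine inherits that user's pool.
IP_TO_USER = {
    "192.168.1.10": "ceo",
    "192.168.1.20": "clerk",
}

# Constructed group membership; a real helper would resolve AD groups.
GROUP_MEMBERS = {
    "boss": {"ceo"},
    "staff": {"ceo", "clerk"},
}


def lookup(line: str) -> str:
    """Build the reply for one request line of the form "<ip> [group ...]".

    With no group arguments the ACL matches whenever some user is logged in
    at that IP. With group arguments it matches only if that user belongs to
    at least one of the named groups (this is the "group check" use Amos
    refers to).
    """
    parts = line.split()
    if not parts:
        return "ERR message=empty_request"
    ip, groups = parts[0], parts[1:]
    user = IP_TO_USER.get(ip)
    if user is None:
        return "ERR message=no_user_logged_in"
    if groups and not any(user in GROUP_MEMBERS.get(g, ()) for g in groups):
        return "ERR message=not_in_group"
    return f"OK user={user}"


def main() -> None:
    # Squid blocks on each reply, so answer line by line and never buffer.
    for line in sys.stdin:
        sys.stdout.write(lookup(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand with `printf '192.168.1.10 boss\n' | ./ip2user.py` before pointing Squid at it; Squid's own check is `squid -k parse` after editing squid.conf. Note that the delay pool is still applied per source address (delay_class 1 is an aggregate pool here; class 3 or 4 would split it per host or per user), so the username only decides which pool the IP lands in, which is exactly what the original question asked for.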