Re: [squid-users] Re: Authentication with a Transparent Proxy

From: Xander D Harkness <xander@dont-contact.us>
Date: Wed, 31 Mar 2004 19:52:00 +0100

Alan Hicks wrote:

>>I'm looking at installing free wireless internet access for the public
>>to use in the downtown Macon GA area.
>>
>>The plan is to hijack port 80 with a transparent proxy server
>>and serve up a default web page
>>
>>Basically I want the users to only see this web page until they
>>authenticate somehow
>
>This isn't possible with Squid. This question has been asked (and answered)
>many times, and is in the FAQ.
>
>
I think you could come up with a compromise.

You could set up squid to request authentication and have the failure for
authentication provide the single web homepage that you want as an error.

So you could do the following:

#This will allow advertising and site setup explanations
acl configsite dstdomain .macon-ga.com

#This is my authentication acl
acl password proxy_auth REQUIRED

#This will provide my default deny page
acl mydeny dst 0.0.0.0

#This is the direct to my page for unauthenticated users
deny_info ERR_CONFIG mydeny

http_access allow configsite
http_access allow password
http_access deny mydeny
#Just for paranoia
http_access deny all

You then save a copy of your default webpage to
/etc/squid/errors/ERR_CONFIG

Squid does not do auth and transparent proxying as said, this is in the
FAQ. So I would set iptables to redirect all outbound port 80 traffic
to your website so that is the only place they will go. Set up WPAD on
the local network, which works for konqueror and I.E. and provide proxy
instructions for Mozilla users. WPAD will redirect the browser to use
your proxy which will then happily work with authentication.

Obviously there needs to be a load more in the config file - the stuff
to get authentication working against whatever you are using.

Kind regards
Xander
Received on Wed Mar 31 2004 - 11:52:12 MST
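
The WPAD step described in the message above depends on a proxy auto-config file that browsers fetch as wpad.dat. The following is an added example, not part of the original post; the proxy host name and port are hypothetical placeholders for the Squid box.

```javascript
// wpad.dat: proxy auto-config (PAC) file, normally served with the MIME type
// application/x-ns-proxy-autoconfig. Added example, not from the original post.
// PROXY is a hypothetical host:port standing in for the authenticating Squid.
var PROXY = "PROXY proxy.wifi.example:3128";

// True for dotted-quad hosts in the loopback or RFC 1918 private ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false; // not a valid IPv4 address
  }
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names (for example "wpad") are on the local network.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Local addresses such as the access point's own admin page.
  if (isPrivateIPv4(host)) return "DIRECT";
  // Everything else goes through Squid so proxy_auth applies. There is
  // deliberately no "; DIRECT" fallback: if the proxy is unreachable the
  // request fails instead of silently bypassing authentication.
  return PROXY;
}
```
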
