Markus.Rietzler_at_rzf.fin-nrw.de wrote:
> hello,
>
> we use so called "tunnel sites" with our proxy configuration. that means, we have two types of users: 1) user with (full) internet access, 2) users which only allowed to access certain websites. for this we have setup an acl which lists domains that are free to access
>
> dstdomain .some.site
> dstdomain .free.site
> dstdomain .foo.com
>
> the problem comes up, when these sites include stuff from other sites. most of the time ads, statitics. etc. so we have not only have to list the sites but also list "all" other sites. eg.
>
> dstdomain .some.site
> dstdomain .ad.server
> dstdomain analytics.google.com
> dstdomain .ivwbox.de
>
> this is quite annoying. both for us but also for our users. we use ntlm auth. when they access those "tunnel" sites it happens that the (basic ntlm) auth dialog coming up, as the user was authenticated but not allowed to access internet, so squid asks for a user/password which has internet access.
>
See http://www.squid-cache.org/mail-archive/squid-users/200305/1106.html
for an explanation of what's happening and a solution.
It's alluded to in the authentication section of the Wiki
(http://wiki.squid-cache.org/SquidFaq/ProxyAuthentication#head-ca6c847dd2974a610ef8f6a0e44319cb325f92b4),
but could probably be more prominent.
> is there any chance to change this? when an ad banner is included from another site, squid can't really know that this is a "good" ad because it comes from a free tunnel website.
>
> there is a authenticate_ttl which "caches" successfull authentications. is there a way to have also not successfull authentications to be cached/rememebered for a certain time? eg. ask for authentication, user hits cancel and squid won't ask for another authentication for the next hour or so...
>
> is there any other way to solve this problem?
>
> --
> mit freundlichen Grüßen
>
> Markus Rietzler - <rietzler_software/>
> Rechenzentrum der Finanzverwaltung NRW
>
Chris
Received on Wed Aug 13 2008 - 21:13:00 MDT
This archive was generated by hypermail 2.2.0 : Thu Aug 14 2008 - 12:00:03 MDT