RE: [squid-users] Reverse proxy with LDAP authentication

From: Andrew Struiksma <astruiksma_at_esd189.org>
Date: Fri, 26 Sep 2008 10:15:27 -0700

> > Here is the main part of my config:
> >
> > http_port 80 defaultsite=site.company.org
> > https_port 443 cert=/etc/ssl/certs/company.org.cert \
> >   key=/etc/ssl/certs/company.org.key \
> >   defaultsite=site.company.org
> >
> > cache_peer site.company.org parent 443 0 no-query \
> >   originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
> > acl our_sites dstdomain site.company.org
> > acl all src 0.0.0.0/0.0.0.0
> >
> > auth_param basic program /usr/lib/squid/ldap_auth \
> >   -R -b "dc=company,dc=org" \
> >   -D "cn=squid_user,cn=Users,dc=company,dc=org" \
> >   -w "password" -f sAMAccountName=%s -h 192.168.1.2
> > auth_param basic children 5
> > auth_param basic realm Our Site
> > auth_param basic credentialsttl 5 minutes
> >
> > acl ldap_users proxy_auth REQUIRED
> >
> > http_access allow ldap_users
> > http_access allow our_sites
>
> If I understand you correctly that should be:
>
> http_access allow our_sites ldap_users
> http_access deny all
>
> > cache_peer_access myAccel allow our_sites
> >
> > Andrew
> >
>
> That config should do it.
> Perhaps a "never_direct allow our_sites" to prevent
> non-peered traffic.

OK. I'll add in those options. Currently, if a user connects on port 80 they are not forwarded to port 443 until after logging in and actually clicking a link on the website. They are then prompted to log in a second time on port 443. Can Squid redirect to port 443 immediately, before login, or do I need to set up Apache to do this?

Can I add in an ACL to permit users from certain IP ranges to access the site without having to authenticate to LDAP? I'm thinking about sending all users through Squid, but I don't want to force users on our LAN to have to authenticate.

Thanks!

Andrew
Received on Fri Sep 26 2008 - 17:15:51 MDT
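As an added example (not from the thread or the Squid project), the access rules below combine the reply's correction with the LAN exemption Andrew asks about. Squid evaluates http_access lines top to bottom and stops at the first line whose ACLs all match, so several ACLs on one line are ANDed and separate lines are ORed; if no line matches, the default is the opposite of the last line's action. The LAN range 192.168.1.0/24 and the ACL name lan_users are assumptions; the other names reuse those from the quoted config.

```conf
# Assumed LAN range (placeholder; replace with the real internal subnet)
acl lan_users src 192.168.1.0/24
acl our_sites dstdomain site.company.org
acl ldap_users proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0

# Original ordering from the quoted config, for comparison:
#   http_access allow ldap_users
#   http_access allow our_sites
# The first line has no destination restriction, so any user who
# authenticates is allowed to any destination, not only the accelerated site.

# Corrected rules: first match wins, ACLs on one line are ANDed.
# LAN clients reaching the accelerated site are let through without a challenge...
http_access allow our_sites lan_users
# ...everyone else needs valid LDAP credentials, and only for that site...
http_access allow our_sites ldap_users
# ...and whatever did not match above is refused explicitly.
http_access deny all

# Keep requests for the site on the origin peer and never fetch them directly.
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
never_direct allow our_sites
```

Two points from the quoted config carry over unchanged and are worth knowing: sslflags=DONT_VERIFY_PEER on the cache_peer line means the origin server's certificate is not checked on the proxy-to-origin leg, and the -w "password" bind credential sits in plaintext in squid.conf, so that file's read permissions should match the sensitivity of the squid_user account.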

This archive was generated by hypermail 2.2.0 : Sat Sep 27 2008 - 12:00:03 MDT