Re: [squid-users] Reverse proxy with LDAP authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 01 Oct 2008 13:41:19 +1300

Andrew Struiksma wrote:
>> At the top of the config after "http_port 80" add these:
>>
>> acl port80 myport 80
>> deny_info https://site.company.org port80
>> http_access deny port80
>>
>> That will cause squid itself to send a 3xx moved fake 'error'
>> message to all port 80 requests. The users browser will then
>> automatically re-connect to port 443 before being asked to login.
>>
>> NP: for anyone else trying to copy this: it only works on one
>> domain name at a time. Needs adjustment for virtual-hosted setups.
>>
>>> Can I add in an ACL to permit users from certain IP ranges
>>> to access the site with having to authenticate to LDAP? I'm
>>> thinking about sending all users through Squid but I don't
>>> want to force users on our LAN to have to authenticate.
>> Yes. Just chain the acl names properly. An http_access allow
>> line before one that requires auth should do it.
>>
>
> Thanks for your help! This is my new config that seems to be working fine:
>
> ---------------------
> http_port 80 defaultsite=mysite.company.org
> https_port 443 cert=/etc/ssl/certs/company.cert key=/etc/ssl/certs/company.key defaultsite=mysite.company.org
>
> #redirects all http traffic to https
> acl port80 myport 80
> deny_info https://mysite.company.org port80
> http_access deny port80
>
> cache_peer mysite.company.org parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
> acl our_sites dstdomain mysite.company.org
> acl all src 0.0.0.0/0.0.0.0
>
> auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=company,dc=org" -D "cn=squid_user,cn=Users,dc=company,dc=org" -w "password" -f sAMAccountName=%s -h 192.168.1.2
> auth_param basic children 2
> auth_param basic realm Our Website
> auth_param basic credentialsttl 2 hours
>
> #these networks can access mysite without authenticating
> acl trusted_nets src 10.2.1.0/24
> acl trusted_nets src 192.168.1.0/24
>
> acl ldap_users proxy_auth REQUIRED
>
> http_access allow trusted_nets our_sites
> http_access allow ldap_users our_sites
>
> cache_peer_access myAccel allow our_sites
> cache_peer_access myAccel deny all
>
> never_direct allow our_sites
> ---------------------
>
> You mentioned supporting multiple hosts. Is it relatively easy for a squid reverse proxy to provide access to several internal servers (i.e. mysite.company.org, mysite2.company.org, etc.)?
>

Yes. Very.

Just add 'vhost' option to http_port.
And list each domain in the our_sites ACL.

For multiple internal web servers, a peer line is needed for each. With
a small re-arrangement of ACL to route domains to the right one(s).

Amos

-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
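As an added example (not from the thread or the Squid project), here is Andrew's config extended the way Amos describes, for two virtual-hosted sites: a second origin server and peer name (mysite2.company.org, myAccel2) are assumed names, and every address and hostname is a constructed placeholder.

```conf
# Added example, not from the thread: two virtual-hosted sites behind one reverse proxy.
# Hostnames, peer names and addresses are constructed placeholders.
http_port 80 vhost
https_port 443 cert=/etc/ssl/certs/company.cert key=/etc/ssl/certs/company.key vhost

# One dstdomain ACL per site so requests can be routed to the right origin.
acl to_site1 dstdomain mysite.company.org
acl to_site2 dstdomain mysite2.company.org
acl our_sites dstdomain mysite.company.org mysite2.company.org
acl port80 myport 80
acl all src 0.0.0.0/0.0.0.0

# Redirect plain-HTTP requests to HTTPS before any credentials are requested.
# deny_info is keyed on the LAST acl of the matching deny line, so each site
# needs its own deny line to get its own target (a fixed URL; the original
# request path is not preserved).
deny_info https://mysite.company.org/ to_site1
deny_info https://mysite2.company.org/ to_site2
http_access deny port80 to_site1
http_access deny port80 to_site2

# LDAP basic auth as in the original post. The bind password sits in this file
# and on the helper's command line, so keep squid.conf readable by squid only.
auth_param basic program /usr/lib/squid/ldap_auth -R -b "dc=company,dc=org" -D "cn=squid_user,cn=Users,dc=company,dc=org" -w "password" -f sAMAccountName=%s -h 192.168.1.2
auth_param basic children 2
auth_param basic realm Our Website
auth_param basic credentialsttl 2 hours

# Trusted LAN ranges skip LDAP; everyone else is challenged.
acl trusted_nets src 10.2.1.0/24
acl trusted_nets src 192.168.1.0/24
acl ldap_users proxy_auth REQUIRED

# Allow lines are evaluated in order; the explicit final deny refuses anything
# that is not for one of our sites (so the proxy cannot be used for other hosts).
http_access allow trusted_nets our_sites
http_access allow ldap_users our_sites
http_access deny all

# One parent peer per internal server, each reachable only for its own domain.
# DONT_VERIFY_PEER skips certificate checks on the origin, as in the original post.
cache_peer mysite.company.org parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel
cache_peer mysite2.company.org parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=myAccel2
cache_peer_access myAccel allow to_site1
cache_peer_access myAccel deny all
cache_peer_access myAccel2 allow to_site2
cache_peer_access myAccel2 deny all
never_direct allow our_sites
```

A request for mysite2.company.org on port 80 is redirected to its own HTTPS URL, and once on 443 it is only ever forwarded to the myAccel2 peer.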
Received on Wed Oct 01 2008 - 00:41:34 MDT
