Re: [squid-users] Trying to authenticate a user only once per working day

From: Rodrigo Castanheira <castanheira_at_uol.com.br>
Date: Sun, 20 Dec 2009 15:28:28 -0200

Ok, but is there any way to make authenticate_ip_shortcircuit_access work
with an URL based acl ?

----- Original Message -----
From: "Amos Jeffries" <squid3_at_treenet.co.nz>
To: <squid-users_at_squid-cache.org>
Sent: Sunday, December 20, 2009 8:41 AM
Subject: Re: [squid-users] Trying to authenticate a user only once per
working day

> Rodrigo Castanheira wrote:
>> Hi,
>>
>> I wish to authenticate (NTLM) our users only once per working day:
>>
>> authenticate_ip_shortcircuit_ttl 8 hours
>>
>> When the user browses for the first time, he will be authenticated and
>> his IP will be cached so that, for the next 8 hours, Squid believes that
>> requests coming from this IP belong to that user. Now comes the tricky
>> part: if that user logs off and somebody else logs in before those 8
>> hours expire, Squid would mistakenly associate the same IP with the
>> previous identity.
>
> This is the downside of IP-based authorization. (NOTE: this is NOT
> authentication).
>
>> As our IE browsers are pre-configured with a standard home page, and the
>> new user couldn't avoid opening it before being able to go elsewhere, I
>> tried enforcing (re)authentication for the home page:
>>
>> acl HOME_PAGE url_regex -i homepage.intranet
>> authenticate_ip_shortcircuit_access deny HOME_PAGE
>>
>> It didn't work.
>> Does authenticate_ip_shortcircuit_access accept only IP acl's ?
>>
>
> One of the benefits of NTLM is that Windows can be configured to do it
> without generating the authentication popups ("single sign-on"). That is
> the best way to configure what you want. If you set it up that way the
> IP-based bypass does not need to be long.
>
> The short-circuit setting is a very risky bypass to reduce load on slow or
> overloaded auth servers. As you have seen, it allows people to trivially
> access resources under some other persons accounts. The longer its set to
> the more security risk you face.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
> Current Beta Squid 3.1.0.15
Received on Sun Dec 20 2009 - 17:28:47 MST

This archive was generated by hypermail 2.2.0 : Mon Dec 21 2009 - 12:00:02 MST