different authentication for different ports


different authentication for different ports

Paul Hackmann
Hi all. I've got a fairly basic Squid config set up on Linux. I have basic authentication set up on it to the default 3128 port, and it works just fine. I would like to keep this configuration. However, I would like to set up another port that only allows a certain whitelist of websites that doesn't require or ask for authentication. I want to set this up for certain apps that don't have proxy settings built into them. I want Windows to be able to connect to some sites, but not everything and if it can't reach the site, I don't want it to ask for credentials. With my current configuration, it asks for credentials for any app that is trying to connect to a non-whitelisted website. Is this configuration possible and do you have an example? Sorry if this has been answered before, I am very green to Squid yet.

Thanks,
PH

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: different authentication for different ports

Amos Jeffries
Administrator
On 21/11/17 05:02, Paul Hackmann wrote:

> Hi all.  I've got a fairly basic squid config set up on linux.  I have
> basic authentication set up on it to the default 3128 port, and it works
> just fine.  I would like to keep this configuration.  However, I would
> like to set up another port that only allows a certain whitelist of
> websites that doesn't require or ask for authentication.  I want to set
> this up for certain apps that don't have proxy settings built into
> them.  I want windows to be able to connect to some sites, but not
> everything and if it can't reach the site, I don't want it to ask for
> credentials.  With my current configuration, it asks for credentials for
> any app that is trying to connect to a non-whitelisted website.  Is this
> configuration possible and do you have an example?  Sorry if this has
> been answered before, I am very green to squid yet.

Simply place the http_access rules for handling that traffic above the
first line which requires authentication.

   http_access ... lines that don't require auth.

   acl login proxy_auth REQUIRED
   http_access deny !login

   http_access ... rules for authenticated users.


Amos

Re: different authentication for different ports

Paul Hackmann
Amos,

If the website that is being asked for is not in the whitelist, won't it fall through and ask for authentication?  That is how it seems to work to me.  That's why I am thinking I need 2 different ports or something to do what I want.

PH

--
Paul Hackmann
Sims TV/Haven Electronics
121 N. Vine St.
West Union, IA. 52175
563-422-5751


Re: different authentication for different ports

Amos Jeffries
Administrator
On 21/11/17 06:56, Paul Hackmann wrote:
> Amos,
>
> If the website that is being asked for is not in the whitelist, won't it
> fall through and ask for authentication?  That is how it seems to work
> to me.  That's why I am thinking I need 2 different ports or something
> to do what I want.

You do need two different ports regardless of the http_access rules. One
for the forward/explicit proxy traffic and one for the intercept/tproxy
traffic. The TCP IP:port details for each of those "modes" are given in
completely different ways and the HTTP message syntax is also different
so they *cannot* be delivered to the same ports.


A whitelist generally is formed from two lines, one allowing and one
denying everything else.

If 'everything else' is defined as just the stuff arriving in one
specific port you get this:

  http_port 3128
  http_port 3129 intercept

  acl portX myportname 3129

  http_access allow portX whitelist
  http_access deny portX

  http_access deny !login
  ...

Amos
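
The fall-through asked about above and the effect of the port-scoped deny, as an added example that is not part of the original thread: a simplified Python model of Squid's first-match http_access evaluation. The whitelist domains, the `Request` type and the trailing `allow login` / `deny all` rules are assumptions; only the portX, whitelist and login ACL names and port 3129 come from the posts.

```python
from dataclasses import dataclass
from typing import Optional

WHITELIST = {"update.example.com", "time.example.net"}  # constructed sample domains

@dataclass
class Request:
    port: str                   # http_port the request arrived on
    domain: str                 # destination domain
    user: Optional[str] = None  # None means no proxy credentials were sent

def acl_matches(acl, req):
    """True/False for a match; "challenge" if proxy_auth is reached without credentials."""
    negate, name = acl.startswith("!"), acl.lstrip("!")
    if name == "login":
        if req.user is None:
            return "challenge"
        result = True
    elif name == "portX":
        result = req.port == "3129"
    elif name == "whitelist":
        result = req.domain in WHITELIST
    elif name == "all":
        result = True
    else:
        raise ValueError(f"unknown ACL {name}")
    return result != negate

def evaluate(rules, req):
    """Walk rules top to bottom; the first line whose ACLs all match decides."""
    for action, acls in rules:
        for acl in acls:
            m = acl_matches(acl, req)
            if m == "challenge":
                return "407"        # credentials requested from the client
            if not m:
                break               # this line does not apply, try the next one
        else:
            return action
    return "deny"                   # not reached: both rule sets end in "deny all"

# Whitelist placed above the auth rule, with no port-scoped deny.
WITHOUT_PORT_DENY = [("allow", ["whitelist"]), ("deny", ["!login"]),
                     ("allow", ["login"]), ("deny", ["all"])]
# Rule order from the reply: allow portX whitelist, deny portX, then auth.
PORT_SCOPED = [("allow", ["portX", "whitelist"]), ("deny", ["portX"]),
               ("deny", ["!login"]), ("allow", ["login"]), ("deny", ["all"])]

if __name__ == "__main__":
    miss = Request("3129", "other.example.org")
    print(evaluate(WITHOUT_PORT_DENY, miss), evaluate(PORT_SCOPED, miss))
```

A non-whitelisted request on port 3129 reaches the auth rule in the first rule set and is challenged; in the second it is stopped by `deny portX` before any proxy_auth ACL is evaluated, while port 3128 keeps its login requirement.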



Re: different authentication for different ports

Paul Hackmann
Amos,

That was exactly what I was looking for.  I tried it and it seems to work just like I wanted.  My other alternative would have been to run 2 copies of squid, but this is much cleaner from my perspective.  Thank you very much!

PH
