>
> Hi,
>
> I have a question. I'd like to have squid configured for the following:
>
> - User opens browser (with squid proxy configured) and gets redirected to
> a login page
> - The browser prompts for a proxy username/password.
> - If the user provided a good username/password, he/she can click on an
> icon to get redirected to the originally requested page.
>
> squid.conf (using version 2.7stable5) part:
>
>       acl all src all
>       acl freesites dstdomain login.mydomain.local
>       acl AuthUsers proxy_auth REQUIRED
>
>       http_access allow all
>       #     process redirector program between http_access and http_access2,
>       #     result depends on whether a username exists.
>       http_access2 allow freesites
>       http_access2 allow AuthUsers
>       http_access2 deny all
>
> Problem is that this way the redirector program never gets any username
> passed although the user is asked for a user/pass.
>
> This works partially (username gets passed):
>
>       http_access allow AuthUsers
>       # -> process redirector program between http_access and http_access2
>       http_access2 allow all
>
> But now I can't redirect to a nice welcome page before the
> username/password prompt...
>
>
> Please someone help.
>
> Many thanks.
>
> Philippe
>

You have a conceptual problem here.

What you are attempting to do is get the browser to authenticate against
the proxy by sending authentication details to a web server somewhere
else.

What you need instead is one of two captive portal solutions:

 1) authenticate against the proxy directly, no fuss.

  http_access allow freesites
  # no credentials -> squid sends the 407 challenge
  http_access deny !AuthUsers
  http_access allow AuthUsers
  http_access deny all


 2) use an external_acl_type helper to perform side-band authentication
based on IP using details gathered from the website login.

  external_acl_type foo ...
  acl AuthUsers external foo

  http_access allow freesites
  http_access allow AuthUsers
  deny_info http://login.mydomain.local all
  http_access deny all


(2) has cons in that it assumes you are able to create a working auth
scheme where experts often fail. It also assumes that every visitor has a
unique IP/headers (no sharing, no NAT) and that forgery is ignored.

Amos
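
As an added illustration of option (2) above (this is example code, not
part of the original reply and not anything squid ships): a minimal
external_acl_type helper that keys on the client IP. It assumes a
squid.conf fragment like

      external_acl_type ipauth ttl=60 negative_ttl=10 %SRC /usr/local/bin/ipauth.py
      acl AuthUsers external ipauth

where the helper name, the path and the session file format are all
assumptions. It also assumes the login website, after checking the
username/password, records "<ip> <username> <expiry-unix-time>" lines in
a session file. Squid writes the %SRC value to the helper's stdin, one
lookup per line, and reads "OK" (optionally with key=value pairs) or
"ERR" from its stdout. The helper inherits exactly the cons Amos lists:
anyone behind the same NAT as a logged-in user is let through.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper keyed on client IP (added example)."""
import sys
import time

SESSION_FILE = "/var/run/ipauth-sessions.txt"   # assumed path, written by the login site

# Constructed sample of the assumed session file format, used for the
# stand-alone demo only: "<ip> <username> <expiry-unix-time>".
SAMPLE_SESSIONS = """\
10.0.0.5 alice 2000
10.0.0.6 bob 500
this line is malformed
10.0.0.8 dave soon
10.0.0.5 carol 3000
"""


def parse_sessions(text):
    """Parse session lines into {ip: (user, expiry)}.

    Later lines for the same IP win (a re-login replaces the old entry);
    malformed lines are skipped rather than failing the whole lookup.
    """
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, user, expiry = parts
        try:
            sessions[ip] = (user, int(expiry))
        except ValueError:
            continue
    return sessions


def decide(src_ip, sessions, now):
    """Return squid's expected reply for one %SRC lookup."""
    entry = sessions.get(src_ip)
    if entry is None:
        return "ERR"
    user, expiry = entry
    if expiry <= now:
        return "ERR"
    # user= lets squid log the name even though no proxy_auth took place
    return "OK user=%s" % user


def load_sessions(path=SESSION_FILE):
    """Read the session file; treat a missing file as 'nobody logged in'."""
    try:
        with open(path) as f:
            return parse_sessions(f.read())
    except OSError:
        return {}


def main():
    # Squid keeps the helper running and sends one request per line.
    # Re-read the session file on every lookup so fresh logins are seen
    # at once; squid's ttl= caches positive answers, bounding the cost.
    for line in sys.stdin:
        line = line.strip()
        if not line:
            continue
        src_ip = line.split()[0]
        sys.stdout.write(decide(src_ip, load_sessions(), int(time.time())) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it from squid without concurrency= (with concurrency the request and
reply lines carry a leading channel ID, which this helper does not
handle). The deny_info redirect to login.mydomain.local still comes from
the `http_access deny all` line, so the login site must stay in
`freesites` or nobody can reach it to create a session.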

