Re: [squid-users] Squid billboard

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 19 Oct 2010 21:09:26 +0000

On Tue, 19 Oct 2010 09:07:26 -0400, "Jim Moseby"
<JMoseby_at_elasticfabrics.com> wrote:
>>>> On 10/18/2010 at 5:33 PM, in message
>> On Mon, 18 Oct 2010 11:26:21 -0400, "Jim Moseby"
>> <JMoseby_at_elasticfabrics.com> wrote:
>>> I'm setting up squid, and I have auth working against Novell NDS. I'd
>>> like to be able to have users authenticate via a form on a page that
>>> displays our usage policy, etc rather than the simple username/password
>>> box that currently pops up. Is this do-able? Any hints?
>>>
>>> jm
> <2f3b80e3d0fb7e45ebb239aa47891ff1_at_mail.treenet.co.nz>, Amos Jeffries
> <squid3_at_treenet.co.nz> wrote:
>>
>> This is better known as splash pages in captive portals.
>>
>> Squid will happily send a custom error page along with the auth
>> challenge.
>> The way browsers work these days prevents the page being displayed unless
>> the auth popup fails. To get real auth the easy way is to create a
>> two-step process with the AUP page available without auth. Then the
>> acceptance link going to a place with auth challenge.
>>
>> Amos
>
> Thanks for that information.
>
> A little more information on how I have this going.
>
> All XP Pro workstations. Novell servers.
>
> In the Novell login script, I check NDS to see if the user is in an
> 'AllowInternet' group. If so, I set the workstations' registry entries for
> the proxy server, and to hide the 'Connections' tab so the user can't find
> an obvious way to change them back. (Even if they do, outgoing http/s is
> blocked at the firewall :)
>
> Currently, when the user opens his web browser, he is immediately
> presented with the auth challenge from squid.
>
> For your scenario to work, the only way I can think of to make it happen
> is to force the users 'home page' to a non-auth page on a local web server
> in each user's subnet, and to set 'Bypass proxy server for local addresses'
> in the proxy settings.
>
> Am I on the right track?

That's one way.

Or, the basic portal splash:
http://wiki.squid-cache.org/ConfigExamples/Portal/Splash

The important thing with the usual setup is that requests to the splash
page and its resources are allowed without auth. The ACL inside Squid can
be quite strict and force them out to a specific cache_peer if you desire
that level of control.

Amos
Received on Tue Oct 19 2010 - 21:09:31 MDT
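
The rule ordering described in the message above, as an added squid.conf sketch that is not part of the original message or of the linked wiki example. The hostname, client subnet, peer address and ACL names are placeholders, and the existing auth_param lines are assumed to be in place already.

```conf
# Added illustration; all names and addresses below are placeholders.
# http_access is evaluated top to bottom and the first matching line wins,
# so the splash rules must come before anything that triggers proxy auth.

acl localnet   src 192.168.0.0/16         # placeholder client range
acl aup_site   dstdomain aup.example.lan   # placeholder host serving the AUP page,
                                           # including its CSS and images
acl read_only  method GET HEAD
acl authed     proxy_auth REQUIRED         # uses the auth_param helper already configured

# 1. Splash page and its resources: reachable without an auth challenge,
#    but only from internal clients and only for read-only requests.
http_access allow localnet aup_site read_only
http_access deny  aup_site

# 2. Everything else requires a login. The acceptance link on the AUP page
#    points at a URL outside aup_site, so following it produces the challenge.
http_access deny  !authed
http_access allow localnet
http_access deny  all

# 3. Optional: force splash traffic through one specific peer and nowhere else.
cache_peer 192.0.2.10 parent 3128 0 no-query name=aup_peer
cache_peer_access aup_peer allow aup_site
cache_peer_access aup_peer deny all
never_direct allow aup_site
```

Running `squid -k parse` against the edited file checks the syntax before the change is loaded with `squid -k reconfigure`.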
