Netgate Discussion Forum

Squid, Bypass auth for list of sites

  • T
    titus91360
    last edited by Sep 16, 2009, 4:27 PM

    Hello World,
    I'm trying to replace my current proxy server (ipcop) with a pfSense with squid as proxy server.
    My tests work great, but there is just one configuration I can't manage to set.
    My squid conf is set to use the proxy in non-transparent mode with authentication on LDAP.

    I would like to set a list of web sites that will be accessible without authentication.
    Is it possible? I didn't find where to set it.
    Thanks

    • M
      mhab12
      last edited by Sep 17, 2009, 3:17 PM

      I would suspect this is possible by editing the squid.conf file.  That said, I can't point you in the direction of where to start.  If nobody here offers to help, I would post a bounty as a fairly simple text edit ought to take care of your problem.

      • T
        titus91360
        last edited by Sep 18, 2009, 9:33 AM

        So nobody to help me  :-[
        -> mhab12 Your help will be great for me. Could you give me a simple template to use in my squid/squidguard configuration?

        Thanks

        • T
          titus91360
          last edited by Sep 23, 2009, 12:40 PM

          Nobody to help me ?  :'(

          • S
            slochewie
            last edited by Sep 23, 2009, 9:59 PM

            I don't know about setting that in squid but you can set it in the browser.

            This is probably a question best suited for the squid forums and not necessarily the pfsense forums.
            I don't know if you can switch between non-transparent and transparent modes on the fly depending on the site, like you are suggesting. I'm not sure though. And if you find a howto, I'd like to see it.

            I do have a workaround of sorts. It involves having sites that don't use the proxy server thus avoiding authentication, and then all other sites use the proxy server and force authentication.
            At my office everyone runs Firefox and we use a mozilla.cfg file to lock the browser preferences down so people can't go into their Firefox settings and disable the proxy server. In the Firefox proxy settings there is a text box where you can specify sites that don't use the proxy and thus don't require authentication. We use it for internal sites and a few external sites.

            We first create a mozilla.txt file that consists of the following.

            
            # Mozilla User Preferences
            
            /* Do not edit this file.
             *
             * If you make changes to this file while the browser is running,
             * the changes will be overwritten when the browser exits.
             *
             * To make a manual change to preferences, you can visit the URL about:config
             * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
             */
            
            lockPref("config.use_system_prefs", false);
            lockPref("network.proxy.http", "172.20.1.108");
            lockPref("network.proxy.http_port", 3128);
            lockPref("network.proxy.no_proxies_on", "localhost, 127.0.0.1, 172.20.1.0/24, 172.20.2.0/24, 172.20.5.0/24, .local, .google.com, .yahoo.com, moonshine, eclipse, nova, pulsar, blackhole");
            lockPref("network.proxy.type", 1);
            
            

            Then we go to http://alain.knaff.lu/howto/MozillaCustomization/cgi/byteshf.cgi and convert it to a mozilla.cfg file

            We run two Solaris servers that serve up the desktops to our users. Your paths will vary.
            First we put the newly created mozilla.cfg file in the directory.
            /opt/sfw/lib/firefox
            Then we add
            pref("general.config.filename", "mozilla.cfg");
            to
            /opt/sfw/lib/firefox/defaults/pref/firefox.js

            In theory though you can do that on Windows, Linux and Mac systems. I am extremely grateful that we use a server/thin client model because I only have to set this up on two servers. If I worked in an old school office where everyone had their own Windows PC and I had to do that for 50 different computers I would go insane... I guess you could have all the Windows machines controlled by a Primary Domain Controller or something so you wouldn't have to manually do that on multiple Windows machines. It's been so long since I've worked with Microsoft products I can only vaguely recall what's possible...

            Another variation is to use a PAC file instead. You lock all the browsers down to use a PAC file hosted on an internal website. The advantage is you can easily modify the allowed sites in the PAC file, versus modifying a mozilla.txt, converting it to a mozilla.cfg file, then uploading the newly created mozilla.cfg file to all your computers and overwriting the old mozilla.cfg file.

            I think all browsers can use a PAC file.

            Another option is to set the OS itself to always use a proxy. And then you could just lock the browser down to always autodetect the proxy/use the system proxy.

            • T
              titus91360
              last edited by Sep 24, 2009, 2:37 PM

              Your solution (don't use the proxy) could only work if your default gateway has access to the Internet.
              In our configuration, the default gateway doesn't have access to the Internet; it is only used for routing traffic between different VLANs.
              But thanks for your reply.

              • T
                titus91360
                last edited by Sep 28, 2009, 12:15 PM

                After a long search through different topics, I managed to do what I wanted.
                For anyone who is interested in my problem, here is the solution (sorry for my poor English ^^)
                I created an unauth_sites.acl file in /var/squid/acl with the list of sites (i.e. .pfsense.org .google.com, one site per line)
                I modified squid.inc like this

                acl unauth_sites dstdomain "/var/squid/acl/unauth_sites.acl"

                http_access allow unauth_sites

                Relaunch squid services and it's ok ;)

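Added example, not part of the original posts or of the pfSense Squid package: a simplified Python model of Squid's first-match `http_access` evaluation, showing why the `unauth_sites` rule has to sit above the rule that demands proxy authentication and how far a leading-dot `dstdomain` entry reaches. The `ldap_users` ACL name and the surrounding rules are assumptions; only the two `unauth_sites` lines and the two domains come from the thread.

```python
# Simplified model of Squid's first-match http_access evaluation (illustration only).
UNAUTH_SITES = [".pfsense.org", ".google.com"]  # unauth_sites.acl entries named in the post

# Assumed surrounding rules; only the unauth_sites lines come from the thread.
AUTH_FIRST = """
acl unauth_sites dstdomain "/var/squid/acl/unauth_sites.acl"
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access allow unauth_sites
http_access deny all
"""
BYPASS_FIRST = """
acl unauth_sites dstdomain "/var/squid/acl/unauth_sites.acl"
acl ldap_users proxy_auth REQUIRED
http_access allow unauth_sites
http_access allow ldap_users
http_access deny all
"""

def dstdomain_match(host, entries):
    """'.example.com' matches the domain and its subdomains; 'example.com' only itself."""
    host = host.lower().rstrip(".")
    return any(host == e.lstrip(".") or (e.startswith(".") and host.endswith(e))
               for e in (x.lower() for x in entries))

def evaluate(conf, host, authenticated):
    """Return 'allow', 'deny' or '407' (credentials requested) for one request."""
    acls, rules = {}, []
    for parts in (line.split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":
            acls[parts[1]] = parts[2]
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    for action, names in rules:                  # rules are tried top to bottom
        matched = True
        for name in names:                       # ACLs on one line are ANDed
            kind = acls.get(name, "all")         # undefined names (here only 'all') always match
            if kind == "proxy_auth" and not authenticated:
                return "407"                     # challenge as soon as auth is needed
            if kind == "dstdomain" and not dstdomain_match(host, UNAUTH_SITES):
                matched = False
                break
        if matched:
            return action                        # first matching line decides
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid inverts the last rule
```

Every host under a leading-dot entry is reachable without credentials, so `.google.com` exempts every Google subdomain, not only the search page; keep the list as narrow as the use case allows.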