Squid config question

klajosh2

Hi,
probably this is related more to squid config and not pfsense but maybe the experts here can answer my question.

I would like to do the following:

I want to authenticate my users against squid. This works fine with winbind.  (so usernames are logged) Thanks to pf2ad extension!
But I also want to allow access to squid proxy (an so the browsing on internet) without authentication?
Is there a way to solve this problem? So if a browser can send auth requests then send it I will accept it, but if browser
cannot send username/password or sends wrong username/password proxy should accept it also.

Thanks,

klajosh

chris4916

I don't think this could work. I even don't understand what would be (don't take it the wrong way please) the logic behind this.

If you configure proxy to prompt for authentication, goal is to identify users.
What would be the purpose if you say:

• please authenticate but if you can't it doesn't matter because I'm conformable with non-authenticated accesses and, BTW, I won't use it for any purpose as I only get half of the access "trusted"

Form proxy standpoint, authentication means to send back HTTP 407 to browser in order to prompt user for authentication and this until valid credential is provided.
The best you could do, IMHO, is to create something like "guest/guest" account and tell everyone that such account exists and can be used.

This aside, I suspect that behind your question there is a real need but you don't express this need and instead, describe solution to unknown need, thus this is quite difficult to discuss about alternative solution  ;)

klajosh2

Thanks for your answer.
The situation:

in the company there is a Microsoft AD based domain environment but they have wifi also and they allow their users to use their
cell phones to connect to the wifi network and there are traveling agents also whose computers are not domain member.
So the problem what needs to be solved:

• using squid to monitor the internet browsing usage
• where possible (machine/user is domain member) log the username also (some users are working in shift using the same domain machine)
• in all other cases log only ip (cell phones, travel agents)
• do not bring up authentication window in browser when accessing to the internet be as transparent as possible.

I see fake authentication "plugins" in squid what are present in pfSense also but I was not able to configure it in pfSense.

chris4916

Much clearer.
This can definitely be achieved, at Squid level, assuming, e.g., wifi users can be identified by their IP address. Or the opposite, that one can identify all "domain members" based on their IP address (e.g. range matching DHCP range for domain members).

Although I don't know how to translate it into "pfSense" syntax as I'm not using pfSense Squid package, authentication in Squid is based on ACL requiring authentication. But you may add another ACL (based on IP range for instance) permitting access without being authenticated.

This could be a workaround. Not perfect because based on IP address but assuming I understand what you describe, this is quite close.

klajosh2

ok. I will give try and will come back with my solution.