[KLUG Members] Squid

Adam Tauno Williams adam at morrison-ind.com
Tue Nov 23 14:51:02 EST 2004


> the proxy runs without any errors but clients can access the net without any
> authentication.....
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow localhost
> http_access allow lan  <-----------------*******
> http_access deny all
> miss_access allow all

* Your lan definition is "acl lan src
192.168.0.75-192.168.0.77/255.255.255.255",  this allows everyone.

I don't even know what NCSA authentication is, but I think this is more
about ACL declaration than a specific authentication mechanism.

Ours for LDAP looks like -
...
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "o=Morrison Industries,c=US" -h littleboy -f "(&(objectclass=posixAccount)(uid=%s))" -s sub
auth_param basic children 5
auth_param basic Realm Squid proxy-caching web server
...
external_acl_type ldap_group concurrency=10 %LOGIN /usr/lib/squid/squid_ldap_match -b "o=Morrison Industries,c=US" -f "(&(objectclass=posixGroup)(memberuid=%u)(cn=%g))" -s sub -P -h littleboy
acl ldap_internet external ldap_group internet
acl public_list url_regex "/etc/squid/public_list.text"
acl ban_list url_regex "/etc/squid/ban_list.text"
....
http_access deny ban_list
http_access allow public_list
http_access allow ldap_internet
http_access deny all

Here:
1st - A text file with a list of banned sites (banned for everyone, no
exceptions: Webshots & AOL!)
2nd - A text file with a list of public sites; anyone can visit these,
no authentication required.
3rd - Anything not matched by 1 or 2 can be accessed by providing a
username and password, provided you're a member of the posixGroup
"internet".

Anyway, I hope that helps as a template for how to create an ACL that
requires some authentication.
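The difference between the two http_access chains in this thread comes down to Squid's first-match evaluation: a plain src ACL ("lan") matches before any rule ever asks for credentials, while an external ACL built on %LOGIN can only match once a user has logged in. The following is an added model of that evaluation (example code written for this thread, not Squid source and not the poster's or Adam's configuration); the ban/public list contents, the client addresses and the Safe_ports/manager rules being dropped are all assumptions.

```python
import re
import ipaddress

# Constructed stand-ins for the two url_regex files named in the post.
BAN_LIST = [r"webshots\.com", r"aol\.com"]
PUBLIC_LIST = [r"^http://intranet\.example\.com/"]
# acl lan src 192.168.0.75-192.168.0.77/255.255.255.255 from the quoted config.
LAN_LO, LAN_HI = ipaddress.ip_address("192.168.0.75"), ipaddress.ip_address("192.168.0.77")

# Rule chains as (action, acl) pairs; like http_access lines, first match wins.
AUTHOR_CHAIN = [("deny", "ban_list"), ("allow", "public_list"),
                ("allow", "ldap_internet"), ("deny", "all")]
POSTER_CHAIN = [("allow", "lan"), ("deny", "all")]   # manager/Safe_ports lines omitted

def acl_match(name, req):
    """Evaluate one ACL; None means Squid must first challenge for credentials."""
    if name == "all":
        return True
    if name == "lan":                      # src ACL: decided from the client IP alone
        return LAN_LO <= ipaddress.ip_address(req["src"]) <= LAN_HI
    if name == "ban_list":
        return any(re.search(p, req["url"]) for p in BAN_LIST)
    if name == "public_list":
        return any(re.search(p, req["url"]) for p in PUBLIC_LIST)
    if name == "ldap_internet":            # external ACL with %LOGIN: needs a logged-in user
        if req.get("user") is None:
            return None                    # Squid answers 407 Proxy Authentication Required
        return "internet" in req.get("groups", ())   # squid_ldap_match on posixGroup "internet"
    raise KeyError(f"unknown acl {name}")

def http_access(chain, req):
    """Return 'allow', 'deny' or 'auth_required' for a request under a rule chain."""
    for action, acl in chain:
        result = acl_match(acl, req)
        if result is None:
            return "auth_required"
        if result:
            return action
    # Squid's default when no rule matched: the opposite of the last rule's action.
    return "deny" if chain[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    anon = {"url": "http://www.example.net/", "src": "192.168.0.76"}   # constructed request
    print(http_access(POSTER_CHAIN, anon))   # allow: "lan" matched, nobody was ever asked to log in
    print(http_access(AUTHOR_CHAIN, anon))   # auth_required: only ldap_internet could allow this URL
```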
