If a user is authenticated at the proxy you cannot “log out” and re-authenticate. The user usually has to close and re-open the browser windows to be able to re-login at the proxy. A simple configuration will probably look like this:
acl my_auth proxy_auth REQUIRED http_access allow my_auth http_access deny all
But there is a trick which can force the user to authenticate with a different account in certain situations. This happens if you deny access with an authentication related ACL last in the http_access deny statement. Example configuration:
acl my_auth proxy_auth REQUIRED acl google_users proxyauth user1 user2 user3 acl google dstdomain .google.com http_access deny google !google_users http_access allow my_auth http_access deny all
In this case if the user requests www.google.com then first second http_access line matches and triggers re-authentication unless the user is one of the listed users. Remember: it’s always the last ACL on a http_access line that “matches”. If the matching ACL deals with authentication a re-authentication is triggered. If you didn’t want that you would need to switch the order of ACLs so that you get http_access deny !google_users google.
You might also run into an authentication loop if you are not careful. Assume that you use LDAP group lookups and want to deny access based on an LDAP group (e.g. only members of a certain LDAP group are allowed to reach certain web sites). In this case you may trigger re-authentication although you don’t intend to. This config is likely wrong for you:
acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED http_access deny !ldapgroup-allowed http_access allow all
The second http_access line would force the user to re-authenticate time and again if he/she is not member of the PROXY_ALLOWED group. This is perhaps not what you want. You rather wanted to deny access to non-members. So you need to rewrite this http_access line so that an ACL matches that has nothing to do with authentication. This is the correct example:
acl ldapgroup-allowed external LDAP_group PROXY_ALLOWED http_access deny !ldapgroup-allowed all http_access allow all
This way the http_access line still matches. But it’s the all ACL which is now last in the line. Since all is a static ACL (that always matches) and has nothing to do with authentication you will find that the access is just denied
Tags:accesses, account, acl, authenticate, authentication, bases, config, configuration, configure, configured, difference, google, group, listing, log, logging, logs, rewrite, sites, squid, switch, user, what, Windows
you can also grab the RSS feed or Subscribe to Techgurulive by Email
