On 08/08/06, Owen O' Shaughnessy <owen.oshaughnessy at gmail.com> wrote:
> On 8/8/06, Barry O'Donovan wrote:
> > I would think that the real problem you may have with using Squid is
> > actually
> > kicking the user off once their time has expired.
>> I don't percieve that to be a problem, can do ip address acl
> manipulation without having to restart squid (or at least my memory
> tells me so), so i don't believe any other acl is going to be
You shouldn't even have to do that much.
Proxy authentication works because the browser sends the credentials
with every http request, and squid (in theory) checks the credentials
against the authenticating service for every request. Unless the
authenticator okays it, the request is denied.
In practice, in order to avoid hammering the authenticator, squid
caches credential validity for a time period -- so if the first
request has valid credentials, any subsequent request with the same
credentials is accepted by squid without it talking to the back-end.
Lower the credential cache time to a couple of minutes, and your users
may get 62 minutes of access instead of 60, but they won't get
And the proxy authentication failure error message is clear enough
that the user should know what to do in order to continue.
This all assumes that the browser knows it is using a proxy -- it is
not clear to me that "transparent proxy with user authentication" is
something you can expect to work unless you control all of the
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!