Zentyal Forum, Linux Small Business Server
Zentyal Server => Other modules => Topic started by: Ret on November 09, 2021, 10:49:01 pm
-
I've been using Zentyal 2.2 for a long time but now I'm preparing to migrate to 7.0
I've installed 7.0 but I'm experiencing problems with proxy module:
I need to use a filter profile that lets a group of users surf only to specific sites. So I add those domains in a list with their "allow" rules. I also enable the checkbox "Block not listed domains and URLs".
The problem is that all browsers keep on asking for login credentials. (Same issue experienced by these users: https://forum.zentyal.org/index.php?topic=22446.0 )
I think I've found the solution.
According to Squid Wiki: https://wiki.squid-cache.org/action/show/Features/Authentication?action=show&redirect=SquidFaq%2FProxyAuthentication
we could use the "all" hack in squid.conf. That is, we should add "all" at the end of the deny ACL
excerpt from original squid.conf
http_access allow authorized grp~MYGROUP fltr2~df~dmn1
http_access deny authorized grp~MYGROUP
fixed squid.conf
http_access allow authorized grp~MYGROUP fltr2~df~dmn1
http_access deny authorized grp~MYGROUP all
With this last line squid accepts login credentials from browsers, lets users surf to the allowed domains and denies all others. There are no more endless login popups.
Developers: do you think you could add this fix (or a proper one) ?
Thank you!
-
You should report this bug and provide the solution and the details you can in Github.
* https://github.com/zentyal/zentyal/issues
--
"This world is ours, and by the Holy Light we will keep it safe, now and forever"
-
UPDATE: Better solution
After using my "all" workaround I've run into a new problem: when a user belongs to multiple groups and those groups have two different profile rules. If any of those profiles uses whitelists that block sites "not listed", squid won't let the user access sites that were whitelisted in another profile.
So, the solution I've found is to remove the lines "http_access deny authorized grp~MYGROUP" altogether. That's because there's already a rule denying all access to everyone at the end of squid.conf, so this way squid can check if a user can access domains that are whitelisted in a different group before denying access.
Hope this helps!!
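
Added example, not part of the forum posts and not Zentyal or Squid code: a simplified Python model of first-match http_access evaluation that compares the three rule layouts discussed in this thread (original deny line, deny line ending in "all", deny lines removed). It assumes the behaviour described on the Squid wiki page linked above, that a matching deny line whose last ACL is authentication-related makes Squid ask for credentials again; the second profile (grp~OTHERGROUP, fltr3~df~dmn1), the users and the domains are hypothetical.

```python
# Simplified model of Squid's http_access handling (not Squid's own code).
# Constructed sample data: profile names other than grp~MYGROUP / fltr2~df~dmn1
# and all domains are hypothetical.
PROFILES = [("grp~MYGROUP", "fltr2~df~dmn1"), ("grp~OTHERGROUP", "fltr3~df~dmn1")]
DOMAIN_LISTS = {"fltr2~df~dmn1": {"intranet.example"},
                "fltr3~df~dmn1": {"wiki.example"}}

def is_auth_acl(acl):
    # Assumption: "authorized" and the grp~ ACLs depend on the user's login.
    return acl == "authorized" or acl.startswith("grp~")

def acl_matches(acl, req):
    if acl == "all":
        return True
    if acl == "authorized":          # model: credentials were already sent
        return req["user"] is not None
    if acl.startswith("grp~"):
        return acl[len("grp~"):] in req["groups"]
    return req["domain"] in DOMAIN_LISTS[acl]

def build_rules(deny_tail):
    """deny_tail: "" = original, " all" = the "all" hack, None = deny lines removed."""
    rules = []
    for grp, flt in PROFILES:
        rules.append(f"http_access allow authorized {grp} {flt}")
        if deny_tail is not None:
            rules.append(f"http_access deny authorized {grp}{deny_tail}")
    return rules + ["http_access deny all"]   # final catch-all rule

def evaluate(rules, req):
    """Return 200 (allowed), 403 (denied) or 407 (credentials requested again)."""
    for line in rules:
        _, action, *acls = line.split()
        if all(acl_matches(a, req) for a in acls):   # first matching line wins
            if action == "allow":
                return 200
            # A deny ending in an auth-related ACL re-challenges instead of refusing.
            return 407 if is_auth_acl(acls[-1]) else 403
    return 403

single = {"user": "ann", "groups": {"MYGROUP"}, "domain": "blocked.example"}
multi = {"user": "bob", "groups": {"MYGROUP", "OTHERGROUP"}, "domain": "wiki.example"}

if __name__ == "__main__":
    for name, tail in (("original", ""), ("all hack", " all"), ("removed", None)):
        rules = build_rules(tail)
        print(f"{name:9} single-group={evaluate(rules, single)} "
              f"multi-group={evaluate(rules, multi)}")
```

In this model the original layout returns 407 for a blocked site (the endless login popup), the "all" variant returns 403 but also refuses the multi-group user a site whitelisted in the other profile, and removing the per-group deny lines lets evaluation reach the second profile's allow line before the final deny.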