Mix Authenticated and Non Authenticated Proxy Users¶
We are trying to achieve the following scenario - a group of servers needs to access only specific set of URLs and all other proxy users need to be authenticated and filtered by different policies based on their Active Directory group membership. Is it possible?
Yes this is possible and can be achieved by the following configuration.
Enable proxy authentication in UI / Squid / Auth, for more information see the article Integration with Microsoft Active Directory. This will require all proxy users to authenticate.
Identify your servers somehow, usually this is done by keeping IP addresses of your servers in the same subnet. Let it be subnet 192.168.4.0/24 for our example.
Exclude given server subnet from authentication in UI / Squid / Exclusions / by Authentication. This allows connections from the server subnet to the proxy to be non-authenticated.
Add the server subnet to the UI / Web Filter / Policies / Locked Policy/ Members by Subnet. Configure the locked policy as needed allowing connections to a handful of web sites and blocking all others.
Configure other policies by Active Directory group memberships as required.
Click Save and Reload in the Admin UI.
The connections from server subnet will not be authenticated and will be filtered by the Locked policy. All other connections will be authenticated and filtered by configured policies. Exactly as required.