I'm setting squid up with squidGuard to act as a content filter.
I'd like to configure squid so that by default users' web traffic flows through squidGuard. E.g. users browsing on a desktop, or a laptop roaming around on our wireless.
If the user optionally authenticates (somehow), then for a period of time their internet is filtered differently based on which user authenticated. E.g. someone in charge of our social networking presence should be allowed to browse Facebook.
Ideally I'd really like it if squid did not prompt for authentication at all. Requiring users who need custom filtering to visit a certain URL or some other method to authenticate while leaving the proxy as transparent to the normal users as possible is my design goal.
Some ideas I've seen so far include:
- Using Basic Authentication - I don't like this solution as it will pop up a login window for users.
- Writing a custom external_acl_type handler - I will if I have to, but I'd rather have an off-the-shelf solution.
Any advice on where to look next?
One way I could think of is certainly possible, but likely way too involved for a home network: Kerberos or something similar.
Set up either a Windows Server with Active Directory or a Samba Server with LDAP and Kerberos auth. Log your users into this, and use a compatible browser. Squid will detect the user is already authenticated and who he is and act accordingly.
There are config examples for this on the Squid site.
You could simply run two copies of Squid, with different rules, one with authentication and one without.
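As an added example (not code from any poster in this thread), here is what the custom `external_acl_type` handler mentioned in the question could look like: a helper that receives the client IP (`%SRC`) from Squid and answers `OK user=<name>` only while that IP has an unexpired session. The session file path, its `ip user expiry_epoch` line format, and the login page that would write it are all assumptions, and the helper speaks the non-concurrent protocol (one request line in, one reply line out).

```python
"""Squid external ACL helper: map a client IP to a time-limited login session."""
import ipaddress
import re
import sys
import time

SESSION_FILE = "/var/lib/squid/ip_sessions.txt"  # hypothetical; written by a login page
USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")  # only names safe to echo back to Squid


def parse_sessions(text):
    """Parse 'ip user expiry_epoch' lines into {ip: (user, expiry)}; skip bad lines."""
    sessions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not USER_RE.match(parts[1]):
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
            # int() rejects 'nan'/'inf', which would otherwise never expire
            sessions[ip] = (parts[1], int(parts[2]))
        except ValueError:
            continue
    return sessions


def answer(request_line, sessions, now):
    """Return the helper reply for one request line whose first field is %SRC."""
    try:
        ip = str(ipaddress.ip_address(request_line.split()[0]))
    except (ValueError, IndexError):
        return "ERR"
    user, expiry = sessions.get(ip, (None, 0))
    if user is None or now >= expiry:
        return "ERR"  # no session or expired: the default filtering applies
    return "OK user=" + user


def main():
    for line in sys.stdin:  # Squid writes one lookup per line
        try:
            with open(SESSION_FILE, encoding="utf-8") as fh:
                sessions = parse_sessions(fh.read())
        except OSError:
            sessions = {}  # fail closed: nobody gets the relaxed policy
        print(answer(line, sessions, time.time()), flush=True)


if __name__ == "__main__":
    main()
```

Because the session is keyed on source IP, every client sharing that address (for example behind NAT) inherits the relaxed policy until expiry, so short expiry times are the safer choice.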