bypass authentication for a specific URL with squid and webmin

If you need to setup some webmin rule for bypassing authentication for a specific URL, it’s VERY easy to setup.

This is something that can be needed if you have a windows server behind a proxy and that server needs direct access to the internet in order to be activated:

Activation fails when you try to activate Windows 2008 over the Internet… 

So in this kb note microsoft is recommending you to modify your proxy server rule. Thank you Microsoft, this is really lame but thanks to your mediocrity I learned something new today.

My organization is using webmin to administer some of the linux servers. The folks here have tons of servers to manage and they are not really good at everything so using webmin can save them a lot of time.

First we need to open webmin and find the Squid section.
Click on "Servers". Then click on "Squid Proxy Server". Then click on "Access Control"
Now we need to create an ACL (Access Control List).
Go at the bottom of the page and click on the drop box and choose "URL Regexp"

What Microsoft recommends you to filter out is the following:

 
-http://go.microsoft.com/
-https://sls.microsoft.com/
-https://sls.microsoft.com:443
-http://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl
-http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl
-http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureCommunications.crl
-http://crl.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl
-http://www.microsoft.com/pki/crl/products/MicrosoftProductSecureServer.crl
-https://activation.sls.microsoft.com

Then you need to make a choice:
– MS is not so bad, you will just let anyone on your network access *.microsoft.com
or
– MS is evil, you don’t trust them, you don’t like them, you will only give access to these URLs and nothing else. 

If you choose the first solution of course you have the possibility to enable the ACL when needed and turn it off when it is not needed anymore.
If you choose the second possibility, you will have peace of mind once the operation is done, but it will probably take you a bit more time to turn on the rule. Plus you’re on your own to create the rule because I went for the first option.

So click on the button "Create new ACL"
choose a name for your ACL, try to avoid blanks or spaces or special characters.
In the next field you can type

 
.microsoft.com

In the Failure URL field you don’t need to type anything.

Now you have an ACL. You need to enable it.
On the right side of the screen, click on "Add Proxy Restriction"
Choose your new ACL. Choose "Allow" and validate.
Then you need to position your new ACL higher than your authentication rule in the list of restrictions. Use the little arrows on the right side of the list.

Once you’re done, click on "Apply changes" at the bottom of the page.

You can test by trying to go to www.microsoft.com
Be careful about something. There is a good chance that it will still ask you for credentials. This is because there are external objects on the page you are loading and they are not coming from *.microsoft.com.
Just click on cancel once or twice and you should be sorted.


One comment on “bypass authentication for a specific URL with squid and webmin

  1. Riki kusn says:

    It’s working. many thanks for sharing

Leave a Reply to Riki kusn Cancel reply

Your email address will not be published. Required fields are marked *