Disable web access for user

Hi!

Thank you for the great product and support!
I need to disable web access for one user group who will never use it; the only functionality they need is a mapped network drive, which they have.

For security reasons I want everyone who uses web access to use TOTP, but it is a bit problematic to make and configure it for all those who do not use it.

Can I disable web access for a user somehow, to allow them to use their LDAP passwords for mapping WebDAV only, without TOTP, and if they decide to use the web, we force them to use TOTP and use app passwords for WebDAV?

Thank you!

Of course this is possible. Use a transparent proxy (squid + squidguard) where you are in full control of web access.

Thank you for the reply, but correct me if I am wrong. Squid can block at host level, not at user level…
All my users are stored in Active Directory.

In my situation there are some users who are mobile but need access to some files, and I thought it would be nice to give them web access if they would use TOTP.

Also I could restrict it to VPN network…

Negative, you can authenticate users in squid against your LDAP if you want to. If you’re working with mobile users and AD policies, you could also assign your proxy globally to your Windows clients with netsh if you’re using an open proxy:

netsh winhttp set proxy proxy-server="yourproxy:8080"

That said, I would think twice before binding a firewall/proxy to internal LDAP. I would recommend local user/group credentials: default users with tight restrictions and power users without restrictions, for instance.

IMHO VPN is not suitable for controlling web access. You gain access to an internal net, yes, but then you are sitting in front of the same problem: how to restrict web access. In the meantime malware is creeping into your network.

So indeed a combination of VPN and squid with LDAP auth would work. But then all HTTP traffic would go through your proxy. This would raise the question: how good is your internet connection?

1 Like
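
A sketch of the per-user setup the last reply describes, as an added example that is not part of the original thread: Squid authenticating users against Active Directory and allowing only members of one group. The host name, base DN, bind account, secret file, group name `WebAccess` and helper paths (Debian layout) are assumptions. Proxy authentication needs clients configured with an explicit proxy, as with the netsh line above; it does not work on a transparent (intercepting) port.

```conf
# /etc/squid/squid.conf (fragment) - constructed example, every name below is a placeholder

# Explicit proxy port. Do not add "intercept" here: Squid cannot request
# proxy credentials from clients that do not know they are using a proxy.
http_port 8080

# Basic auth helper: find the user by sAMAccountName, then bind as that user.
# -D / -W use a dedicated read-only bind account whose password sits in a root-only file.
# Basic credentials are only base64-encoded between client and proxy, so keep this
# port reachable from trusted networks only.
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -H ldaps://dc1.example.internal -b "dc=example,dc=internal" -D "cn=squid-bind,ou=Service,dc=example,dc=internal" -W /etc/squid/ldap.secret -f "sAMAccountName=%s"
auth_param basic realm Proxy
auth_param basic credentialsttl 1 hour

# Group lookup helper: %u is the login name, %g the group named in the acl line.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_ldap_group_acl -R -H ldaps://dc1.example.internal -b "dc=example,dc=internal" -D "cn=squid-bind,ou=Service,dc=example,dc=internal" -W /etc/squid/ldap.secret -f "(&(objectClass=person)(sAMAccountName=%u)(memberOf=cn=%g,ou=Groups,dc=example,dc=internal))"

# User-level rule: only authenticated members of WebAccess get out.
acl web_users external ad_group WebAccess
http_access allow web_users
http_access deny all
```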