Re: external ACL

From: Robert Collins <robert.collins@dont-contact.us>
Date: 03 Aug 2001 08:41:46 +1000

On 19 Jul 2001 23:23:00 +0200, Henrik Nordstrom wrote:
> Robert Collins wrote:
>
> > > Or 4, make challenge processing/generation/IP verification more cleanly
> > > separated from the proxy_auth ACL match.
> >
> > I've no objection to tweaking/refactoring/whateveryouwanttocallit the
> > abstraction. It's not quite right as it is. I have some pending work in ntlm
> > that will affect such rearrangements - I'll try and get it finished up asap,
> > and see if I can rearrange the logic at the same time.
>
> Good.

Done, and contained in the patch sent in last night.

> > I don't think the IP verification should be tied to the authentication too
> > tightly - the whole point of external ACLs as I understood was to allow
> > more custom processing. Thoughts here?
>
> We can split it by moving the IP check to its own ACL. The main reason
> why it is merged into proxy_auth is because it was very simple to do
> so at the time.
>
> Actually, splitting it is probably a good idea. Both from a code
> perspective and from a configuration perspective. The code gets cleaner,
> and the configuration more flexible.

Also done.

> The strict mode is fairly straightforward to implement. Simply have an
> ACL that denies accesses from another IP while the IP TTL is still
> fresh.

Done - but better still - strict can be strictly 2 IPs, i.e. allow 2 IP
addresses but no more than 2. Strict denies the request above n IPs.
Non-strict denies the request and flushes the cache when more than n
IPs are seen.

> If split, we would end up with 3 ACL types that require a valid
> authenticated user id (proxy_auth, proxy_auth_regex, one_ip_per_user)
> plus the external ACL type that may require a valid authenticated user
> id.

I haven't added the external auth, but you should be able to do that
quite easily now. You need to duplicate the code in the aclMatchAcl case
statement for the proxy_auth, proxy_auth_regex and max_user_ip cases. You
need to duplicate that because external auth doesn't _always_ require
authentication.

Rob
>
> --
> Henrik
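A model of the strict versus non-strict max_user_ip behaviour described in the message above, added here as an illustration; it is not Squid's code nor Robert's patch. It assumes a per-user cache of source IPs with a TTL (constructed sizes MAX_IPS and MAX_USERS, a hypothetical `max_user_ip_match` function) and shows how the two modes differ once a user exceeds n IPs: strict keeps denying the extra IP until the TTL expires, non-strict denies once and flushes the cache.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_IPS 8      /* constructed limits for this model, not Squid's own */
#define MAX_USERS 16
struct user_ips {      /* per-user cache of source IPs seen within the TTL */
    char user[32];
    char ips[MAX_IPS][16];
    long seen[MAX_IPS];
    int count;
};
static struct user_ips table[MAX_USERS];
static int nusers;

static struct user_ips *lookup(const char *user) {
    for (int i = 0; i < nusers; i++)
        if (strcmp(table[i].user, user) == 0)
            return &table[i];
    /* New user: take the next free slot, or evict the last one when full. */
    struct user_ips *u = &table[nusers < MAX_USERS ? nusers++ : MAX_USERS - 1];
    strncpy(u->user, user, sizeof u->user - 1);
    u->count = 0;
    return u;
}
/* Returns true when the max_user_ip ACL matches, i.e. the request is DENIED. */
bool max_user_ip_match(const char *user, const char *ip, int max, long ttl,
                       bool strict, long now) {
    struct user_ips *u = lookup(user);
    for (int i = 0; i < u->count;) {             /* forget IPs whose TTL expired */
        if (now - u->seen[i] >= ttl) {
            u->count--;
            strcpy(u->ips[i], u->ips[u->count]);
            u->seen[i] = u->seen[u->count];
        } else i++;
    }
    for (int i = 0; i < u->count; i++)
        if (strcmp(u->ips[i], ip) == 0) {        /* known IP: refresh and allow */
            u->seen[i] = now;
            return false;
        }
    if (u->count < max && u->count < MAX_IPS) {  /* new IP, still within limit */
        strncpy(u->ips[u->count], ip, sizeof u->ips[0] - 1);
        u->seen[u->count++] = now;
        return false;
    }
    /* Over the limit. Strict mode keeps the cache, so the extra IP stays denied
       until the TTL expires; non-strict flushes it, so the next request starts fresh. */
    if (!strict) u->count = 0;
    return true;
}
```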
Received on Thu Aug 02 2001 - 16:38:58 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:09 MST