Ok. As you are not the first to ask for this feature I took some
time to implement it in a generic fashion.
Note: the changes to cf.data.pre have to be applied manually due to
conflicts with other major changes I have made to my cf.data.pre file;
too lazy to make a clean Squid-2.3.STABLE1 patch.
I have not tested the patch much, but it should work.
--
Henrik Nordstrom
Squid Hacker
http://squid.sourceforge.net/hno/

S.THOMAS wrote:
> Strict means I want to strictly allow only one m/c within the
> ip_authenticate_ttl time. I tried some code changes in acl.c,
> but got a lot of errors. I would be thankful if you could send me the
> code changes I have to make. I am not an expert in code analysis.
* squid-2.3.STABLE1.strict_authenticate_ip_ttl.patch *
Sat Feb 19 10:49:41 CET 2000
Modified Files in squid/src
cf.data.pre acl.c structs.h
Changed ip_authenticate_ttl to have a strict option, enforcing that the
user comes from one IP address only.
-----------------------------------------------------------------
Index: squid/src/cf.data.pre
diff -u squid/src/cf.data.pre:1.1.1.42.6.9 squid/src/cf.data.pre:1.1.1.42.6.10
--- squid/src/cf.data.pre:1.1.1.42.6.9 Sun Jan 23 00:59:04 2000
+++ squid/src/cf.data.pre Sat Feb 19 10:49:39 2000
@@ -995,20 +995,19 @@
DOC_END
NAME: authenticate_ttl
-TYPE: int
-DEFAULT: 3600
+TYPE: time_t
+DEFAULT: 1 hour
LOC: Config.authenticateTTL
DOC_START
- The time a checked username/password combination remains cached
- (default 3600). If a wrong password is given for a cached user,
- the user gets removed from the username/password cache forcing
- a revalidation.
+ The time a checked username/password combination remains cached.
+ If a wrong password is given for a cached user, the user gets
+ removed from the username/password cache forcing a revalidation.
DOC_END
NAME: authenticate_ip_ttl
-TYPE: int
+TYPE: time_t
LOC: Config.authenticateIpTTL
-DEFAULT: 0
+DEFAULT: 0 seconds
DOC_START
With this option you control how long a proxy authentication
will be bound to a specific IP address. If a request using
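Review bot: the TYPE change from int to time_t for both authenticate_ttl and authenticate_ip_ttl changes the accepted configuration syntax (the DEFAULT lines now read `1 hour` and `0 seconds` instead of `3600` and `0`), so an existing `authenticate_ttl 3600` line is not guaranteed to be read the same way after upgrading. The DOC_START text should say which units are accepted and whether a bare number is still taken as seconds, and since the cover note says this file has to be patched by hand, the hunk should be re-checked against the cf.data.pre actually shipped in 2.3.STABLE1.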
@@ -1019,10 +1018,14 @@
yet allow a dialup user to reconnect on a different dialup
port.
+ If the TTL is set to a negative value then the check is
+ strict, completely denying access from other IP addresses
+ until the TTL has expired.
+
The default is 0 to disable the check. Recommended value
- if you have dialup users are no more than 60 (seconds). If
+ if you have dialup users are no more than 60 seconds. If
all your users are stationary then higher values may be
- used.
+ used, or even strict checking.
DOC_END
COMMENT_START
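Review bot: the new paragraph introduces "negative value means strict" but never shows how a negative time_t value is written in the config (whether the sign goes on the number or on the unit), and the closing recommendation "or even strict checking" for stationary users should restate the trade-off from three lines earlier: in strict mode a legitimate user whose address changes is denied outright until the TTL expires, rather than asked to re-authenticate. One example line and that caveat would avoid confusion for administrators reading only this section.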
Index: squid/src/acl.c
diff -u squid/src/acl.c:1.1.1.40.6.2 squid/src/acl.c:1.1.1.40.6.3
--- squid/src/acl.c:1.1.1.40.6.2 Sun Jan 16 03:40:46 2000
+++ squid/src/acl.c Sat Feb 19 10:49:40 2000
@@ -1112,7 +1112,7 @@
/* store validated user in hash, after filling in expiretime */
xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ);
auth_user->expiretime = current_time.tv_sec + Config.authenticateTTL;
- auth_user->ip_expiretime = squid_curtime + Config.authenticateIpTTL;
+ auth_user->ip_expiretime = squid_curtime + abs(Config.authenticateIpTTL);
auth_user->ipaddr = checklist->src_addr;
hash_join(proxy_auth_cache, (hash_link *) auth_user);
/* Continue checking below, as normal */
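Review bot: `abs()` takes and returns an int, but Config.authenticateIpTTL becomes a time_t in the structs.h hunk of this same patch, so on platforms where time_t is wider than int the value is silently truncated and the compiler may warn about the implicit conversion. Since the sign is only a flag here, consider `labs()` or an explicit `Config.authenticateIpTTL < 0 ? -Config.authenticateIpTTL : Config.authenticateIpTTL`, and make sure <stdlib.h> is in scope for abs(). The same applies to the identical line in the next hunk.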
@@ -1133,7 +1133,7 @@
debug(28, 5) ("aclMatchProxyAuth: user '%s' previously validated\n",
user);
/* Update IP ttl */
- auth_user->ip_expiretime = squid_curtime + Config.authenticateIpTTL;
+ auth_user->ip_expiretime = squid_curtime + abs(Config.authenticateIpTTL);
auth_user->ipaddr = checklist->src_addr;
/* copy username to request for logging on client-side */
xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ);
@@ -1149,11 +1149,16 @@
} else {
/* user has switched to another IP addr */
debug(28, 1) ("aclMatchProxyAuth: user '%s' has changed IP address\n", user);
- /* remove this user from the hash, making him unknown */
- hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
- aclFreeProxyAuthUser(auth_user);
- /* require the user to reauthenticate */
- return -2;
+ if (!Config.authenticateIpTTL > 0) {
+ /* remove this user from the hash, making him unknown */
+ hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
+ aclFreeProxyAuthUser(auth_user);
+ /* require the user to reauthenticate */
+ return -2;
+ } else {
+ /* Strict TTL is set. Deny the "other" user access */
+ return 0;
+ }
}
} else {
/* password mismatch/timeout */
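Review bot: the condition `if (!Config.authenticateIpTTL > 0)` has a precedence bug: `!` binds tighter than `>`, so it reads `(!Config.authenticateIpTTL) > 0`, which is true only when the TTL is exactly 0. With the documented non-strict positive TTL the first branch is skipped and the user gets `return 0` (denied) instead of being removed from the cache and asked to re-authenticate with `return -2`; the new negative "strict" value behaves correctly only by accident. The intended test is `if (Config.authenticateIpTTL >= 0) {`. Separately, in strict mode every request from the other address now reaches the `debug(28, 1)` line above it, which logs at level 1 on each denied request; consider lowering the level or logging once per cache entry.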
Index: squid/src/structs.h
diff -u squid/src/structs.h:1.1.1.45.4.12 squid/src/structs.h:1.1.1.45.4.13
--- squid/src/structs.h:1.1.1.45.4.12 Wed Feb 2 23:32:27 2000
+++ squid/src/structs.h Sat Feb 19 10:49:40 2000
@@ -320,8 +320,8 @@
#endif
int redirectChildren;
int authenticateChildren;
- int authenticateTTL;
- int authenticateIpTTL;
+ time_t authenticateTTL;
+ time_t authenticateIpTTL;
struct {
int single_host;
char *host;
Received on Sat Feb 19 2000 - 07:23:10 MST