Re: [squid-users] authenticate_program

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sun, 27 May 2001 11:46:37 +1000

----- Original Message -----
From: "Matt Johnson" <mjohnson@iblp.org>
To: "'Robert Collins'" <robert.collins@itdomain.com.au>;
<squid-users@squid-cache.org>; <squid-dev@squid-cache.org>
Sent: Sunday, May 27, 2001 11:41 AM
Subject: RE: [squid-users] authenticate_program

> My directory contains specific IPs, and specific URLs that a user has
> access to, and I am wanting to authenticate a user based on that
> information. So, getting the IP, and URL passed to my authentication
> program is a must. I just have to figure out how to make Squid do this. :-)

Technically, you want to _authorise_ not _authenticate_.

I've not cc'd the dev list, as this is already handled by squid :]

> As I get into it more, it's kinda sounding like the best method would be
> to make a way for SOME parts of access control to be handled by an
> external program, rather than modifying the way that proxy authentication
> is handled.
>
> The End Goal:
> Give external program all the information it needs to decide if the page
> should be rejected or delivered to the requestor. That could include
> username, password, IP, URL, or ? if there was any other information
> available about the request. A rejection or denial of the access would
> work for starters, but it would also be nice to be able to give
> conditions for why the request was rejected, and a set of different
> actions to take for them.

redirectors are your friend. Here's how you set it up.
Set up a basic auth helper. This simply takes a username:password pair
and confirms that it is valid. This is triggered via the proxy_auth
acl in squid. You are able to have squid perform per-user IP and URL
checks, or if you have some dynamic system (i.e. a MySQL database) you
could use one of the patches that has been floated in the past to have
squid read its acls from the database, or...

squid can send every request, including the username and IIRC the user
IP address, to an external helper that can rewrite the URL and return it
to squid. So you can do fancy denied messages by sending a 301 that
points to your custom denied message.

Rob

> Matt
>
>
> |-----Original Message-----
> |From: Robert Collins [mailto:robert.collins@itdomain.com.au]
> |Sent: Saturday, May 26, 2001 8:15 PM
> |To: Matt Johnson; squid-users@squid-cache.org;
> |squid-dev@squid-cache.org
> |Subject: Re: [squid-users] authenticate_program
> |
> |
> |----- Original Message -----
> |From: "Matt Johnson" <mjohnson@iblp.org>
> |To: <squid-users@squid-cache.org>; <squid-dev@squid-cache.org>
> |Sent: Sunday, May 27, 2001 5:09 AM
> |Subject: [squid-users] authenticate_program
> |
> |
> |> I am wanting to use an external program to authenticate users
> |> accessing my squid proxy server.
> |>
> |> One thing that I need to do is to have the IP address of the user to
> |> be passed to my external authentication program.
> |>
> |> I'm wanting to know if there is a way I can do this in the squid.conf
> |> file, or if it requires customizing the squid source code. If I need to
> |> customize the source code, anyone have any suggestions on where to start?
> |
> |You need to alter the squid-basic auth helper protocol. See
> |authenticate.c (2.4 and before) or src/auth/basic/auth_basic.c
> |(2.5dev).
> |You also need to alter the in-squid logic to allow squid to treat two
> |users with the same name as different if they have different IP's.
> |
> |> It would be rather nice if you could do something like:
> |> authenticate_program /home/mjohnson/code/auth.pl %IPADDRESS%
> |
> |That cannot work. You only have one authenticate_program.
> |
> |> Any suggestions on how to do this would be appreciated.
> |
> |I'd suggest you revisit the need for the ip address. The authenticate
> |helper is meant for _authentication_ not _access control_. If the IP
> |address is part of logging the user into your user directory, then it
> |makes sense. If not, I suspect you will be making things more
> |difficult for yourself.
> |
> |Rob
> |
> |> Matt Johnson
> |>
> |
>
Received on Sat May 26 2001 - 19:47:12 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:19 MST
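The split Rob describes above, written out as an added example (this is not code from the thread or from the Squid project): one script that can run as the basic auth helper, where it only answers OK/ERR to a "username password" line, and as the redirector, where it receives the Squid 2.x redirector line ("URL client_ip/fqdn user method", with "-" as the user when no proxy_auth acl matched) and answers with an empty line to leave the URL alone or a "302:" redirect to a denied page carrying the reason. The user table, the per-user network and URL policy, the salt, the helper path and the denied-page URL are all constructed for the example. Two things the thread does not spell out are handled here: the denied page itself is exempted from the policy so the redirect cannot loop, and a 302 is used instead of the 301 Rob mentions, because browsers cache a 301 and would keep showing the denied page after access is granted.

```python
#!/usr/bin/env python
"""Added example: the two Squid 2.x helper roles from the thread in one script.

    authenticate_program /usr/local/bin/squid_helper.py auth       (hypothetical path)
    redirect_program     /usr/local/bin/squid_helper.py redirect   (hypothetical path)

Basic auth helper protocol: Squid writes "username password" per line and the
helper answers "OK" or "ERR".  Redirector protocol: Squid writes
"URL client_ip/fqdn user method" per line (user is "-" if no proxy_auth acl
matched) and the helper answers a rewritten URL, an empty line for "no
change", or "301:URL" / "302:URL" to have Squid send an HTTP redirect.
"""
import hashlib
import hmac
import ipaddress
import sys
from urllib.parse import urlencode

# ---- authentication (authenticate_program): credentials only ----------
_SALT = b"constructed-salt-for-the-example"    # constructed, not a real secret


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50000)


# Constructed user table; a real helper would consult LDAP, htpasswd, etc.
USERS = {"matt": _hash("s3cret"), "alice": _hash("wonderland")}
_DUMMY = _hash("")     # compared against for unknown users so timing is uniform


def check_credentials(line):
    """One line of the basic-auth helper protocol -> 'OK' or 'ERR'."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = parts
    expected = USERS.get(user, _DUMMY)
    good = hmac.compare_digest(_hash(password), expected)
    return "OK" if good and user in USERS else "ERR"


# ---- authorisation (redirect_program): who may fetch what, from where --
DENIED_URL = "http://proxy.example.net/denied"    # hypothetical denied page
# Constructed policy: per user, the client networks and URL prefixes allowed.
POLICY = {
    "matt":  {"nets": [ipaddress.ip_network("10.0.0.0/24")],
              "urls": ["http://intranet.example.net/"]},
    "alice": {"nets": [ipaddress.ip_network("10.0.1.0/24")],
              "urls": ["http://intranet.example.net/", "http://www.example.com/"]},
}


def _reason(url, client, user):
    """Return None when the request is allowed, else a short denial reason."""
    if url.startswith(DENIED_URL):
        return None          # never redirect the denied page itself: that loops
    rule = POLICY.get(user)
    if rule is None:
        return "user"        # covers "-" (unauthenticated) and unknown names
    try:
        addr = ipaddress.ip_address(client.split("/", 1)[0])
    except ValueError:
        return "ip"
    if not any(addr in net for net in rule["nets"]):
        return "ip"
    if not any(url.startswith(prefix) for prefix in rule["urls"]):
        return "url"
    return None


def authorise(line):
    """One line of the redirector protocol -> '' (allow) or '302:<denied url>'."""
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) < 4:
        # Malformed input: fail closed rather than pass the URL through.
        return "302:%s?%s" % (DENIED_URL, urlencode({"reason": "malformed"}))
    url, client, user = fields[0], fields[1], fields[2]
    why = _reason(url, client, user)
    if why is None:
        return ""
    # 302 rather than 301: browsers cache a 301, so a later, permitted request
    # for the same URL could be answered from the cached redirect.
    return "302:%s?%s" % (DENIED_URL, urlencode({"reason": why, "user": user}))


def main(role):
    handler = check_credentials if role == "auth" else authorise
    for line in sys.stdin:
        sys.stdout.write(handler(line) + "\n")
        sys.stdout.flush()   # line-oriented protocol: Squid waits for the newline


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "redirect")
```

Both roles are deliberately kept in separate functions: the auth helper never sees the URL or the client address, so it cannot be tricked into making access decisions, and the redirector never sees a password. The flush after every answer matters in practice; a helper that buffers its stdout will leave Squid waiting on the first request.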