Re: [squid-users] authenticate_program

From: David Flynn <Dave@dont-contact.us>
Date: Mon, 28 May 2001 19:09:54 +0100

Hi Matt,
    I don't know if this would be of any use (anyone feel free to offer
comments about the system). I've been developing some software and ideas for
a while for a similar system for potential use in a school environment. The
system is in an early alpha stage (we've already done one production run with
some promising results (it finished last week)). The way the system works
is as follows:

We don't do anything with squid, we leave squid as a caching proxy.
I implemented a daemon that acts as the "front end" to the squid cache, so
when a client comes along, it sends its request to our daemon (called TPd),
this then performs identification based on several possible methods (only
one is 'working' at the moment), then some SQL is used to check to see if
the request is allowed etc ... if it isn't, an access denied page is
constructed and sent back to the client, if it is allowed, the request is
forwarded to squid.

The current identification method is for use on an NT network (this has been
implemented first as the school we are basing the development of this around
uses NT) where a central server is notified of logins by use of a login
script, and some yet to come jiggery pokery magic. NetBIOS is used as the
naming system for workstations in this model. User details are grabbed from
the NT DCs by use of RPC calls ...

As the system is more so designed for schools, it allows access control with
any combination of the following parameters :
+ the site uri
+ the access times
+ the user's name
+ the workstation

so you can limit users from a particular site on a particular workstation
at a particular time, or just a particular site on a particular workstation,
it's all interchangeable.

If any of this sounds interesting, or if anyone has any comments, please do
air them.

Thanks,

Dave

PS: I haven't made much of the workings clear, and what I have said is in a
rather haphazard way, mainly due to the fact it's now 00:36 and I am long
overdue on some sleep ...

nite :-)
---------------------------------------
The information in this e-mail and any files sent with it is confidential to
the ordinary user of the e-mail address to which it was addressed and may
also be legally privileged. It is not to be relied upon by any person other
than the addressee except with the sender's prior written approval. If no
such approval is given, the sender will not accept liability (in negligence
or otherwise) arising from any third party acting, or refraining from
acting, on such information. If you are not the intended recipient of this
e-mail you may not copy, forward, disclose or otherwise use it or any part
of it in any form whatsoever. If you have received this e-mail in error
please notify the sender immediately, destroy any copies and delete it from
your computer system. Have a nice Day !
---------------------------------------------

----- Original Message -----
From: Matt Johnson
To: 'Robert Collins' ; squid-users@squid-cache.org ;
squid-dev@squid-cache.org
Sent: Sunday, May 27, 2001 2:41 AM
Subject: RE: [squid-users] authenticate_program

My directory contains specific IPs, and specific URLs that a user has access
to, and I am wanting to authenticate a user based on that information. So,
getting the IP, and URL passed to my authentication program is a must. I
just have to figure out how to make Squid do this. :-)
As I get into it more, it's kind of sounding like the best method would be to
make a way for SOME parts of access control to be handled by an external
program, rather than modifying the way that proxy authentication is handled.
The End Goal:
Give external program all the information it needs to decide if the page
should be rejected or delivered to the requestor. That could include
username, password, IP, URL, or ? if there was any other information
available about the request. A rejection or denial of the access would work
for starters, but it would also be nice to be able to give conditions for
why the request was rejected, and a set of different actions to take for
them.
Matt

|-----Original Message-----
|From: Robert Collins [mailto:robert.collins@itdomain.com.au]
|Sent: Saturday, May 26, 2001 8:15 PM
|To: Matt Johnson; squid-users@squid-cache.org;
|squid-dev@squid-cache.org
|Subject: Re: [squid-users] authenticate_program
|
|
|----- Original Message -----
|From: "Matt Johnson" <mjohnson@iblp.org>
|To: <squid-users@squid-cache.org>; <squid-dev@squid-cache.org>
|Sent: Sunday, May 27, 2001 5:09 AM
|Subject: [squid-users] authenticate_program
|
|
|> I am wanting to use an external program to authenticate users
|accessing my
|> squid proxy server.
|>
|> One thing that I need to do is to have the IP address of the user to
|be
|> passed to my external authentication program.
|>
|> I'm wanting to know if there is a way I can do this in the squid.conf
|file,
|> or if it requires customizing the squid source code. If I need to
|customize
|> the source code, anyone have any suggestions on where to start?
|
|You need to alter the squid-basic auth helper protocol. See
|authenticate.c (2.4 and before) or src/auth/basic/auth_basic.c
|(2.5dev).
|You also need to alter the in-squid logic to allow squid to treat two
|users with the same name as different if they have different IPs.
|
|> It would be rather nice if you could do something like:
|> authenticate_program /home/mjohnson/code/auth.pl %IPADDRESS%
|
|That cannot work. You only have one authenticate_program.
|
|> Any suggestions on how to do this would be appreciated.
|
|I'd suggest you revisit the need for the ip address. The authenticate
|helper is meant for _authentication_ not _access control_. If the IP
|address is part of logging the user into your user directory, then it
|makes sense. If not, I suspect you will be making things more difficult
|for yourself.
|
|Rob
|
|> Matt Johnson
|>
|
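Both requests in this thread, Dave's TPd front end that combines site, time, user and workstation in SQL, and Matt's wish for an external program that is handed the username, address and URL and answers allow or deny with a reason, come down to the same line-oriented decision helper. The following is an added example written for this archive page; it is not TPd, not Matt's auth.pl and not any helper shipped with Squid. It assumes a request line of the form "<user> <workstation> <url>" on stdin and replies "OK" or "ERR <reason>"; the deny_rules table, its columns and the sample rules are all constructed here for illustration.

```python
"""Added example: a stdin/stdout access-control helper in the spirit of the
thread.  Not TPd and not a Squid-shipped helper.  Assumed line format:
    <user> <workstation> <url>
Reply: "OK" or "ERR <reason>".  Rule table and sample rules are constructed."""
import sqlite3
import sys
from datetime import datetime
from urllib.parse import urlsplit

# Constructed deny rules.  None (SQL NULL) in a column means "any value".
# Times are "HH:MM" strings; a window whose start is later than its end
# wraps past midnight.  Anything no rule matches is allowed.
SAMPLE_RULES = [
    # (site,           start,   end,     user,     workstation)
    ("games.example",  None,    None,    None,     None),         # everyone, always
    ("chat.example",   "09:00", "15:30", None,     None),         # during school hours
    ("news.example",   None,    None,    "jsmith", None),         # one user
    ("video.example",  None,    None,    None,     "LAB1-PC07"),  # one workstation
    ("mail.example",   "22:00", "06:00", None,     "LIB-PC01"),   # overnight window
]

# Every request value is bound as a parameter; only the trusted site column
# takes part in the LIKE pattern, so a hostile URL or username cannot change
# the query.  Host matching is exact or by domain suffix ("www.games.example").
DENY_QUERY = """
SELECT site, t_start, t_end, username, workstation FROM deny_rules
WHERE (username IS NULL OR username = :user)
  AND (workstation IS NULL OR workstation = :ws)
  AND (:host = site OR :host LIKE ('%.' || site))
  AND (t_start IS NULL
       OR (t_start <= t_end AND :now BETWEEN t_start AND t_end)
       OR (t_start >  t_end AND (:now >= t_start OR :now <= t_end)))
LIMIT 1
"""


def open_rules(rules=SAMPLE_RULES):
    """Build an in-memory rule table (a real deployment would point at its own DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deny_rules (site TEXT NOT NULL, t_start TEXT, "
                 "t_end TEXT, username TEXT, workstation TEXT)")
    conn.executemany("INSERT INTO deny_rules VALUES (?, ?, ?, ?, ?)", rules)
    return conn


def host_of(url):
    """Lowercased hostname of a request URL, port stripped.  A bare
    "host:port" target (what a CONNECT request carries) is handled too."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()


def check_request(conn, user, workstation, url, now=None):
    """Return (allowed, reason).  'now' is "HH:MM"; defaults to the wall clock."""
    now = now or datetime.now().strftime("%H:%M")
    params = {"user": user, "ws": workstation, "host": host_of(url), "now": now}
    row = conn.execute(DENY_QUERY, params).fetchone()
    if row is None:
        return True, None
    site, t_start, t_end, r_user, r_ws = row
    why = ["site %s" % site]
    if t_start:
        why.append("between %s and %s" % (t_start, t_end))
    if r_user:
        why.append("for user %s" % r_user)
    if r_ws:
        why.append("on workstation %s" % r_ws)
    return False, " ".join(why)


def handle_line(conn, line, now=None):
    """One protocol exchange: request line in, "OK" or "ERR <reason>" out."""
    fields = line.strip().split()
    if len(fields) != 3:
        return "ERR malformed request line"
    user, ws, url = fields
    allowed, reason = check_request(conn, user, ws, url, now)
    return "OK" if allowed else "ERR " + reason


def main():
    conn = open_rules()
    for line in sys.stdin:
        sys.stdout.write(handle_line(conn, line) + "\n")
        sys.stdout.flush()  # the proxy blocks on each reply; buffering would stall it


if __name__ == "__main__":
    main()
```

Run it as a filter and type request lines at it; the reason string is what a front end like the one Dave describes would put on its "access denied" page, and it is the "conditions for why the request was rejected" Matt asks for. The two points worth carrying into a real helper are the bound parameters (the URL and username come from the client and must never be spliced into SQL text) and the flush after every reply.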
Received on Mon May 28 2001 - 12:10:09 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:19 MST