Here is a suggestion, if someone knows how to port a Perl script to C
please? I am not that good with C but require the speed of it.
I know the Transparent Proxy you can't authenticate to due to the nature of
the Proxy login system. But here is an alternative which will satisfy the
login scheme as well as support the Transparent proxy. So now you can use
redirectors which use the SQUID redirectory interface BUT chnage the user
ID based on thier IP address... now here is the clintcher, it has to do the
IPADDRESS->username lookup on EVERY REQUEST!
This is to allow DYNAMIC name changes (login/logout) as well as change of
security permissions. The login/logout facility would be handled via a web
page CGI script which would post the IPaddress (of the user requesting
change in access) and the new USER ID to use.
The USERID's would be along the lines of: ACL TAGS, so depending on the
userid you can use (in this aspect, I am using SquidGuard) the redirectors
ACL lists to allow certain UserID's (and in the mean time forget totally
about the IP ADDRESS in the redirector).
Now the redirector can have STATIC security levels and once a user logs
into the security page, can depending on their credentials it will publish
a userid with a unique meaning, for example, allow access to GAMBLING sites
if that were blocked via the redirector.
Here is how I implemented the system using perl, i borrowed a perl script
from another package by Cameron Simpson <cs@zip.com.au> "ZAPCHAIN" to chain
2 redirectors together. then my Perl script:
#!/usr/bin/perl
$|=1;
$accessfile = "/usr/local/squid/etc/ipguard.acc";
while(<>) {
$a = $_;
#$u = URL $h = HOST $usr = USER/FQDN $met = METHOD
($u,$h,$usr,$met) = split(/ /,$a);
($ip,$fqdn) = split(/\//,$h);
open (FILE,"<$accessfile");
@a = <FILE>;
close(FILE);
foreach $a (@a) {
chomp($a);
($alip,$alusr) = split(/:/,$a);
if ($alip eq $ip) { $usr = $alusr; }
}
print STDOUT "$u $ip/$fqdn $usr $met\r";
}
The accessfile contains 2 items: IPADDRESS & USERNAME.
If the ipaddress is in the list change Squid's username to the one
specified in the file, otherwise pass the old username.
Now to expire userid's (and change them back to the default security) and
even escalate their access higher all you have to do is change the username
for their IP address.
And now you don't have to SIGHUP the squid process or any of its
redirectors, since its reading the file every time. I know this puts a
burden on the OS and the file system but to allow dynamic user level
changes without restarting the server its pays the price!!
Please people tell me what you think about this idea, and weather or not
someone can implement the PERL code into C for me??
Received on Tue Jul 02 2002 - 13:56:13 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:00 MST