SQUID-Cache
Auth with Valid System USER with IP TTL
Written by Myung-Oh OH in DGTALX.NET
Date 2004-01-26
Squid Basic auth support SASL, PAM auth
but basic auth have some problem.
I always get request of auth everytime new IE browser or launch multiple
instance. it's very inconveniences thing. So i'm writing this howto.
This howto supports Valid System User + IP TTL Auths
*NOTE* this program based on Squid 2.5
I don't secure this howto from security problem, setuid exploits.
Procedures --
1st phase - Launching New IE -> check ip ttl -> ACCESS DENY Page -> PHP
Program -> Check valid user (pam) -> ACCESS OK (when add user's ip) 2nd
phase - Launching New IE -> check ip ttl -> ACCESS OK
Step one. Edit Squid configuration file
NOTE : AUTH.DGTALX.NET is just sample Example don't use this setting in your
site,
you'll need to add a new virtual host to your domain and modify this
config.
acl IPAUTH src "/www/auth.dgtalx.net/ip_auth"
acl AUTHURL dstdomain "auth.dgtalx.net"
http_access allow AUTHURL
http_access allow IPAUTH
http_access deny !IPAUTH
deny_info ERR_CACHE_ACCESS_DENIED IPAUTH
error_directory /usr/local/squid/share/errors/English
forwarded_for on
(allow unauthorated user to view auth.dgtalx.net site, but other site can't)
Step two. Edit ERR_CACHE_ACCESS_DENIED
use vi, pine editor
add below line to anywhere.
<A HREF="http://auth.dgtalx.net/auth.php?URI=%U">Login to cache server</a>
Step Three. Patch SASL AUTH
in your squid source directory
$ cd helpers/basic_auth/SASL
$ vi sasl_auth.c
then find this line
setvbuf(stdout, NULL, _IOLBF, 0);
patch this line to
setvbuf(stdout, NULL, _IONBF, 0);
(IOLBF -> IONBF)
this can control to fifo node
Step Four. install SASL auth
in your squid source directory
$ ./configure --enable-basic-auth-helpers="SASL"
$ cd helpers
$ make
$ make install
Step Five. configuration SASL auth
Make squid_sasl_auth.conf file to /usr/lib/SASL
$ echo "pwcheck_method:pam" > /usr/lib/SASL/squid_sasl_auth.conf
copy pam control file to /etc/pam.d
$ cp /your squid source directory/helpers/basic_auth/SASL/squid_sasl_auth
/etc/pam.d
Complete
Step Six. Configure Apache virtual host
this step make a new virtual host for unauthorazation user access.
<VirtualHost dgtalx.net>
DocumentRoot /www/auth.dgtalx.net
ServerName auth.dgtalx.net
</VirtualHost>
(i think you will need to add cgi control tag here)
Step Seven. Make php file
input below content to your phpfile
=============== CUT LINE ==================
<?
function authenticate() {
Header( "WWW-authenticate: basic realm=\"X-Network Cache Server\"
");
Header( "HTTP/1.0 401 Unauthorized");
$title= "Don't Try it - Invalid Login";
?>
Only for valid system user
<?
exit;
}
if(!isset( $_SERVER['PHP_AUTH_USER'] ) ) {
authenticate();
} else {
$php_auth_us = $_SERVER['PHP_AUTH_USER'];
$php_auth_pw = $_SERVER['PHP_AUTH_PW'];
$passvar = popen("/www/auth.dgtalx.net/sasl_auths > sasl_get", 'w'); if
(!$passvar) {
echo "login failed";
exit;
}
fputs($passvar, "$php_auth_us $php_auth_pw\n");
$fo = fopen("sasl_get", "r");
if ( !$fo ) echo "login failed";
$readvar = fread($fo, 100);
fclose($fo);
pclose($passvar);
if ( $readvar == "OK" ) {
$host = getenv("HTTP_X_FORWARDED_FOR");
echo "IP - $host Access Granted";
$iplog = "$host\n";
$fp=fopen("ip_auth", 'a+r');
$iplist=fread($fp, filesize("ip_auth"));
if ( eregi($host, $iplist) ) { echo "<BR>your ip already logged"; } else {
fwrite($fp, $iplog, strlen($iplog));
fclose($fp);
sleep(1);
system("./squid -k reconfigure");
header("Location: $uri");
}
}
else echo "login failed";
}
?>
===========================================
Step Eight. Make fifo node
$ cd /www/auth.dgtalx.net
$ mkfifo sasl_get
$ chmod 660 sasl_get
$ chown nobody.nobody sasl_get
(this effective user and group must follows apache setting)
Step Nine. Copy binary files
$ cp /usr/local/squid/sbin/squid /www/auth.dgtalx.net/
$ cp /usr/local/squid/libexec/sasl_auth /www/auth.dgtalx.net/
$ cd /www/auth.dgtalx.net
$ chown root.nobody sasl_auth
$ chown nobody.nobody squid
$ chmod 4750 sasl_auth
$ chmod 4750 squid
Step Ten. Starting Squid
you must start squid daemon to user nobody (or your apache effective user)
$ sudo -u nobody /usr/local/sbin/squid
Step Eleven. Add to crontab
6 is ip TTL, this code will clear ip list csv data. (ip_auth)
$ crontab -e -u nobody
input this line
0 6 * * * echo "127.0.0.1" > /www/auth.dgtalx.net/ip_auth ;
/usr/local/squid/sbin/squid -k reconfigure
Complete. good luck to you
(I'm writing this howto to multi-language English, Korean, Japanese)
www.dgtalx.net -> Linux HowTo check the other language
Received on Sun Feb 01 2004 - 02:10:01 MST
This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:01 MST