Re: [squid-users] Authenticating users with a webpage form

From: Hugo Monteiro <hugo.monteiro@dont-contact.us>
Date: Mon, 03 Dec 2007 16:29:49 +0000

Taylor Jones wrote:
> Hello,
>
> I read the guidelines for this mailing list, and I really do hope I'm
> not asking a question you've all heard a million times. If I am, feel
> free to berate me, I probably deserve it.
>
> I am looking for a way to use a webpage with a GET/POST form to get
> the user's name and password for authentication instead of the pop-up
> that the user receives by default. I realize that this is just an
> aesthetic kind of thing, but I'm nothing if not obsessive, and I hate
> that I can't tell a user where he is and what he needs to do to gain
> access to our proxy server. Honestly, this shouldn't be that hard to
> implement, I just don't really know where I should start. Any help you
> guys could give me would be much appreciated!
>
>

Hello,

I have something similar working, through the use of a small helper
written originally by Steffen Dettmer, and available here:

http://sws.dett.de/squid-IP_AUTH.shtml

That information is a bit old, though it works, and the best part is that
the patch he makes available is no longer required (I'm using 2.6.5
from Debian Etch). You only have to set up the helper program.

That said, I post here my relevant squid configuration lines.

# Define the helper program to use
external_acl_type externaluser ttl=0 children=1 %SRC /usr/lib/squid/squid_ip_auth/squid_ip_auth

# ACL definition
acl externaluser_acl external externaluser IP_AUTH

# Grant access to whoever is validated by the helper
http_access allow externaluser_acl

# Set a new error page for denied access (usually ERR_ACCESS_DENIED)
deny_info ERR_SQUID_IP_AUTH_ACCESS_DENIED all

Basically the helper uses a fifo to keep track of the IP addresses of
authenticated users, and updates the information each time the user
"hits" the proxy server. That way when the user authenticates the first
time it starts a new session which will have a configurable TTL and is
always accounted from the last proxy hit from that user address.

The pros of such an approach are the possibility of using a custom
authentication page, even using HTTPS to make the POST of user
credentials (the reason I'm using this).

The cons are that the access is provided on an IP address basis and not
on a real user basis. Very much like the way that PBS (POP before SMTP)
works.

I have made some modifications to Steffen's work so I could use LDAP as
an authentication backend, and possibly extend the type of backend to use.

NOTE1: In order to make this usable, you will need to configure the
proxy address (where the form is located) in the bypass address list of
the browser. Either set this manually or by using a .pac file.
NOTE2: You will need to run a web server capable of executing the
login.cgi script, which is basically the page where the POST is submitted.

I'm sending my modified version as attachment.

Hope this helps.

Regards,

Hugo Monteiro.

-- 
ci.fct.unl.pt:~# cat .signature
Hugo Monteiro
Email	 : hugo.monteiro@fct.unl.pt
Telefone : +351 212948300 Ext.15307
Centro de Informática
Faculdade de Ciências e Tecnologia da
		   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.ci.fct.unl.pt	      apoio@fct.unl.pt
ci.fct.unl.pt:~# _
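As an added example (not Steffen's helper nor Hugo's modified version), here is a minimal squid external ACL helper in Python that follows the mechanism described in the post above: login.cgi writes an authenticated client IP into a FIFO, and the helper answers OK while that IP's session, refreshed on every proxy hit, is within its TTL. The FIFO path, the 600-second TTL and the "<client-ip> IP_AUTH" request line (what squid 2.6 sends for the %SRC format with the IP_AUTH acl argument) are assumptions; ttl=0 in external_acl_type matters because a cached verdict would stop hits from reaching the helper.

```python
import os, sys, time
# Squid external ACL helper modelled on the post's squid_ip_auth scheme (added
# example, not the original). Squid sends "<client-ip> IP_AUTH" per lookup (%SRC
# plus the acl argument) and expects "OK"/"ERR"; ttl=0 means no cached verdicts.
SESSION_TTL = 600                          # assumed: idle seconds before a session dies
FIFO_PATH = "/var/run/squid_ip_auth.fifo"  # assumed path; login.cgi writes IPs here

class IpSessionTable:
    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self.last_seen = {}               # client IP -> time of last hit or login

    def login(self, ip, now):
        self.last_seen[ip] = now          # login.cgi has verified the credentials

    def check(self, ip, now):
        seen = self.last_seen.get(ip)
        if seen is None:
            return False
        if now - seen > self.ttl:
            del self.last_seen[ip]        # session expired: drop it
            return False
        self.last_seen[ip] = now          # TTL is counted from the last hit
        return True

def handle_request(table, line, now):
    # Turn one squid request line into the OK/ERR reply squid expects.
    fields = line.split()
    if len(fields) < 2 or fields[1] != "IP_AUTH":
        return "ERR"                      # malformed line or foreign ACL argument
    return "OK" if table.check(fields[0], now) else "ERR"

def drain_fifo(table, fd, now):
    # Register every IP login.cgi has written to the FIFO since the last call.
    try:
        data = os.read(fd, 4096)          # non-blocking FIFO: never stalls squid
    except BlockingIOError:
        return
    for ip in data.decode(errors="replace").split():
        table.login(ip, now)

def main():
    table = IpSessionTable()
    fd = os.open(FIFO_PATH, os.O_RDONLY | os.O_NONBLOCK)
    for line in sys.stdin:                # squid blocks until it reads each reply
        drain_fifo(table, fd, time.time())
        print(handle_request(table, line, time.time()), flush=True)

if __name__ == "__main__":
    main()
```

Because the table is keyed by client IP, every host behind the same NAT address shares one session, which is exactly the "pop before smtp" limitation noted above.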

Received on Mon Dec 03 2007 - 09:33:41 MST

This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST