Re: [squid-users] external acl code examples

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 29 Feb 2012 12:35:50 +1300

On 29.02.2012 02:50, E.S. Rosenberg wrote:
> 2012/2/28 Amos Jeffries <squid3_at_treenet.co.nz>:
>> On 28/02/2012 9:07 p.m., Erwann Pencreach wrote:
>>>
>>> Hi all,
>>>
>>> here is what I've done in squid.conf :
>>>
>>> external_acl_type loggeduser children=15 %DST %SRC
>>> /etc/squid3/squid.d/loggeduser_acl.sh
>>> acl isok external loggeduser
>>> http_access allow isok
>>>
>>
>> If you add an ID you can use concurrency to reduce process
>> overheads.
>>
>>> and here isloggeduser_acl.sh script :
>>>
>>>
>>> while read dst srchost;
>>
>>
>> while read id dst srchost;
>>>
>>> do
>>>   date=$(date +"%d/%m/%Y %H:%M:%S")
>>>   authuser=$(command to get logged user on client host)
>>>   if [ ! $(echo $authuser | wc -w) -eq 1 ]
>>>     then
>>>       echo "[KO] number of connected user differs from 1 $srchost
>>> $dst" >>
>>> /var/log/squid3/extacl.log
>>>
>>>       echo "ERR"
>>
>> echo "${id} ERR"
>>
>>>     else
>>>       isok=$(the I check my access right)
>>>       if [ $isok ]
>>>         then
>>>           echo "[OK]$date $authuser($accountstatus) $srchost
>>> $dst">>
>>> /var/log/squid3/headers.log
>>>           echo "OK user=$authuser"
>>
>>
>> echo "${id} OK user=${authuser}"
>>>
>>>         else
>>>           echo "[KO]$date $authuser($accountstatus) $srchost
>>>  $dst">>
>>> /var/log/squid3/headers.log
>>>           echo "ERR user=$authuser"
>>
>> echo "${id} ERR user=${authuser}"
>>
>> # NOTE: do you actually have authuser at this point?
>>
>>>         fi
>>>     fi
>>> done
>>> exit 1
>>>
>>>
>>
>> The question that comes to my mind here is what backend you are
>> intending to
>> use this with? what authentication database/system needs you to
>> write a
>> whole new helper?
>>
>>
>> Amos
>
> I don't know about Erwann, but I am creating this to connect between
> squid and cisco wlc, basically a script will update a MySQL db with
> the user currently associated with an IP and then squid will get the
> username based on the IP...
> Since the user already authenticated against the WLC (which in turn
> uses radius/ldap) I don't want to present them with another password
> dialog so when the radius server logs a successful authentication for
> IP X by user Y the db gets updated with those details...
>
> Thanks for the example...
> Eli

Hmm. Thanks for the push. I have a new session helper which can become
FOSS I suppose. It works with many DB types and takes arbitrary user
Identifier tokens. Similar to the session helper, but uses SQL database
types shared with external management systems.

Will get that to squid-dev shortly, and try to remember to cc' you on
the details.

Amos
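A helper that speaks the concurrency (channel-id) protocol Amos describes above, written as an added example in Python rather than the shell script from the thread; it is not code from the thread or from the Squid project. The squid.conf lines, the IP-to-user table and the user names are assumptions, the table standing in for the MySQL lookup Eli describes.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper using the concurrency channel-id protocol.

Assumed squid.conf (modelled on the thread):
  external_acl_type loggeduser children=2 concurrency=20 %DST %SRC \
      /etc/squid3/squid.d/loggeduser_acl.py
  acl isok external loggeduser
  http_access allow isok

With concurrency=N Squid prefixes every request line with a channel id,
and the helper must echo that id back on the matching reply line.
"""
import sys

# Constructed stand-in for the IP -> user table the thread describes
# (a DB fed from RADIUS accounting). Several names on one IP models the
# "number of connected users differs from 1" case the posted script rejects.
SESSIONS = {
    "10.0.0.5": ["alice"],
    "10.0.0.6": ["bob", "carol"],   # ambiguous: two users behind one IP
}

def lookup_user(src):
    """Return the single user bound to src, or None if zero or several."""
    users = SESSIONS.get(src, [])
    return users[0] if len(users) == 1 else None

def handle_request(line):
    """Turn one request line 'id dst src' into one reply line."""
    fields = line.strip().split()
    if len(fields) < 3:
        # Malformed request: still answer on the channel if an id is present,
        # otherwise Squid would wait on that channel forever.
        return (fields[0] + " ERR") if fields else "ERR"
    chan, _dst, src = fields[0], fields[1], fields[2]
    user = lookup_user(src)
    if user is None:
        return f"{chan} ERR"
    # The user= tag is what Squid logs as the request's user name.
    return f"{chan} OK user={user}"

def serve(inp=sys.stdin, out=sys.stdout):
    """Main loop: one reply per request, flushed at once so Squid never
    waits on buffered output."""
    for line in inp:
        out.write(handle_request(line) + "\n")
        out.flush()

if __name__ == "__main__":
    serve()
```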
Received on Tue Feb 28 2012 - 23:35:56 MST