Re: [squid-users] Need help for ACL: Authentication web Form + Cookies

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 14 Apr 2012 19:11:30 +1200

On 14/04/2012 6:08 a.m., David Touzeau wrote:
> Dear all
>
> I would like to use 2 external helpers in order to use a web
> authentication form
>
> The deal is to use combination of ext_session_acl and my own external
> helper
> But i did not know how to create the ACLs
>
> I have done 50%
> ---------------------------------------
> external_acl_type checkauth concurrency=100 ttl=3 %SRC %URI %>{Host} %>{Cookie} /usr/bin/squid-helper.php

Note that Cookie: headers can get very large. Squid permits up to 64KB
before stripping them, which has been spotted happening.

> external_acl_type AuthenticatedSessions ttl=60 concurrency=100 %SRC /usr/local/sbin/squid/ext_session_acl -t 48000 -b /var/lib/squid/session-web-form.db
> acl AuthenticatedHelper external checkauth
> acl Authenticated_users external AuthenticatedSessions
> deny_info http://10.10.10.10/login.php AuthenticatedHelper
> http_access deny !AuthenticatedHelper
>
> In this model the squid-helper.php checks the cookie sent by the
> http://10.10.10.10/login.php page.
> If the cookie exists then squid-helper.php answers OK.
> If the request is http://10.10.10.10/login.php the squid-helper.php
> answers OK in order to allow the authentication web page.
> If the cookie does not exist then squid-helper.php answers ERR and the
> login.php page is in charge of authenticating the user and creating the
> new cookie.
>
> The problem with this is when the user tries to connect to another
> website, the cookie does not exist.
> The squid-helper.php answers ERR and requests are returned back to the
> login page.
>
> To make this 100% done I need to force squid to identify the user
> after a squid-helper.php positive answer.
> I'm thinking about using the session helper (the "AuthenticatedSessions" acl).
> If the request passes the AuthenticatedHelper acl and the request is not
> in the Authenticated_users acl then a session is created and squid
> processes the request.
> If the request passes AuthenticatedHelper and passes Authenticated_users
> then squid processes the request.
>
> Is there a more proper/simple way?

There is no proper way. HTTP is stateless messaging. A session is a stateful
transaction stream.

By all means use your helper to collect some data, but store it in a
database accessible to Squid, not a Cookie.
The session helper in active mode maintains one such local database.

> How to merge the 2 helpers in order to make it work ?

Have your login script create an entry in
/var/lib/squid/session-web-form.db. You may need to update to a session
helper which supports the 4.x+ Berkeley database format for multiple access.

NP: I'm also going to post a different session helper soon to squid-dev
which can use other database types, and supply credentials for Squid
logging.

Amos
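As an added example, not code from this thread or from the Squid project, here is the shape of helper Amos's reply points at: the cookie carries only an opaque lookup token, while the user and session state live in a database that both login.php and the helper can read, so the helper never trusts anything the client put in the cookie. It speaks the concurrent external_acl_type protocol for the field order in David's `checkauth` line (channel id, then %SRC %URI %>{Host} %>{Cookie}), answers `OK` for the login page itself, `OK user=...` when the token maps to a live session, and `ERR` otherwise. Assumptions: request fields arrive URL-encoded (the `quote=url` format of newer Squid; older versions quote fields differently, so `parse_request` would need adjusting), the cookie is named `PROXYSESS`, and an SQLite file at `/var/lib/squid/web-form-sessions.sqlite` stands in for the Berkeley DB file that ext_session_acl uses; `create_session` is what login.php would call after a successful login.

```python
import sqlite3
import sys
import time
from http.cookies import CookieError, SimpleCookie
from urllib.parse import unquote

# Values taken from the thread: the login page URL and the 48000-second
# session lifetime given to ext_session_acl (-t 48000).
LOGIN_URL = "http://10.10.10.10/login.php"
SESSION_TTL = 48000
# Assumed: the name of the cookie set by login.php. It carries only a random
# lookup token; the user identity lives in the shared database, never in the cookie.
COOKIE_NAME = "PROXYSESS"
# Assumed path of the SQLite file shared between login.php and this helper.
DB_PATH = "/var/lib/squid/web-form-sessions.sqlite"


def open_store(path=":memory:"):
    """Open (and create if needed) the session table shared with login.php."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS sessions "
        "(token TEXT PRIMARY KEY, user TEXT NOT NULL, expires REAL NOT NULL)"
    )
    return db


def create_session(db, token, user, now=None):
    """What login.php would do after a successful login: record token -> user."""
    now = time.time() if now is None else now
    db.execute(
        "INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
        (token, user, now + SESSION_TTL),
    )
    db.commit()


def session_user(db, token, now=None):
    """Return the user bound to an unexpired token, or None."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT user FROM sessions WHERE token = ? AND expires > ?", (token, now)
    ).fetchone()
    return row[0] if row else None


def parse_request(line):
    """Split one request line: channel id, then URL-encoded fields.

    Field order follows the thread's external_acl_type line:
    %SRC %URI %>{Host} %>{Cookie}. Squid sends '-' for a missing header.
    """
    parts = line.rstrip("\r\n").split(" ")
    channel = parts[0]
    fields = [unquote(p) for p in parts[1:]]
    fields += [""] * (4 - len(fields))
    src, url, host, cookie_hdr = fields[:4]
    if cookie_hdr == "-":
        cookie_hdr = ""
    return channel, src, url, host, cookie_hdr


def cookie_token(cookie_hdr):
    """Extract the session token from a Cookie: header value, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_hdr)
    except CookieError:
        return None
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def decide(db, line, now=None):
    """Produce the helper's reply line for one request line."""
    channel, _src, url, _host, cookie_hdr = parse_request(line)
    # The login page itself must always pass, otherwise nobody can log in.
    if url == LOGIN_URL or url.startswith(LOGIN_URL + "?"):
        return f"{channel} OK"
    token = cookie_token(cookie_hdr)
    user = session_user(db, token, now) if token else None
    if user is None:
        return f"{channel} ERR"
    # user= hands the identity found in the database to Squid for logging.
    return f"{channel} OK user={user}"


def main():
    """Helper loop: one request per line on stdin, one reply per line on stdout."""
    db = open_store(DB_PATH)
    for line in sys.stdin:
        sys.stdout.write(decide(db, line) + "\n")
        sys.stdout.flush()  # Squid waits for this reply; never leave it buffered


if __name__ == "__main__":
    main()
```

With concurrency=100 Squid can send many request lines before the first reply comes back, which is why every reply echoes the channel id and why the flush after each line matters. The expiry check in `session_user` is what makes a stolen or replayed cookie stop working once the server-side record lapses, independent of anything the browser keeps.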
Received on Sat Apr 14 2012 - 07:11:36 MDT