[prev in list] [next in list] [prev in thread] [next in thread] 

List:       squid-dev
Subject:    Forward Authenticated User
From:       Robert Marcano <robert () marcanoonline ! com>
Date:       2010-04-29 20:11:20
Message-ID: 4BD9EAB8.8010603 () marcanoonline ! com
[Download RAW message or body]

I am attaching a patch for 3.0.x versions (I will forward port if there 
is interest and change recommendations). This patch adds a new option to 
Squid that allows it to forward the current authenticated user to the 
next proxy (or the HTTP server if that is what is wanted) via an HTTP 
header.

The need for this option is originated by the usage of Kerberos 
authentication on our installations and the usage of an external content 
filter proxy (Dansguardian). By nature the Kerberos authentication 
header sent by the browser to proxy is heavily encrypted and is designed 
to be data to only be understood by the browser and the Squid proxy that 
is doing the authentication. Basic installations of Dansguardian (oand 
my other non ICAP content filters) is to chain Dansguardian before 
Squid. The problem with this setup is that Dansguardian needs to know 
the user before the request is sent to Squid to do checks before the 
request is sent to Squid (for example, denying it filtering by URL). 
Dansguardian is able to works in this configuration for other auth 
methods like basic, and NTLM, because it is able to extract the user 
from the respective auth headers, something it can not do from the 
Kerberos encrypted header.

The solution to this problem is to switch the positions of Squid and 
Dansguardian in the chain, forward from Squid the authenticated user to 
Dansguardian (disabling caching on Squid in order to not cache 
Dansguardian generated responses). If caching is needed a second Squid 
could be added after Dansguardian

Browser -> Squid (no caching) -> Dansguardian -> Squid (optional) -> 
Internet

Dansguardian is patched too in order to add an authentication plugin 
able to understand the forwarded authenticated user. Currently my 
Dansguardian patch is not able to remove the header from the request, 
something that must be done for privacy reasons when not using the 
second optional Squid (if authenticated user forwarding is not enabled 
on it the header is removed)

I think ICAP could be the ideal solution for this problem, when Squid is 
able to call ICAP services at postcache stages.

TODO: the user is forwarded, Dansguardian uses it, but the other Squids 
on the chain are not able to use acls using that user, for them the 
request is unauthenticated, it is interesting to add the capability to 
use that user on that other Squid instances for example to be able to 
use different tcp_outgoing_address using auth based acls

This solution has been working for near month on a production site with 
more than 100 simultaneous users without problems to the present day

Note: thanks to rousskov ant squiddev IRC channel for the help and 
recommendations

["squid-3.0.STABLE24-forward-auth.patch" (text/plain)]

diff -Naur squid-3.0.STABLE24.original/src/cf.data.pre squid-3.0.STABLE24/src/cf.data.pre
--- squid-3.0.STABLE24.original/src/cf.data.pre	2010-02-12 09:23:17.000000000 -0430
+++ squid-3.0.STABLE24/src/cf.data.pre	2010-03-17 09:09:05.345201659 -0430
@@ -62,6 +62,17 @@
   configuration files.
 COMMENT_END
 
+NAME: forward_authenticated_user
+COMMENT: on|off
+TYPE: onoff
+DEFAULT: off
+LOC: opt_forward_authenticated_user
+DOC_START
+	If set, Squid will include the authenticated user on every HTTP request
+	on the header X-Authenticated-User
+DOC_END
+
+
 COMMENT_START
  OPTIONS FOR AUTHENTICATION
  -----------------------------------------------------------------------------
diff -Naur squid-3.0.STABLE24.original/src/globals.h squid-3.0.STABLE24/src/globals.h
--- squid-3.0.STABLE24.original/src/globals.h	2010-02-12 09:23:18.000000000 -0430
+++ squid-3.0.STABLE24/src/globals.h	2010-03-17 09:11:07.784077767 -0430
@@ -87,6 +87,7 @@
     extern int opt_dns_tests;	/* 1 */
     extern int opt_foreground_rebuild;	/* 0 */
     extern int opt_forwarded_for;	/* 1 */
+    extern int opt_forward_authenticated_user;    /* 0 */
     extern int opt_reload_hit_only;	/* 0 */
 #if HAVE_SYSLOG
 
diff -Naur squid-3.0.STABLE24.original/src/http.cc squid-3.0.STABLE24/src/http.cc
--- squid-3.0.STABLE24.original/src/http.cc	2010-02-12 09:23:18.000000000 -0430
+++ squid-3.0.STABLE24/src/http.cc	2010-03-17 09:46:30.523077910 -0430
@@ -1416,6 +1416,16 @@
 
     strFwd.clean();
 
+    /* append X-Authenticated-User if allowed to forward and not already added */
+    if (opt_forward_authenticated_user && !hdr_out->has(HDR_X_AUTHENTICATED_USER)
+        && orig_request->auth_user_request != NULL) {
+        hdr_out->putStr(HDR_X_AUTHENTICATED_USER, orig_request->auth_user_request->username());
+    }
+    /* remove X-Authenticated-User if not allowed to forward */
+    if (!opt_forward_authenticated_user && hdr_out->has(HDR_X_AUTHENTICATED_USER)) {
+        hdr_out->delById(HDR_X_AUTHENTICATED_USER);
+    }
+
     /* append Host if not there already */
     if (!hdr_out->has(HDR_HOST)) {
         if (orig_request->peer_domain) {
diff -Naur squid-3.0.STABLE24.original/src/HttpHeader.cc squid-3.0.STABLE24/src/HttpHeader.cc
--- squid-3.0.STABLE24.original/src/HttpHeader.cc	2010-02-12 09:23:15.000000000 -0430
+++ squid-3.0.STABLE24/src/HttpHeader.cc	2010-03-16 10:51:46.404156357 -0430
@@ -138,6 +138,7 @@
         {"X-Forwarded-For", HDR_X_FORWARDED_FOR, ftStr},
         {"X-Request-URI", HDR_X_REQUEST_URI, ftStr},
         {"X-Squid-Error", HDR_X_SQUID_ERROR, ftStr},
+        {"X-Authenticated-User", HDR_X_AUTHENTICATED_USER, ftStr},
         {"Negotiate", HDR_NEGOTIATE, ftStr},
 #if X_ACCELERATOR_VARY
         {"X-Accelerator-Vary", HDR_X_ACCELERATOR_VARY, ftStr},
diff -Naur squid-3.0.STABLE24.original/src/HttpHeader.h squid-3.0.STABLE24/src/HttpHeader.h
--- squid-3.0.STABLE24.original/src/HttpHeader.h	2010-02-12 09:23:15.000000000 -0430
+++ squid-3.0.STABLE24/src/HttpHeader.h	2010-03-16 10:51:18.014156130 -0430
@@ -112,6 +112,7 @@
     HDR_X_FORWARDED_FOR,
     HDR_X_REQUEST_URI,		/* appended if ADD_X_REQUEST_URI is #defined */
     HDR_X_SQUID_ERROR,
+    HDR_X_AUTHENTICATED_USER,
     HDR_NEGOTIATE,
 #if X_ACCELERATOR_VARY
     HDR_X_ACCELERATOR_VARY,


[prev in list] [next in list] [prev in thread] [next in thread]