
List:       squid-users
Subject:    Re: [squid-users] Alternative to standard Squid authentication schemas
From:       Alberto Avi <alberto.avi () gmail ! com>
Date:       2006-05-29 19:19:13
Message-ID: 447B4931.9050400 () gmail ! com

Hi Chris,

    thank you very much for your suggestions.
I tried them, but for my proxy solution it is very important to have a user 
session and not an IP session.
In fact I use a content filtering solution which works with user group policy.
For this reason I tried an external_acl_type with ttl=0 to force the 
helper to receive every session authentication for the client requests:

external_acl_type user-check ttl=0 %SRC /path/to/custom-helper
acl loggedIn external user-check

http_access deny !loggedIn
http_access allow siteIPs
http_access deny all

deny_info http://authentication.my.domain/authenticate.php loggedIn

and this is the source of custom-helper:

#!/bin/bash
log="/usr/local/prod/squid-2.5.STABLE14/var/logs/squid-auth.log"

# Squid hands the helper one request line per lookup; log it verbatim,
# then answer every request with the same fixed user (unconditional OK).
while IFS= read -r line
do
        echo "$line" >> "$log"
        echo OK user=foouser
done

I don't understand why in the access.log some requests came without ident 
( - ):

1148930239.227    123 10.182.35.253 TCP_MISS/302 475 GET http://www.google.com/ foouser DIRECT/66.249.85.99 text/html
1148930239.624    397 10.182.35.253 TCP_MISS/200 4339 GET http://www.google.it/ foouser DIRECT/66.249.85.104 text/html
1148930242.887    134 10.182.35.253 TCP_MISS/200 4339 GET http://www.google.it/ - DIRECT/66.249.85.99 text/html
1148930242.936     66 10.182.35.253 TCP_MISS/304 193 GET http://www.google.it/intl/it_it/images/logo.gif - DIRECT/66.249.85.104 text/html

Alberto.


Chris Robertson wrote:
> alberto.avi@gmail.com wrote:
>
>> Hello,
>>
>>    Is there a way to authenticate Squid users through an SSL form?
>>
>> I can't use the basic authentication schema for security reasons.
>> I can't use the NTLM authentication schema because my Windows Domains 
>> aren't trusted together.
>> I'd like to use the digest authentication schema but the users' passwords 
>> on my LDAP are encrypted so it isn't easy to implement.
>>
>> Thank you very much for your attention and for your time,
>>
>> Alberto.
>
> The short answer is that Squid, by itself, cannot perform this task.  
> However, the external_acl_type and deny_info directives along with a 
> webserver and back end LDAP query should allow you to perform this 
> task.  You will have to store (and look up) session information outside 
> squid, and this will preclude seeing user names in the access.log.
>
> Here's the basic idea:  You have an external ACL helper that takes the 
> client IP and performs a lookup.  If a valid session is found, access 
> is allowed.  If not, access is denied and the deny_info directive 
> refers the browser to a login page (hosted on a webserver) that 
> creates the session data (which can be routinely cleared text files, 
> or a database).  Here's a guideline of the squid.conf portion...
>
> external_acl_type user-check ttl=5 %SRC /path/to/helper
> acl loggedIn external user-check
>
> http_access deny !loggedIn
> http_access allow siteIPs
> http_access deny all
>
> deny_info http://authentication.my.domain/authenticate.php loggedIn
>
> Creating the helper, authentication page and back end are left as 
> exercises for the reader.
>
> Chris
>
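A helper that performs the IP-keyed session lookup Chris describes and speaks the same one-line-in, one-line-out protocol as Alberto's helper, as an added example (not code from either poster): the session file path and its `<ip> <user> <expiry-epoch>` line format are assumptions, and the sample store is constructed.

```python
#!/usr/bin/env python3
"""Squid external_acl_type session helper (constructed example, not the thread's).
Squid sends one line per lookup with the configured tokens, here %SRC (the
client IP, possibly URL-encoded), and expects one reply line: "OK user=<name>"
or "ERR".  Store format is an assumption: one "<ip> <user> <expiry-epoch>" line
per login, written by the login page that deny_info redirects to."""
import sys
import time
from urllib.parse import unquote

SESSION_FILE = "/var/lib/squid-auth/sessions"  # assumed path
# Constructed store for demo(): one live session, one expired, one bad line.
SAMPLE_STORE = """\
10.182.35.253 foouser 1148933839
10.182.35.254 olduser 1148930000
garbage line
"""

def load_sessions(text):
    """Parse the store; malformed lines are skipped, never trusted."""
    sessions = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 3 and parts[2].isdigit():
            sessions[parts[0]] = (parts[1], int(parts[2]))
    return sessions

def respond(request_line, sessions, now=None):
    """Turn one Squid request line into exactly one reply line."""
    now = time.time() if now is None else now
    client_ip = unquote(request_line.strip().split(" ", 1)[0])  # first token is %SRC
    entry = sessions.get(client_ip)
    if entry is None or entry[1] <= now:
        return "ERR"  # no session, or an expired one: deny_info sends the browser to login
    return "OK user=" + entry[0]

def demo(now=1148930239):
    """Run three constructed lookups against SAMPLE_STORE at a fixed time."""
    sessions = load_sessions(SAMPLE_STORE)
    return [respond(ip, sessions, now) for ip in ("10.182.35.253", "10.182.35.254", "10.0.0.9")]

def main():
    for line in sys.stdin:  # one lookup per line until Squid closes the pipe
        with open(SESSION_FILE) as f:  # re-read so fresh logins are seen at once
            sessions = load_sessions(f.read())
        sys.stdout.write(respond(line, sessions) + "\n")
        sys.stdout.flush()  # Squid blocks until the reply line arrives

if __name__ == "__main__":
    main()
```

With ttl=0 every request reaches the helper, so the store re-read per lookup is the price of a session that a user can end (or lose to expiry) immediately.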
