Re: [squid-users] Problem with proxy auth PXY2

From: Henrik Nordstrom <[email protected]>
Date: Thu, 27 Feb 2003 19:35:43 +0100

Header in %{Header} needs to be the name of the HTTP header you want
to have sent to the helper. In this case Proxy-Authorization, i.e.
%{Proxy-Authorization}

But as I said in my previous resonse sent about 1 week ago to you this
is not really needed. The auth logics of Squid as is is sufficient
for identifying users who have not yet logged in to their browsers.

What you absolutely need is the ability to have deny_info redirect to
another URL. This is provided in the Squid-3 development versions but
is also available as a patch to Squid-2.5 from
http://devel.squid-cache.org/

The trick is to make sure all requests without correct user
credentials are redirected to the policy page, except for the request
where the user confirms the policy where the normal authentication
required response is instead allowed to be returned, and when the
user has logged in he is redirected back to the URL he originally
requested. The credentials cache in the browser then takes care to
maintain the user session for us and makes sure the user successful
user credentials are attached to each following message, ensuring
that authentication will be successful and deny_info won't trigger
again..

You cannot do this with redirectors in the manner described. You MUST
use the new deny_info capability to redirect the user instead of
sending access denied (including authentication required). And it can
only be made to work with plain old Basic HTTP authentication.

To do a scheme like this in a fully proper manner Squid needs to be
extended with some kind of session concept, keyed by either username
or client IP address. To do so will involve a bit of C coding inside
Squid.

Regards
Henrik

On Thursday 27 February 2003 18.39, David O'Sullivan wrote:
> Thanks for your input Henrik, much appreciated.
>
> Could you give me some more info on external acl types.
>
> You wrote previously :-
> "external_acl_type can be used to filter out requests without proxy
> authentication, or a extension acl can be written within Squid to
> do the same. deny_info url capability of Squid-3 (also available as
> a patch to Squid-2.5) can then be used to redirect the request to
> the policy page.
>
> The same scheme can also be used to IP based session timers, having
> an external_acl_type acting as a filter on which requests may need
> to be sent to the policy page, and the cookie as the definite
> filter on which users have accepted the policy or not."
>
> Can you give me some more pointers, does the definition of the
> external acl type, (which from the conf file) seems to imply that
> the HTTP Header {%Header} can be passed to the external helper,
> would this contain an empty userid/password pair (with NONE in)
> which the external program/script could detect and pass ERR back. I
> have written a tiny script which just outputs the received
> parameters, unfortunately the script receives nothing.
>
> I am new to all of this could you supply an example definition.
>
> What I currently have is:-
>
> external_acl_type authfilter %{Header} /usr/local/squid/etc/filter
> acl filter external authfilter %{Header}
> http_access deny filter
> deny_info ERR_POLICY_PAGE filter
>
> Does Header not get instantiated by squid, what does , how do I
> pass it out. I am using a script because I don't know C (do I need
> C?)
>
> Your help would again be greatfully received.
>
> Cheers Dave O
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: 27 February 2003 14:08
> To: David O'Sullivan
> Cc: 'squid-users@squid-cache.org'
> Subject: Re: [squid-users] Problem with proxy auth PXY2
>
> tor 2003-02-27 klockan 11.16 skrev David O'Sullivan:
> > THE PROBLEM
> > With the 2.5STABLE1 the redirector is not called at all and the
> > following message appears in the cache.log
> >
> > 2003/02/27 09:30:54| authenticateAuthenticate: no connection
> > data, cannot proces authentication
>
> See the Squid-2.5.STABLE1 release notes.
>
> See also http://www.squid-cache.org/Versions/v2/2.5/bugs/
>
> Regards
> Henrik
Received on Thu Feb 27 2003 - 11:34:26 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:45 MST