Re: [squid-users] Alternative to standard Squid authentication schemas

From: Chris Robertson <[email protected]>
Date: Fri, 26 May 2006 10:42:31 -0800

alberto.avi@gmail.com wrote:

> Hello,
>
> there is a way to authenticate Squid users through an SSL form ?
>
> I can't use basic auhtentication schema for security reasons.
> I can't use NTLM authentication schema because my Windows Domains
> aren't trusted togheter.
> I'd like to use digest authentication schema but the users's password
> on my LDAP are encrypted so isn't easy to implement it.
>
> Thank you very much for your attention and for your time,
>
> Alberto.

The short answer is that Squid, by itself can not perform this task.
However, the external_acl_type and deny_info directives along with a
webserver, and back end LDAP query should allow you to perform this
task. You will have to store (and lookup) session information outside
squid, and this will preclude seeing user names in the access.log.

Here's the basic idea: You have a eternal ACL helper that takes the
client IP and performs a lookup. If a valid session is found, access is
allowed. If not, access is denied and the deny_info directive refers
the browser to a login page (hosted on a webserver) that creates the
session data (which can be routinely cleared text files, or a
database). Here's a guideline of the squid.conf portion...

external_acl_type user-check ttl=5 %SRC /path/to/helper
acl loggedIn external user-check

http_access deny !loggedIn
http_access allow siteIPs
http_access deny all

deny_info http://authentication.my.domain/authenticate.php loggedIn

Creating the helper, authentication page and back end are left as
exercises for the reader.

Chris
Received on Fri May 26 2006 - 12:42:42 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Jun 01 2006 - 12:00:02 MDT