Re: [squid-users] Alternative to standard Squid authentication schemas

From: Alberto Avi <[email protected]>
Date: Mon, 29 May 2006 21:19:13 +0200

Hi Chris,

    thank you very much for your suggestions.
I tried them but for my proxy solution is very important have got a user
session and not a ip session.
In fact I use a content filtery solution which work with user group policy.
For this reason i tried an external_acl_type with ttl=0 to force the
helper to receive every session authentication for the client requests:

external_acl_type user-check ttl=0 %SRC /path/to/custom-helper
acl loggedIn external user-check

http_access deny !loggedIn
http_access allow siteIPs
http_access deny all

deny_info http://authentication.my.domain/authenticate.php loggedIn

and this this the source of custom-helper:

#!/bin/bash
log="/usr/local/prod/squid-2.5.STABLE14/var/logs/squid-auth.log"

while read line
do
        echo $line >> $log
        echo OK user=foouser
done

i don't understand why in the access.log some request came without ident
( - ):

1148930239.227 123 10.182.35.253 TCP_MISS/302 475 GET
http://www.google.com/ foouser DIRECT/66.249.85.99 text/html
1148930239.624 397 10.182.35.253 TCP_MISS/200 4339 GET
http://www.google.it/ foouser DIRECT/66.249.85.104 text/html
1148930242.887 134 10.182.35.253 TCP_MISS/200 4339 GET
http://www.google.it/ - DIRECT/66.249.85.99 text/html
1148930242.936 66 10.182.35.253 TCP_MISS/304 193 GET
http://www.google.it/intl/it_it/images/logo.gif - DIRECT/66.249.85.104
text/html

Alberto.

Chris Robertson wrote:
> alberto.avi@gmail.com wrote:
>
>> Hello,
>>
>> there is a way to authenticate Squid users through an SSL form ?
>>
>> I can't use basic auhtentication schema for security reasons.
>> I can't use NTLM authentication schema because my Windows Domains
>> aren't trusted togheter.
>> I'd like to use digest authentication schema but the users's password
>> on my LDAP are encrypted so isn't easy to implement it.
>>
>> Thank you very much for your attention and for your time,
>>
>> Alberto.
>
> The short answer is that Squid, by itself can not perform this task.
> However, the external_acl_type and deny_info directives along with a
> webserver, and back end LDAP query should allow you to perform this
> task. You will have to store (and lookup) session information outside
> squid, and this will preclude seeing user names in the access.log.
>
> Here's the basic idea: You have a eternal ACL helper that takes the
> client IP and performs a lookup. If a valid session is found, access
> is allowed. If not, access is denied and the deny_info directive
> refers the browser to a login page (hosted on a webserver) that
> creates the session data (which can be routinely cleared text files,
> or a database). Here's a guideline of the squid.conf portion...
>
> external_acl_type user-check ttl=5 %SRC /path/to/helper
> acl loggedIn external user-check
>
> http_access deny !loggedIn
> http_access allow siteIPs
> http_access deny all
>
> deny_info http://authentication.my.domain/authenticate.php loggedIn
>
> Creating the helper, authentication page and back end are left as
> exercises for the reader.
>
> Chris
>
Received on Mon May 29 2006 - 13:19:21 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Jun 01 2006 - 12:00:02 MDT