Re: [squid-users] Need help for ACL: Authentication web Form + Cookies

From: David Touzeau <david_at_touzeau.eu>
Date: Sat, 14 Apr 2012 09:27:15 +0200

Thanks Amos

That should be very cool ! especially MySQL

Le 14/04/2012 09:11, Amos Jeffries a �crit :
> On 14/04/2012 6:08 a.m., David Touzeau wrote:
>> Dear all
>>
>> I would like to use 2 external helpers in order to use a web
>> authentication form
>>
>> The deal is to use combination of ext_session_acl and my own
>> external helper
>> But i did not know how to create the ACLs
>>
>> I have done 50%
>> ---------------------------------------
>> external_acl_type checkauth concurrency=100 ttl=3 %SRC %URI %>{Host}
>> %>{Cookie} /usr/bin/squid-helper.php
>
> Note that Cookie: headers can get very large. Squid permits up to 64KB
> before stripping them, which has been spotted happening.
>
>
>> external_acl_type AuthenticatedSessions ttl=60 concurrency=100 %SRC
>> /usr/local/sbin/squid/ext_session_acl -t 48000 -b
>> /var/lib/squid/session-web-form.db
>> acl AuthenticatedHelper external checkauth
>> acl Authenticated_users external AuthenticatedSessions
>> deny_info http://10.10.10.10/login.php checkauth
>> http_access deny !AuthenticatedHelper
>>
>> In this model the squid-helper.php checks the cookie sended by the
>> http://10.10.10.10/login.php page.
>> If cookie exists then squid-helper.php answer OK
>> if the request is http://10.10.10.10/login.php the squid-helper.php
>> answer OK in order to allow the authentication web page.
>> if cookie does not exists then squid-helper.php answer ERR and the
>> login.php page is in charge to authenticate the user and create the
>> new cookie
>>
>> The problem with this is when the user try to connect to an other
>> website, the cookie does not exists.
>> The squid-helper.php answer ERR and requests are returned back to the
>> login page.
>>
>> To make this done to 100% i need to force squid to identifiy the user
>> after a squid-helper.php positive answer.
>> I thinking about using the session helper ( "AuthenticatedSessions"
>> acl )
>> If the request pass AuthenticatedHelper acl and if the request is
>> not in the Authenticated_users acl then a session is created and
>> squid process the request.
>> if the request pass AuthenticatedHelper and pass Authenticated_users
>> then squid process the request.
>>
>> Is there a more/proper /simple way ?
>
> There is no proper way. HTTP is stateless messaging. Session is
> stateful transaction stream.
>
> By all means use your helper to collect some data, but store it in a
> database accessible to Squid, not a Cookie.
> The session helper in active mode maintains one such local database.
>
>
>> How to merge the 2 helpers in order to make it work ?
>
> Have your login script create an entry in
> /var/lib/squid/session-web-form.db. You may need to update to a
> session helper which supports the 4.x+ Berkley database format for
> multiple access.
>
> NP: I'm also going to post a different session helper soon to
> squid-dev which can use other database types, and supply credentials
> for Squid logging.
>
> Amos
>
Received on Sat Apr 14 2012 - 07:27:23 MDT

This archive was generated by hypermail 2.2.0 : Sat Apr 14 2012 - 12:00:03 MDT