AW: [squid-users] Problem with authentication needed for squidguard and squid 3.2.1

From: Stolle, Martin <Martin.Stolle_at_ekom21.de>
Date: Mon, 3 Sep 2012 13:28:53 +0200

I got the idea to modify my squid-guard wrapper in that way that it returns a OK and the username logged in as OK log=username, this means, that I have to change the logic, so that squidGuard is used from a main wrapper process, which knows the name of the user, so that it can return it. In that case I could use the "ea" tag in the access log format to write the user logged in to the access log.

This way isn't very elegant, but it should work.

Squid passes login to --> Wrapper --> asks squidGuard --> if return line of squidGuard is empty, return OK + "log:username" else return ERR

Ok,
I'll try to write that small wrapper, but it would be nice, if there would be an easier way to do so.

Greetings,

Martin
-----Urspr�ngliche Nachricht-----
Von: Stolle, Martin
Gesendet: Montag, 3. September 2012 12:57
An: squid-users_at_squid-cache.org
Betreff: WG: [squid-users] Problem with authentication needed for squidguard and squid 3.2.1

Hello Amos,

thanks for your help, with your help i could solve the problem with the authentication and squidguard.

For everyone else:

I had to write a simple wrapper from external_acl to rewrite, because squidguard uses the rewrite interface (URL return instead of OK/ERR return):

(/usr/local/sbin/sqguard-wrapper)

#!/bin/bash
while read LINE ; do
  echo "$LINE"
done | gawk '{
   printf("%s %s/none %s - %s\n",$1,$2,$3,$4);
   fflush(STDOUT)
}' | /usr/sbin/squidGuard | gawk '{
  if($0 != "") printf("ERR\n",$0)
  else printf("OK\n",$0);
  fflush(STDOUT);
}';

Excerpt of squid.conf:

...
auth_param basic program /usr/sbin/basic_ncsa_auth /etc/squid/passwd auth_param basic children 20 startup=1 idle=1 auth_param basic realm Proxy-Authentication auth_param basic credentialsttl 2 hours auth_param basic casesensitive off acl mylogin proxy_auth REQUIRED external_acl_type sqgrd children-max=30 children-startup=10 children-idle=5 concurrency=0 %URI %SRC %LOGIN %METHOD /usr/local/sbin/sqguard-wrapper acl sqguardok external sqgrd acl myloginserver url_regex ^http://myloginserver/gruen http_access allow myloginserver mylogin http_access deny myloginserver http_access deny !sqguardok http_access allow all

But I got still the other problem:

In the access.log the username from the user having authenticated isn't logged. Is there any trick to get the username of the person logged-in logged, even if squid believes, it could show the page without authentication?

Greetings in advance,

Martin

-----Urspr�ngliche Nachricht-----
Von: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Gesendet: Montag, 3. September 2012 10:14
An: squid-users_at_squid-cache.org
Betreff: Re: [squid-users] Problem with authentication needed for squidguard and squid 3.2.1

On 3/09/2012 7:01 p.m., Stolle, Martin wrote:
> Hello,
>
> I got a problem with the cooperation of squidguard 1.4 and squid 3.2.1
>
> My test scenario consists of
>
> Squidguard 1.4
> Squid 3.2.1
> Basic Authentication (in that case of test)
>
>
> I want to allow URLs not blocked by lists from squidguard to all users.
>
> If a website is blocked from a squidguard list and a user isn't authenticated, squidguard shall and will redirect the request to a blocking site, which links to a site, where somebody can authenticate itself.
>
> If someone is authenticated that way, he is associated with an user account and should have access to all web sites.
>
> Unfortunately, I got the problem, that, also a user is authenticated, squid transfers the user information only under the condition, that from the point of view of squid the authentication is necessary, to squidguard, also the user authenticated before. If Squid recognizes, that from the point of view of squid authentication is not necessary (i.e. there was e.g. a http_access allow all on the way), it does not transfer authentication information to the url rewriter, here squidguard, and does also not log that information.
> But squidguard needs that information in that case to allow the user access to that web site and don't redirect the request to the blocking site.
>
> Is there an option to transfer authentication information in any case - where it is available, i.e. the user has already authenticated - to the rewriter and also to log it?

URL rewriter interface is NOT the correct place to be performing authentication or authorization.

Use external_acl_type helper interface instead, design your input format % codes to match the fields squidguard needs. That interface will do proxy credentials location for %LOGIN, including authentication if required. Use deny_info to do the page redirection.

Amos
Received on Mon Sep 03 2012 - 11:29:02 MDT

This archive was generated by hypermail 2.2.0 : Tue Sep 04 2012 - 12:00:02 MDT