Hi Chris,
thank you very much for your suggestions.
I tried them, but for my proxy solution it is very important to have a user
session and not an IP session.
In fact I use a content filtering solution which works with user group policies.
For this reason I tried an external_acl_type with ttl=0 to force the
helper to receive every session authentication for the client requests:
external_acl_type user-check ttl=0 %SRC /path/to/custom-helper
acl loggedIn external user-check
http_access deny !loggedIn
http_access allow siteIPs
http_access deny all
deny_info http://authentication.my.domain/authenticate.php loggedIn
and this is the source of custom-helper:
#!/bin/bash
log="/usr/local/prod/squid-2.5.STABLE14/var/logs/squid-auth.log"
# Squid writes one request line (here the %SRC client IP) per lookup
# and waits for a one-line reply on stdout.
while read -r line
do
    # record every lookup the helper receives (quoted so the line is kept intact)
    echo "$line" >> "$log"
    # always accept, tagging the request with a fixed user name
    echo OK user=foouser
done
I don't understand why in the access.log some requests come without ident
( - ):
1148930239.227 123 10.182.35.253 TCP_MISS/302 475 GET http://www.google.com/ foouser DIRECT/66.249.85.99 text/html
1148930239.624 397 10.182.35.253 TCP_MISS/200 4339 GET http://www.google.it/ foouser DIRECT/66.249.85.104 text/html
1148930242.887 134 10.182.35.253 TCP_MISS/200 4339 GET http://www.google.it/ - DIRECT/66.249.85.99 text/html
1148930242.936 66 10.182.35.253 TCP_MISS/304 193 GET http://www.google.it/intl/it_it/images/logo.gif - DIRECT/66.249.85.104 text/html
Alberto.
Chris Robertson wrote:
alberto.avi@xxxxxxxxx wrote:
Hello,
Is there a way to authenticate Squid users through an SSL form?
I can't use the basic authentication scheme for security reasons.
I can't use the NTLM authentication scheme because my Windows Domains
aren't trusted together.
I'd like to use the digest authentication scheme, but the users' passwords
on my LDAP are encrypted, so it isn't easy to implement.
Thank you very much for your attention and for your time,
Alberto.
The short answer is that Squid, by itself, cannot perform this task.
However, the external_acl_type and deny_info directives, along with a
webserver and a back end LDAP query, should allow you to perform this
task. You will have to store (and look up) session information outside
Squid, and this will preclude seeing user names in the access.log.
Here's the basic idea: you have an external ACL helper that takes the
client IP and performs a lookup. If a valid session is found, access
is allowed. If not, access is denied and the deny_info directive
refers the browser to a login page (hosted on a webserver) that
creates the session data (which can be routinely cleared text files,
or a database). Here's a guideline of the squid.conf portion...
external_acl_type user-check ttl=5 %SRC /path/to/helper
acl loggedIn external user-check
http_access deny !loggedIn
http_access allow siteIPs
http_access deny all
deny_info http://authentication.my.domain/authenticate.php loggedIn
Creating the helper, authentication page and back end are left as
exercises for the reader.
Chris
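An added example (not the helper from this thread) of what the session-lookup helper in Chris's sketch could look like: it assumes the login page writes one file per client IP under SESSION_DIR holding the user name and an expiry time, answers each %SRC line from Squid with OK user=<name> or ERR, and is started as "/path/to/helper serve" on the external_acl_type line.

```shell
#!/bin/bash
# Session-lookup helper for the external_acl_type ... %SRC setup above.
# Session store (assumed layout, written by the login page after its LDAP
# check): one file per client IP under $SESSION_DIR containing
# "<username> <expiry-unix-time>".
SESSION_DIR="${SESSION_DIR:-/var/lib/squid-sessions}"   # assumed path
SESSION_TTL="${SESSION_TTL:-3600}"                       # login validity, seconds

# Called by the login page after a successful authentication.
create_session() {   # create_session <client-ip> <username>
    mkdir -p "$SESSION_DIR"
    printf '%s %s\n' "$2" "$(( $(date +%s) + SESSION_TTL ))" > "$SESSION_DIR/$1"
}

# Answer one lookup: prints "OK user=<name>" (the name then appears in
# access.log) or "ERR" (denied; deny_info redirects to the login page).
check_session() {    # check_session <client-ip>
    ip="$1"
    # Only a plain dotted key is used as a file name; anything else
    # (path separators, empty input) is refused rather than opened.
    case "$ip" in
        ''|*[!0-9.]*) echo ERR; return 1 ;;
    esac
    f="$SESSION_DIR/$ip"
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo ERR; return 1
    fi
    user=''; expiry=0
    read -r user expiry < "$f" || :
    case "$expiry" in ''|*[!0-9]*) expiry=0 ;; esac
    if [ -n "$user" ] && [ "$expiry" -gt "$(date +%s)" ]; then
        echo "OK user=$user"; return 0
    fi
    rm -f "$f"   # expired: drop it so the next request goes to the login page
    echo ERR; return 1
}

# Helper protocol loop: one %SRC line per request on stdin, one reply per line.
# Runs only when started as "helper serve", so the functions can also be sourced.
serve() {
    while read -r ip rest; do
        check_session "$ip"
    done
}
if [ "${1:-}" = serve ]; then serve; fi
```

With Chris's ttl=5 Squid caches each IP's answer for five seconds, so the helper is not consulted on every request; a ttl of 0 makes every request a lookup.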