Taylor Jones wrote:
Hello, I read the guidelines for this mailing list, and I really do hope I'm not asking a question you've all heard a million times. If I am, feel free to berate me, I probably deserve it. I am looking for a way to use a webpage with a GET/POST form to get the user's name and password for authentication instead of the pop-up that the user receives by default. I realize that this is just an aesthetic kind of thing, but I'm nothing if not obsessive, and I hate that I can't tell a user where he is and what he needs to do to gain access to our proxy server. Honestly, this shouldn't be that hard to implement, I just don't really know where I should start. Any help you guys could give me would be much appreciated!
Hello,

I have something similar working, through the use of a small helper written originally by Steffen Dettmer, and available here:

http://sws.dett.de/squid-IP_AUTH.shtml

That information is a bit old. Though it works and the best part is that the patch that he makes available is no longer required (I'm using 2.6.5 from Debian Etch). You only have to set up the helper program.
That said, I post here my relevant squid configuration lines.

# Define the helper program to use
external_acl_type externaluser ttl=0 children=1 %SRC /usr/lib/squid/squid_ip_auth/squid_ip_auth

# ACL definition
acl externaluser_acl external externaluser IP_AUTH

# Grant access to whom is validated by the helper
http_access allow externaluser_acl

# Set a new error page for denied access (usually ERR_ACCESS_DENIED)
deny_info ERR_SQUID_IP_AUTH_ACCESS_DENIED all

Basically the helper uses a fifo to keep track of the IP addresses of authenticated users, and updates the information each time the user "hits" the proxy server. That way when the user authenticates the first time it starts a new session which will have a configurable TTL and is always accounted from the last proxy hit from that user address.
The pros of such an approach are the possibility to use a custom authentication page, even using https to make the POST of user credentials (the reason I'm using this for).

The cons are that the access is provided on an IP address basis and not on a real user basis. Very much like the way that PBS (pop before smtp) works.

I have made some modifications to Steffen's work so I could use LDAP as authentication backend, and possibly extend the type of backend to use.
NOTE1: In order to make this usable, you will need to configure the proxy address (where the form is located) in the bypass address list of the browser. Either set this manually or using a .pac file.

NOTE2: You will need to run a web server capable of executing the login.cgi script, which is basically the page where the POST is submitted.
I'm sending my modified version as attachment.

Hope this helps.

Regards,

Hugo Monteiro.

--
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email : hugo.monteiro@xxxxxxxxxx
Telefone : +351 212948300 Ext.15307

Centro de Informática
Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.ci.fct.unl.pt apoio@xxxxxxxxxx

ci.fct.unl.pt:~# _
Attachment:
squid-ip-auth.tgz
Description: application/compressed-tar
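
The per-IP session with a TTL counted from the last proxy hit, as described in the reply above, shown as an added example (this is not Steffen Dettmer's helper and not the attached modified version). It speaks the external ACL helper protocol for the %SRC format: one lookup line in, one OK or ERR line out. The names SessionTable, login() and SESSION_TTL are hypothetical, login() stands in for the message the login.cgi page would send over the fifo, and the addresses used are constructed documentation addresses.

```python
import sys
import time

SESSION_TTL = 900  # seconds of inactivity before a session expires (assumed value)


class SessionTable:
    """Sessions keyed by client IP, with the TTL counted from the last proxy hit."""

    def __init__(self, ttl=SESSION_TTL):
        self.ttl = ttl
        self.last_hit = {}  # ip -> timestamp of the last login or proxy hit

    def login(self, ip, now):
        # Hypothetical hook: called once the login page has verified the
        # credentials posted from this address.
        self.last_hit[ip] = now

    def check(self, ip, now):
        """Return the helper's reply for one lookup: 'OK' or 'ERR'."""
        seen = self.last_hit.get(ip)
        if seen is None or now - seen > self.ttl:
            self.last_hit.pop(ip, None)  # forget expired sessions
            return "ERR"
        self.last_hit[ip] = now  # every hit renews the session
        return "OK"


def serve(table, requests, replies, clock=time.time):
    # Squid writes one line per lookup, starting with the %SRC value, and
    # waits for exactly one reply line, so flush after each answer.
    for line in requests:
        fields = line.split()
        reply = table.check(fields[0], clock()) if fields else "ERR"
        replies.write(reply + "\n")
        replies.flush()


if __name__ == "__main__":
    # State lives in this one process, which fits children=1 in the
    # posted configuration.
    serve(SessionTable(), sys.stdin, sys.stdout)
```

Because the key is only the source address, every client that reaches the proxy from an authenticated address (for example from behind the same NAT) gets OK until the session expires, which is the limitation the reply lists under cons.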