Guillaume BRAUX wrote:
Hello,

I use an HTTP captive portal to authenticate users and give them access to network resources. It actually stores Username/MAC/IP in a database when a user authenticates, and adds the needed filtering rules in iptables/Netfilter (based on IP and MAC) to open the usual ports (80, 443, ...) for the user.

Now, I have added a transparent Squid proxy to be able to filter HTTP requests more accurately (URL whitelist/blacklist, ...). But I want to make user/group-based Squid rules.

I know it is not possible to do proxy auth using Squid in transparent mode, but my context gives me another way to get the current user, as I have a database with the Username/MAC/IP of all of them. So when I have the MAC or IP address, I can find the username.

So, summarizing:
- I have a database (file or SQL, ...) which stores my users. These users can be part of a group of users.
- When a packet reaches the Squid proxy server, I am sure I have in my database a link between the IP/MAC and the username (as all users have to authenticate with the captive portal to be able to go through Netfilter and reach the Squid proxy).

My final goal:
- I want to implement rules in Squid based on a username or a group (like the LDAP auth)!

But how to do this in my context?! That is the question.

Depending on what type of rules you want to implement, you may use ufdbGuard, a Squid redirector. With ufdbGuard you can block/allow groups of users to access lists of URLs. A group can be defined in many ways and one way is to use an ASCII file with IP addresses.

ufdbGuard is free. It can also use a commercial URL database. It can be downloaded from www.urlfilterdb.com

Marcus

Developing an external auth handler? A Squid extension? Any ideas?

Thanks for all,
Guillaume
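
The "external auth handler" idea raised in the question corresponds to Squid's `external_acl_type` helper interface. The following is an added example, not code from this thread or from ufdbGuard: the table names, helper path and ACL names are hypothetical, and `%SRCEUI48` assumes Squid can see the client's MAC address. It fails closed on an unknown IP, a MAC mismatch or an expired portal session.

```python
"""Squid external ACL helper: map client IP/MAC to a portal user and group.
Assumed squid.conf wiring (ACL names and helper path are hypothetical):
  external_acl_type portal_group ttl=60 negative_ttl=10 %SRC %SRCEUI48 /usr/local/bin/portal_acl.py
  acl staff external portal_group staff
  http_access allow staff
Squid then sends one request line per lookup: "<ip> <mac> <group>".
"""
import sqlite3
import sys
import time
from urllib.parse import quote

def open_db(path=":memory:"):
    # Hypothetical schema standing in for the captive portal's database.
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE IF NOT EXISTS sessions(ip TEXT PRIMARY KEY, mac TEXT, username TEXT, expires REAL);
        CREATE TABLE IF NOT EXISTS memberships(username TEXT, grp TEXT);
    """)
    return db

def decide(db, line, now=None):
    """Return the helper reply for one request line; anything unexpected is ERR."""
    now = time.time() if now is None else now
    fields = line.split()
    if len(fields) != 3:
        return "ERR"
    ip, mac, group = fields
    row = db.execute(
        "SELECT username FROM sessions WHERE ip=? AND lower(mac)=lower(?) AND expires>?",
        (ip, mac, now)).fetchone()
    if row is None:  # unknown IP, MAC mismatch, or expired portal session
        return "ERR"
    member = db.execute(
        "SELECT 1 FROM memberships WHERE username=? AND grp=?",
        (row[0], group)).fetchone()
    # user= lets Squid record the portal username in its access log.
    return f"OK user={quote(row[0])}" if member else "ERR"

def main():
    db = open_db(sys.argv[1] if len(sys.argv) > 1 else ":memory:")
    for line in sys.stdin:  # Squid keeps the helper running and feeds it lines
        print(decide(db, line), flush=True)

if __name__ == "__main__":
    main()
```

Keep `ttl` short and have the portal delete session rows on logout, because Squid caches helper answers and an IP/MAC pair identifies a device rather than a person.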