Hi, I'm wondering if there's been any progress since 2005 as regards
multiple instances of auth_param basic.
My problem is that I have set up a mechanism for restricting the access
to certain sites when the http client is on a particular network.
No problem with this, it works fine, the algorithm is simple and as follows:
IF accessing subscription_site THEN
    IF http client in hall of residence THEN
        check authorized user
        IF not authorized user THEN
            REJECT
        ELSE
            ACCEPT
        ENDIF
    ELSE
        ACCEPT
    ENDIF
ELSE
    ACCEPT
ENDIF
To implement it I've used the following directives:
auth_param basic program /usr/local/exploitation/checkAuthorizedUser.pl
auth_param basic realm /blah blah blah/
acl subscription_sites dstdomain .techniques-ingenieur.fr
acl subscription_sites dstdomain .tribunes.com
acl hall_of_residence src 172.26.64.0/255.255.240.0
acl utcauthenticated proxy_auth REQUIRED
http_access allow subscription_sites hall_of_residence utcauthenticated
The requests in question get handled just as I intended. The problem is
with OTHER requests requiring authentication. In particular FTP. If any
user of this squid, anywhere, tries to do non-anonymous FTP without
specifying username and password in the URL, then squid returns a
challenge labelled /blah blah blah/, and invariably rejects the request,
since the FTP username and password to be sent to the remote FTP server
are not recognized by my checkAuthorizedUser.pl script. What I need is
TWO authentication setups: one to handle my very specific
authentication requirement, and the other to handle all the rest.
Anybody see a way around this?
With my thanks,
David L
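
The decision logic described in the message above, as an added example that is not part of the original post and is not Squid's own code: a Python model built from the acl values in the post. `check_user` is a hypothetical stand-in for checkAuthorizedUser.pl, and the function also reports whether the authenticator was consulted at all, which should happen only for hall-of-residence clients requesting a subscription site.

```python
import ipaddress

# Values copied from the acl lines in the post.
SUBSCRIPTION_SITES = (".techniques-ingenieur.fr", ".tribunes.com")
HALL_OF_RESIDENCE = ipaddress.ip_network("172.26.64.0/255.255.240.0")


def dstdomain_match(host, patterns=SUBSCRIPTION_SITES):
    """dstdomain semantics: a leading dot matches the domain and its subdomains."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        base = pat.lstrip(".")
        if host == base or (pat.startswith(".") and host.endswith("." + base)):
            return True
    return False


def decide(host, client_ip, check_user):
    """Return (verdict, auth_consulted) for one request.

    check_user is a hypothetical stand-in for checkAuthorizedUser.pl: a
    callable returning True for an authorized user. Conditions are tested
    left to right and stop at the first miss, so it is called only when
    both the destination and the source match.
    """
    if not dstdomain_match(host):
        return "ACCEPT", False
    if ipaddress.ip_address(client_ip) not in HALL_OF_RESIDENCE:
        return "ACCEPT", False
    return ("ACCEPT" if check_user() else "REJECT"), True


if __name__ == "__main__":
    # Constructed sample requests: (host, client address, user is authorized)
    samples = [
        ("www.techniques-ingenieur.fr", "172.26.70.9", True),
        ("www.techniques-ingenieur.fr", "172.26.70.9", False),
        ("www.tribunes.com", "172.26.80.1", False),
        ("ftp.example.org", "172.26.70.9", False),
    ]
    for host, ip, ok in samples:
        print(host, ip, decide(host, ip, lambda ok=ok: ok))
```
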
From: Henrik Nordstrom <hno@xxxxxxxxxxxxxxx>
Date: Thu, 26 May 2005 15:23:10 +0200 (CEST)
On Thu, 5 May 2005, B wrote:
> to always have squid be the "master" authenticator, is it possible to
> define more than one auth_param basic program, assign them with acl-like
> names and use multiple proxy_auth directives with http_access and
> url_regex definitions? the aim is, to have one auth_param for every
> url_regex match.
Today the login (and password) name must be unique for the whole Squid, no
matter what the user requests. Once logged in you can use proxy_auth etc.
to limit what users may access what, but the same login can not have
different passwords depending on what is being requested.
However, MARA Systems is collecting bids for implementing multiple
authentication "realms" within the same Squid allowing different user
databases to be used depending on what is requested where. Implementation
will start when there is sufficient interest.
Regards
Henrik