
Re: authentication mechanism selected based on ip-address

Amos Jeffries wrote:
> Joseph Spadavecchia wrote:
>> Hi all,
>>
>> We have a requirement to use different authentication mechanisms based on the subnet/ip-address of the client.
>>
>> For example, a client from one subnet would authenticate against ntlm while a client from another subnet would authenticate against an LDAP server.
>>
>> AFAIK, this is normally done by running multiple instances of squid; but we have the requirement to do it with a single instance. One way of achieving this would be to modify squid to pass the client's ip-address along with the authentication information. However, I'd like to do it cleanly without modifying squid.
>>
>> Can anyone offer suggestions for doing this cleanly, without modifications to squid.
>>
>> Thanks in advance.
>> Joseph
>
> External ACL taking client IP and Proxy-authentication header contents.
> Then doing whatever you like and returning "OK user=XX\n" or "ERR\n"
>
> Amos

Thanks Amos--- your suggestion seems to work.

I created a custom authenticator that always returns "OK" and linked it to the external acl.

==== squid.conf ====

auth_param basic program /usr/local/bin/my-auth.pl

external_acl_type myAclType %SRC %LOGIN %{Proxy-Authorization} /usr/local/bin/my-acl.pl

acl MyAcl external myAclType

http_access allow MyAcl

* Note myAclType's dependence on %LOGIN is required for triggering authentication and, thus, setting %{Proxy-Authorization}.


==== my-auth.pl ====

#!/usr/bin/perl -Wl

$|=1;

while (<>) {
       print "OK";
}


==== my-acl.pl ====

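#!/usr/bin/perl -Wl

use URI::Escape;
use MIME::Base64;

$|=1;

# One request per line from Squid: %SRC %LOGIN %{Proxy-Authorization}
while (<>) {
       ($ip,$user,$auth) = split();
       # The header value arrives URL-encoded, so decode it before parsing
       $auth = uri_unescape($auth);
       ($type,$authData) = split(/ /, $auth);
       $authString = decode_base64($authData);
       # Limit of 2 so a password containing ':' is not truncated
       ($username,$password) = split(/:/, $authString, 2);
       # my_awsome_auth() is the site-specific check (not shown here);
       # it is expected to return "OK user=XX" or "ERR"
       print my_awsome_auth($ip, $username, $password);
}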

Thanks.
Joseph

--
Joseph Spadavecchia



t. +44 (0)1506 426 976
f. +44 (0)1506 691 408
e. mailto:jspadavecchia@xxxxxxxxx
w. http://www.bloxx.com/

Awards:
http://www.bloxx.com/corporate/newsreleases_more.php?id=39 | http://www.bloxx.com/corporate/newsreleases_more.php?id=36 http://www.bloxx.com/corporate/newsreleases_more.php?id=31 | http://www.bloxx.com/corporate/newsreleases_more.php?id=33
--------------------------------------------------------------------------
Bloxx Ltd.: Registered in the UK No. SC202264. Geddes House, Kirkton North, Livingston EH54 6GU, UK. International Offices: Bloxx Inc. t. +1 781 229 0980 | Bloxx Europe t. +31 (0) 70 320 5009 | Bloxx Australia t. +61 1800 225 699
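
Added example, not part of the original post or of Squid: a Python sketch of the external ACL helper described above, showing the per-subnet dispatch that `my_awsome_auth` is left to do. Since my-auth.pl accepts every login, this helper is the only place credentials are checked, so every parse failure and every unmapped subnet returns "ERR". The subnets, accounts and `static_backend` stand-ins for the real NTLM/LDAP checks are constructed assumptions.

```python
import base64
import hmac
import ipaddress
import sys
from urllib.parse import unquote

def static_backend(table):
    """Constructed stand-in for a real backend (e.g. an LDAP bind)."""
    def check(user, password):
        expected = table.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
    return check

# Constructed policy: the first subnet containing the client selects the backend.
BACKENDS = [
    (ipaddress.ip_network("10.1.0.0/16"),
     static_backend({"alice": "s3cret:with:colons"})),
    (ipaddress.ip_network("10.2.0.0/16"),
     static_backend({"bob": "hunter2"})),
]

def decide(line):
    """Map one '%SRC %LOGIN %{Proxy-Authorization}' line to a helper reply."""
    fields = line.split()
    if len(fields) != 3:
        return "ERR"
    src, _login, header = fields
    # The header value arrives URL-encoded: "Basic%20<base64>"
    scheme, _, blob = unquote(header).partition(" ")
    if scheme.lower() != "basic":
        return "ERR"
    try:
        addr = ipaddress.ip_address(src)
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # bad IP, bad base64 or bad UTF-8
        return "ERR"
    # Split on the first ':' only, so passwords may contain colons
    user, sep, password = decoded.partition(":")
    # Whitespace in the name could smuggle extra tokens into the reply line
    if not sep or not user or any(c.isspace() for c in user):
        return "ERR"
    for net, check in BACKENDS:
        if addr in net:
            return f"OK user={user}" if check(user, password) else "ERR"
    return "ERR"  # no backend mapped for this subnet: fail closed

if __name__ == "__main__":
    for request in sys.stdin:
        print(decide(request), flush=True)
```
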


