
Re: authentication mechanism selected based on ip-address


 



> Amos Jeffries wrote:
>> Joseph Spadavecchia wrote:
>>> Hi all,
>>>
>>> We have a requirement to use different authentication mechanisms
>>> based on the subnet/ip-address of the client.
>>>
>>> For example, a client from one subnet would authenticate against ntlm
>>> while a client from another subnet would authenticate against an LDAP
>>> server.
>>>
>>> AFAIK, this is normally done by running multiple instances of squid;
>>> but we have the requirement to do it with a single instance.  One way
>>> of achieving this would be to modify squid to pass the client's
>>> ip-address along with the authentication information.  However, I'd
>>> like to do it cleanly without modifying squid.
>>>
>>> Can anyone offer suggestions for doing this cleanly, without
>>> modifications to squid.
>>>
>>> Thanks in advance.
>>> Joseph
>>
>> External ACL taking client IP and Proxy-authentication header contents.
>> Then doing whatever you like and returning "OK user=XX\n" or "ERR\n"
>>
>> Amos
> Thanks Amos--- your suggestion seems to work.
>
> I created a custom authenticator that always returns "OK" and linked it
> to the external acl.
>
> ==== squid.conf ====
>
> auth_param basic program /usr/local/bin/my-auth.pl
>
> external_acl_type myAclType %SRC %LOGIN %{Proxy-Authorization} /usr/local/bin/my-acl.pl
>
> acl MyAcl external myAclType
>
> http_access allow MyAcl
>
> * Note myAclType's dependence on %LOGIN is required for triggering
> authentication and, thus, setting %{Proxy-Authorization}.
>
>
> ==== my-auth.pl ====
>
> #!/usr/bin/perl -Wl
>
> $|=1;
>
> while (<>) {
>         print "OK";
> }
>
>
> ==== my-acl.pl ====
>
> #!/usr/bin/perl -Wl
>
> use URI::Escape;
> use MIME::Base64;
>
> $|=1;
>
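> while (<>) {
>         # Input line: client IP, login name, URL-encoded Proxy-Authorization header
>         ($ip,$user,$auth) = split();
>         $auth = uri_unescape($auth);
>         ($type,$authData) = split(/ /, $auth, 2);
>         $authString = decode_base64($authData);
>         # Limit of 2: split on the first ':' only, so passwords containing ':' stay intact
>         ($username,$password) = split(/:/, $authString, 2);
>
>         # my_awsome_auth() is the site-specific check; it returns "OK user=XX" or "ERR"
>         print my_awsome_auth($ip, $username, $password);
> }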
>
> Thanks.
> Joseph
>

Excellent, thank you for this wonderful write-up.
I've added it to the wiki:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources

Amos
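
The external ACL helper pattern from this thread, as an added Python example that is not code from the thread or from the Squid project: it reads the `%SRC %LOGIN %{Proxy-Authorization}` line, picks a verifier by client subnet, and answers `OK user=...` or `ERR`. The subnet ranges, user names, passwords and in-memory checkers are constructed stand-ins for the real per-subnet backends.

```python
import base64
import binascii
import hmac
import ipaddress
from urllib.parse import unquote

# Constructed stand-in for a real per-subnet verifier (e.g. an LDAP bind).
def make_checker(users):
    def check(username, password):
        expected = users.get(username)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
    return check

# Constructed subnet -> backend map; first match wins.
BACKENDS = [
    (ipaddress.ip_network("10.1.0.0/16"), make_checker({"alice": "pw:with:colons"})),
    (ipaddress.ip_network("10.2.0.0/16"), make_checker({"bob": "hunter2"})),
]

def handle_line(line, backends=BACKENDS):
    """Answer one helper request: '<ip> <login> <url-encoded Proxy-Authorization>'."""
    fields = line.split()
    if len(fields) != 3:
        return "ERR"
    src, _login, header = fields
    scheme, _, blob = unquote(header).partition(" ")
    if scheme.lower() != "basic":
        return "ERR"  # only Basic carries a recoverable user:password pair
    try:
        ip = ipaddress.ip_address(src)
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return "ERR"
    # Split on the first colon only: passwords may contain ':'.
    username, sep, password = decoded.partition(":")
    # The reply is one whitespace-delimited line, so reject names that would break it.
    if not sep or not username or any(c.isspace() for c in username):
        return "ERR"
    for network, check in backends:
        if ip in network:
            return f"OK user={username}" if check(username, password) else "ERR"
    return "ERR"  # no backend configured for this subnet: fail closed

if __name__ == "__main__":
    import sys
    for request in sys.stdin:
        print(handle_line(request), flush=True)
```

Because the Basic authenticator in this setup accepts everything, the helper is the only place credentials are checked, so every parse failure and every unmapped subnet has to end in `ERR`.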

