On 02/12/10 00:31, Soumadri Roy Chowdhury wrote:
> I need to configure Squid as a reverse proxy with a custom
> authentication helper for each incoming request. Every request to
> Squid is assumed to be with basic authentication. Any connection which

Don't assume. Be sure.
By only configuring squid with "auth_param basic" other auth types will
be identified as unusable.

> fails the authentication, should be terminated. I am a newbie in
> Squid. Following is the configuration script I have used. This sample
> is to access "mindofaprogrammer.blog.com",
> #Squid Configs
> acl all src all
> acl manager proto cache_object
> http_port 80 accel defaultsite=mindofaprogrammer.blog.com
> cache_peer mindofaprogrammer.blog.com parent 80 0 no-query originserver name=myAccel
> acl myblog dstdomain mindofaprogrammer.blog.com
> http_access allow myblog
> cache_peer_access myAccel allow myblog
> cache_peer_access myAccel deny all
> auth_param basic program C:/wamp/bin/php/php5.3.0/php.exe "c:/squid/libexec/authhelper.php"

I suggest you don't use PHP. I spent a long while trying to and had to
abandon it due to constant changes in the timeouts of scripts. The global
and local overrides provided failed differently in every PHP version to
date.
The result is that helpers die and periodically they *all* die and take
Squid out too.
When the devs drop this automatic script lifetime stupidity for
command-line PHP the language will likely be usable again.
There are bundled DB and file helpers that should be usable for most
custom auth systems.

> auth_param basic children 2
> auth_param basic realm eReader
> auth_param basic credentialsttl 5 hours
> acl AuthUsers proxy_auth REQUIRED
> http_access allow AuthUsers
> access_log c:/squid/var/logs/access.log squid
> coredump_dir c:/squid/var/cache
> #End Configs
> I have written the custom authentication helper in a PHP script. The
> listing of the same is as follows,
> <?php
> $f = fopen("php://stdin", "r");
> while ($line = fgets($f)) {
>     $line = trim($line);
>     $fields = explode(' ', $line);
>     $username = rawurldecode($fields[0]); //1738
>     $password = rawurldecode($fields[1]); //1738
>     if ($username == 'hello' and $password == 'world') {
>         fwrite(STDOUT, "OK\n");
>     } else if ($username == 'fo' and $password == 'bar') {
>         fwrite(STDOUT, "OK\n");
>     } else {
>         // failed miserably
>         fwrite(STDOUT, "ERR\n");
>     }
> }
> ?>
> The problem I am facing is, even after configuring this, only the
> reverse proxy settings are working not the authentication. Am I doing
> something wrong here?

Sounds like it. Try writing some debug information to STDERR and seeing
what shows up in your cache.log.
NP: since you have your own helper you could/should make it concurrent
and help Squid run a bit faster with it.
ie. I used to do that with:
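$stdin = fopen("php://stdin", "r");
while($line = fgets($stdin, 8192))
{
    $line = trim($line);
    if("\$shutdown" == $line) break;
    $part = explode(" ",$line);
    $id = $part[0]; // ID number (channel ID sent by Squid)
    $username = rawurldecode($part[1]); //1738
    $password = rawurldecode($part[2]); //1738
    // ... (elided in the original post)
    echo $id ." OK\n"; // reply is prefixed with the same ID
}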
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.3
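
The channel-ID form of the helper protocol that Amos describes, written in Python as an added example (not code from the thread or from the Squid project). It assumes Squid has concurrency enabled for the helper so every request line starts with a numeric ID; the credential table is a constructed placeholder copied from the PHP listing above.

```python
#!/usr/bin/env python3
"""Concurrent Squid basic-auth helper (added illustration)."""
import hmac
import sys
from urllib.parse import unquote

# Constructed demo credentials: the same pairs the PHP helper in the thread accepts.
USERS = {"hello": "world", "fo": "bar"}


def check(username, password):
    """Compare in constant time; unknown users go through the same comparison."""
    expected = USERS.get(username, "")
    ok = hmac.compare_digest(password.encode(), expected.encode())
    return ok and username in USERS


def handle_line(line):
    """Map one request line 'ID user pass' to its reply, or None for blank input."""
    tokens = line.strip().split(" ")
    channel = tokens[0]
    if not channel:
        return None  # blank line: nothing to answer
    if len(tokens) != 3 or not channel.isdigit():
        # Malformed request: fail closed, echoing the ID only if one was sent.
        return f"{channel} ERR" if channel.isdigit() else "ERR"
    # Squid URL-encodes both fields (the "//1738" comments in the PHP code).
    username, password = unquote(tokens[1]), unquote(tokens[2])
    return f"{channel} OK" if check(username, password) else f"{channel} ERR"


def main():
    for line in sys.stdin:
        reply = handle_line(line)
        if reply is None:
            continue
        # stderr is the debug channel mentioned above; never log the password.
        print(f"authhelper: {reply}", file=sys.stderr)
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()  # Squid waits on the pipe; unflushed replies stall requests


if __name__ == "__main__":
    main()
```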