
Re: deny_info page with passing login


 



On 29/04/11 10:27, Rafal Zawierta wrote:
Hi again :)

I try to redirect denied users (by my own external acl helper) to my
custom page.
I use kerb_auth so I pass to my helper variable %LOGIN

external_acl_type testacl %LOGIN /tmp/login.sh  (login.sh will return
OK or Err - it works).

Now - in case of 'Err' I have to redirect my client to web page with message:

Hello %LOGIN. You are denied.
(In fact page will be in php with connection to sql, but idea is the same).

Now - when I try to use some variables from squid doc I get:

deny_info http://proxy.domain.local/index.php?login=%a test1
but in URL in browser I have "index.php?login=0x0.000000110cb68p-1022"
- so, it is not my login.

Is it possible to pass login the same way as it is passed to external
acl helper?

You require 3.2 series to pass % tokens to deny_info.
It uses the same token set as the error template pages do.


And - also important - is it possible to use POST method instead of GET
with deny_info.

No guarantees. That is up to the browser.

Squid 3.1+ will send a 307 status code to tell the browser that a new location is required, with no change in the request method or details posted. After asking the user if it is okay they should retry the new location. So far Firefox is the only browser to support this part of HTTP/1.1. The others all wrongly treat it the same as a 302 (sending a GET as the followup). There are many of us using 307 anyway where it is needed and hoping that the browsers will get fixed soon. Please join the campaign :)


Or maybe (it will simplify all) - is it some method to get %LOGIN from
headers sent by browser (as it was said before - I use
squid_kerb_auth). In such case I don't need to pass anything special
with deny_info.

Yes that is the better way to do all this. You won't be passing username un-encrypted.

Just generate the error page using a background auth check in the page script to lookup the username from the Proxy-Authentication header received. You could even use squid_kerb_auth to do the sub-check, all it does for Squid is take a copy of the header line and pass back the username on success and error message fail.

This may help: http://wiki.squid-cache.org/Features/AddonHelpers#Negotiate_and_NTLM_Scheme

 "KK $header_content" is what squid_kerb_auth accepts,
  "AF $username" is the success reply,
  "BH $message" is the failure reply.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
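
The background lookup described in the reply above, as an added Python example (not code from the thread or from the Squid project): the page script takes the received header value, sends "KK <token>" to the helper, and only greets the user by name on an "AF" reply, HTML-escaping the name first. The function names and the `ask_helper` callable (one line out to squid_kerb_auth, one line back) are hypothetical; reading the username as the last field of the AF line is an assumption so that a reply carrying a token before the name is also handled.

```python
import base64
import binascii
import html

GENERIC = "You are denied."  # shown whenever the username cannot be verified

def negotiate_token(header_value):
    """Return the base64 token from 'Negotiate <token>', or None if malformed."""
    parts = (header_value or "").split()
    # Exactly two fields: extra whitespace or newlines would let a client
    # smuggle a second command line into the line-based helper protocol.
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return None
    try:
        base64.b64decode(parts[1], validate=True)  # reject non-base64 input
    except (binascii.Error, ValueError):
        return None
    return parts[1]

def parse_reply(line):
    """Map one helper reply line to (ok, text); anything but AF is a failure."""
    fields = line.strip().split()
    if len(fields) >= 2 and fields[0] == "AF":
        return True, fields[-1]  # assumption: the username is the last field
    if fields and fields[0] == "BH":
        return False, " ".join(fields[1:])
    return False, "unexpected helper reply"

def denied_page(header_value, ask_helper):
    """Build the denial page body from the header the browser sent."""
    token = negotiate_token(header_value)
    if token is None:
        return GENERIC
    ok, text = parse_reply(ask_helper("KK " + token))
    if not ok:
        return GENERIC  # keep the BH message for the server log, not the page
    # The name ends up in HTML, so escape it before it reaches the browser.
    return "Hello %s. You are denied." % html.escape(text)
```
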

