> How they interact is entirely up to you and your configuration.
> The http_access lists are a full-blown boolean programming language with
> hundreds of ACL permutations and paths you can configure.
>
> It is perfectly possible to configure in a way where they don't
> interact, BUT you need to configure that to happen.
> Simply listing a check for NCSA auth then an external ACL check for
> IP auth one after the other will case problems. Checking the client
> subnet earlier on the access line can skip one or other auth test and
> avoid a clash.
> This config separation is possible for the external ACL vs auth_param
> checks. Two auth_param types must combine and do the advert thing.
>
Do I need to do something in PHP/perl to make this work?
eg
auth_param basic program /bin/php your_script_location
How can the script check the ncsa password file? I think cheking the IP address is probably the easier part
The current conf looks like this, so do I have to replace the ncsa auth with a script above that checks the ncsa password file and the IP address?
auth_param basic realm MySquid proxy server
auth_param basic credentialsttl 2 hours
#auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
#replace with
auth_param basic program /bin/php your_script_location
authenticate_cache_garbage_interval 1 hour
authenticate_ip_ttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1863 # MSN messenger
#acl ncsa_users proxy_auth REQUIRED
#replace with
acl AuthenticatedUsers proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT
http_access deny manager
#http_access allow ncsa_users
#replace with
http_access allow AuthenticatedUsers
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost
http_access deny all
icp_access allow all
http_port 8080
http_port xx.xxx.xxx.198:80
hierarchy_stoplist cgi-bin ?
cache_mem 100 MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 40000 16 256
#cache_dir null /null
maximum_object_size 50 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
buffered_logs on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
half_closed_clients off
visible_hostname MySquidProxyServer
log_icp_queries off
dns_nameservers 208.67.222.222 208.67.220.220
hosts_file /etc/hosts
memory_pools off
forwarded_for off
client_db off
coredump_dir /var/spool/squid
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 125000/125000
cachemgr_passwd mypswd all
if (typeof(lpcurruser) == 'undefined') lpcurruser = ''; if (document.getElementById('lpcurruserelt') && document.getElementById('lpcurruserelt').value != '') { lpcurruser = document.getElementById('lpcurruserelt').value; document.getElementById('lpcurruserelt').value = ''; } if (typeof(lpcurrpass) == 'undefined') lpcurrpass=''; if (document.getElementById('lpcurrpasselt') && document.getElementById('lpcurrpasselt').value != '') { lpcurrpass = document.getElementById('lpcurrpasselt').value; document.getElementById('lpcurrpasselt').value = ''; } var lploc=1;var lponlyfill=null;var link=document.getElementById("i1668"); if(link&&typeof(g_lpclicked)=="undefined"){if(document.createEventObject){var evt = document.createEventObject();link.fireEvent("onclick",evt);}else{var evt2 = document.createEvent("MouseEvents");evt2.initMouseEvent("click", true, true, document.defaultView, 1, 0, 0, 0, 0, false, false, false, false, 0, null);link.dispatchEvent(evt2);}g_lpclicked=1;}lpcurruser = ''; lpcurrpass = '';if (typeof(lpcurruser) == 'undefined') lpcurruser = ''; if (document.getElementById('lpcurruserelt') && document.getElementById('lpcurruserelt').value != '') { lpcurruser = document.getElementById('lpcurruserelt').value; document.getElementById('lpcurruserelt').value = ''; } if (typeof(lpcurrpass) == 'undefined') lpcurrpass=''; if (document.getElementById('lpcurrpasselt') && document.getElementById('lpcurrpasselt').value != '') { lpcurrpass = document.getElementById('lpcurrpasselt').value; document.getElementById('lpcurrpasselt').value = ''; } var lploc=1;var lponlyfill=null;var link=document.getElementById("i1668"); if(link&&typeof(g_lpclicked)=="undefined"){if(document.createEventObject){var evt = document.createEventObject();link.fireEvent("onclick",evt);}else{var evt2 = document.createEvent("MouseEvents");evt2.initMouseEvent("click", true, true, document.defaultView, 1, 0, 0, 0, 0, false, false, false, false, 0, null);link.dispatchEvent(evt2);}g_lpclicked=1;}lpcurruser = ''; lpcurrpass = '';
