> Ah, that tutorial is about writing an authentication helper (ie ncsa_auth). Not an ACL helper.
>
> The difference being that external_acl_type ACL helpers auth*orize* the request permission to do something in Squid because it matches an IP used by some username.
>
> auth_param helpers auth*enticate* some security username:passtoken credentials. They do not assign any permissions, just state whether the credentials are valid/invalid.
>
>
> The script I was suggesting takes only the IP and produces the username for logging. You need some database, or AD login etc mapping which users have been assigned which IP. The script uses that source to find the username in the background and present it to Squid via "OK user=$username" or "ERR" results.
>
>
> The squid.conf looks something like:
>
> external_acl_type IPUser %SRC /path/to/script
>
> auth_param basic program /path/to/ncsa_auth
>
> # VPN subnet intercepted with NAT
> acl ipuser external IPUser
> acl vpn_subnet src 192.168.1.0/24
> http_access allow vpn_subnet ipuser
>
> # regular subnet who can login
> acl logIn proxy_auth REQUIRED
> acl other_subnet src 192.168.2.0/24
> http_access allow other_subnet logIn
>
> # strange machines we don't know.
> http_access deny all
>

Right... sorry, can I leave the VPN out for the moment, because I'm confusing myself with the setup.

So, the current setup uses ncsa_auth. I need to add a secondary authentication mechanism, which checks the external IP address but does not require a username or password.

From what we've said I cannot add 2 mechanisms, so I need to pass the auth to a script that can check the IP address. If the IP address does not equal 200.212.34.45 then I need to pass the script a username and password pair, which it can check against the existing ncsa_auth squid_passwd file.

Users access the proxy: if IP=200.212.34.45 OK, else if username:password=squid_passwd file OK, else ERR.
Do I even need a script for that, or can I simply add acl other_subnet src 200.212.34.45 to the existing conf?

Current conf:

auth_param basic realm MySquid proxy server
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
authenticate_cache_garbage_interval 1 hour
authenticate_ip_ttl 2 hours

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 1863        # MSN messenger
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT

http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost
http_access deny all
icp_access allow all

http_port 8080
http_port xx.xxx.xxx.198:80
hierarchy_stoplist cgi-bin ?

cache_mem 100 MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 40000 16 256
#cache_dir null /null
maximum_object_size 50 MB
cache_swap_low 90
cache_swap_high 95

access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
buffered_logs on

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB

acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
half_closed_clients off
visible_hostname MySquidProxyServer
log_icp_queries off
dns_nameservers 208.67.222.222 208.67.220.220
hosts_file /etc/hosts
memory_pools off
forwarded_for off
client_db off
coredump_dir /var/spool/squid

delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 125000/125000
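The IP-to-username helper that the quoted message describes, written out as an added example that is not part of this thread and not Squid's own code. It assumes the quoted `external_acl_type IPUser %SRC /path/to/script` line, so Squid sends one request line per lookup carrying only the client IP (no concurrency channel id), and it uses a constructed in-memory mapping where a real deployment would consult the VPN server, DHCP leases, AD or a database.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper: maps a client IP (%SRC) to a username.

Protocol: Squid writes one request per line on stdin (just the IP for the
squid.conf line quoted above); the helper answers exactly one line per request,
"OK user=<name>" or "ERR", and must flush after every answer or Squid blocks
waiting for the reply.
"""
import ipaddress
import sys

# Constructed sample data for this example only (assumption: in a real setup this
# comes from whatever records which user was assigned which IP).
IP_TO_USER = {
    "192.168.1.10": "alice",
    "192.168.1.11": "bob",
}


def lookup(request_line: str) -> str:
    """Return the helper response for one Squid request line."""
    fields = request_line.strip().split()
    if not fields:
        return "ERR"
    src = fields[0]
    # Anything that is not a syntactically valid IP address is denied rather
    # than guessed at; Squid then falls through to the next http_access rule.
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return "ERR"
    user = IP_TO_USER.get(src)
    if user is None:
        return "ERR"  # unknown IP: no username, so the 'ipuser' ACL does not match
    return f"OK user={user}"  # username is what Squid writes into access.log


def serve(instream=sys.stdin, outstream=sys.stdout) -> None:
    """Answer requests until Squid closes the pipe."""
    for line in instream:
        outstream.write(lookup(line) + "\n")
        outstream.flush()  # required: Squid waits for the line before continuing


if __name__ == "__main__":
    serve()
```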