On 14/09/11 20:36, David Rodman wrote:
Hi - I have an application that could really benefit from being able to pass the %MYPORT value to the basic authentication helper. I have it working now by calling my external program twice, once as the external proxy_auth helper, which verifies that there is at least one username/password combination that matches the user's supplied credentials, and then the second one, an external ACL class that does receive %MYPORT and completes the authentication by verifying that the login info is valid for the port the user is coming in on. If I could just pass the port number to the proxy_auth external helper, it would cut the processing time for this in half and make the whole thing a lot cleaner. So - is there any way to do that, or must I modify the source code to accomplish it?
Authentication validity is universal in scope. The validity test result makes no statements about whether access is permitted or denied. An identical request coming from a different channel alters the shared valid/invalid state for those credentials across both requests.
Altering the source will mean you have to write a whole new auth module that handles multi-part credential indexing.
external_acl_type is capable of doing almost all of it by itself. Pass it %LOGIN %>{Proxy-Authenticate} %MYPORT (with no proxy_auth ACL at all). Use the "fake" Basic authenticator to get around the small problem of needing an auth module configured. The external ACL is indexed by the full set of keys you send to it (credentials+port), so results are not shared and you can safely test multiple parallel requests and allow/block independently without having any security worries.
NP: the header is needed because we don't use or store the passwords in Squid. Your helper will need to decode the header itself to get the user's private details.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.11
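The arrangement Amos describes, written out as an added example that is not part of the original thread or of Squid itself: a hypothetical external_acl_type helper in Python that receives %LOGIN, the client's Basic credential header and %MYPORT, decodes the header itself (since Squid does not hand the helper a password), and answers OK or ERR for the (credentials, port) pair. Assumptions, all mine rather than the thread's: the header passed is the client's Proxy-Authorization request header (the one that carries `Basic <base64>`), the fields arrive on one line space-separated and percent-encoded, the helper runs without the `concurrency=` option (so no channel-id prefix), and the squid.conf fragment, program paths, ACL names and the credential table are placeholders.

```python
#!/usr/bin/env python3
"""Hypothetical Squid external_acl_type helper (added example, not from the thread).

Assumed squid.conf fragment it is written for (paths and names are placeholders):

    auth_param basic program /usr/lib/squid/fake_basic_auth   # "fake" authenticator: accepts anything
    auth_param basic realm proxy
    external_acl_type perport %LOGIN %>{Proxy-Authorization} %MYPORT /usr/local/bin/perport_acl.py
    acl perport_ok external perport
    http_access allow perport_ok
    http_access deny all

Assumed helper protocol: one request per line, three space-separated percent-encoded
fields, one "OK" or "ERR [message=...]" reply per line, no concurrency channel ids.
"""
import base64
import hmac
import sys
from urllib.parse import quote, unquote

# Constructed sample table: listening port -> {username: password}.
# A real helper would load this from a file or database, not hard-code it.
PORT_CREDENTIALS = {
    3128: {"alice": "secret1", "bob": "hunter2"},
    8080: {"alice": "secret1"},
}


def encode_basic(user, password):
    """Build a Proxy-Authorization value the way a browser sends it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def encode_field(value):
    """Percent-encode one field as assumed to arrive from Squid (spaces become %20)."""
    return quote(value, safe="")


def decode_basic(header_value):
    """Return (user, password) from a 'Basic <b64>' value, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # Only the first colon separates user from password; passwords may contain colons.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def check(login, header_value, port_text):
    """Decide OK/ERR for one (login, credential header, port) triple."""
    creds = decode_basic(header_value)
    if creds is None:
        return "ERR message=malformed_credentials"
    user, password = creds
    # The fake authenticator accepted any name, so make sure %LOGIN and the header agree.
    if user != login:
        return "ERR message=login_mismatch"
    try:
        port = int(port_text)
    except ValueError:
        return "ERR message=bad_port"
    expected = PORT_CREDENTIALS.get(port, {}).get(user)
    # Compare even for unknown users so timing does not reveal which names exist.
    matches = hmac.compare_digest((expected or "").encode(), password.encode())
    if expected is None or not matches:
        return "ERR"
    return "OK"


def handle_line(line):
    """Parse one request line from Squid and return the reply line (without newline)."""
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) != 3:
        return "ERR message=bad_request"
    login, header_value, port_text = (unquote(f) for f in fields)
    return check(login, header_value, port_text)


def main():
    # Squid keeps the helper running: one request line in, one reply line out, flushed.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the external ACL result is cached per full key, a cached OK for alice on port 3128 does not grant her port 8080: the helper is asked again for the new triple, which is exactly the per-port separation the question wanted.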