Re: %login in ACL without authentication configured

On 25/11/2011 2:14 a.m., Luis Enrique Sanchez Arce wrote:
> Hi Amos and thanks for your response,
>
> I have a database of users that can be both IP users (192.168.1.0/24) and standard users (juan manuel, owners, etc.).
> Besides, I have for those users a set of rules that regulate their navigation.
>
> The following configuration for redirect_program works ok for me.
>
> ---------------------------------------------------------------------------
> auth_param basic program myauthdb
> auth_param basic children 10
> auth_param basic realm Test
> auth_param basic credentialsttl 2 hours
> acl pass proxy_auth REQUIRED
>
> external_acl_type notauth children=10 ttl=0 %SRC notauth
> acl bypass_auth external notauth
>
> redirect_program redirector.pl
> redirect_rewrites_host_header on
> redirect_children 70
>
> acl Restrictivo src 10.0.0.0/8
>
> http_access allow bypass_auth
> http_access allow Restrictivo pass
> -----------------------------------------------------------------------------
>
> The program notauth takes the parameter %SRC and internally verifies whether the user IP exists in the system. If positive,
> it returns OK and authentication is ignored. In that case redirect_program receives the authenticated user "-" and internally
> takes the IP as the user.
>
> What I want to do is the same but with an external acl. The following configuration doesn't work for me.
>
> -----------------------------------------------------------------------------
> auth_param basic program myauthdb
> auth_param basic children 10
> auth_param basic realm Test
> auth_param basic credentialsttl 2 hours
> acl pass proxy_auth REQUIRED
>
> external_acl_type notauth children=10 ttl=0 %SRC notauth
> acl bypass_auth external notauth
>
> external_acl_type redirprogram children=30 concurrency=10 ttl=300 %URI %SRC %LOGIN %METHOD redirector.pl

Hmm, for starters you definitely need to change what the redirector.pl script does in order to work in this other interface of Squid. The input and output are very different.

> acl redir external redirprogram
>
> http_access allow bypass_auth redir

The problem is %LOGIN used by "redirprogram" requires auth credentials to be known. Squid will perform auth in order to get them.

In order to get login credentials without requiring that they exist, send %>{Proxy-Authorization} to the helper instead (requires Squid-3.1 or later). It will need to process and decode the header content itself. (There are some proposals for a tag to get an optional username, but only incomplete feature patches have been submitted so far.)

> http_access allow pass redir
> http_access allow redir

I think you are wanting three different ACLs instead of "redir"...

* On the "bypass_auth" line the %EXT_USER is needed to pass the user= value to the helper.
* On the "pass" line the %LOGIN is needed to send the authenticated username to the helper.

I'm a little confused why you would want to "allow redir" by itself. It has no use other than to override the previous decisions not to allow.


> # And finally deny all other access to this proxy
> http_access deny all
> deny_info ERR_FILTER_DENIED redir all

deny_info takes the name of a *single* ACL to bind to. Only when that ACL is the last ACL name on an access deny line will the deny_info object be sent.

In this setup that means:
  deny_info ERR_FILTER_DENIED all

-----------------------------------------------------------------------------

> I added to the acl notauth the return OK user=IP; the idea is that the acl redir takes %LOGIN as the IP. It doesn't work for me.

%LOGIN is the authenticated credentials. user= is just a value passed back for you to play with. It has no authentication meaning to Squid. It is about authorization instead.

Also, when using the redirector in external_acl_type, setting the username field to an IP in order to send it in the second helper format is a complex way to do something meaningless. The simpler way to do it would be to just configure the second helper format as:

  external_acl_type redirprogram children=30 concurrency=10 ttl=300 %URI %SRC %SRC %METHOD redirector.pl

Although, if you pay attention to that line you will see that the IP is already sent to the script. So why go to such complex bother?



> The operation has to be done with an external acl in order to write to the log with the label %ea.
> redirect_program does not support sending anything to the log.
>
> I hope you understand what I want to do, and whether there is a way to do it.

A completely alternative setup you should consider:

* combine the notauth script and redirector.pl script actions into one which performs everything needed on that allow line. Including sending the info back for logging.

* create a new script based on just the redirector.pl script to do the actions after authentication. This is the one on the line after "pass" ACL and can depend on %LOGIN.

Amos
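The approach Amos describes above, an external_acl_type helper that receives %>{Proxy-Authorization} instead of %LOGIN, decodes the header itself, falls back to the client IP for the thread's "IP users", and returns user= and log= so the result can be logged with %ea, as an added example that is not part of the thread and not the notauth or redirector.pl scripts discussed in it. It is written in Python rather than Perl. The squid.conf lines in the docstring, the helper name redirchk.py, the known-IP set and the blocked-host rules are all assumptions or constructed sample data. It also assumes Squid URL-encodes each helper input field (so the header value with its embedded space arrives as one field) and sends "-" for an absent header.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper that derives an identity without forcing auth.

Added example; not the redirector.pl or notauth scripts from the thread.
Assumed (hypothetical) squid.conf lines:

  external_acl_type redirchk children=10 concurrency=10 ttl=300 \\
      %URI %SRC %>{Proxy-Authorization} %METHOD /usr/local/bin/redirchk.py
  acl redir external redirchk

With concurrency=N, Squid sends one line per lookup:
  <channel-id> <URI> <SRC> <Proxy-Authorization> <METHOD>
and expects one line back:
  <channel-id> OK|ERR [user=...] [log=...]
The log= value is what %ea writes to access.log; user= is an authorization
value only and carries no authentication meaning to Squid.
"""
import base64
import binascii
import sys
from urllib.parse import quote, unquote

# Constructed sample data standing in for the thread's user database.
KNOWN_IPS = {"192.168.1.10", "192.168.1.11"}   # the "IP users"
BLOCKED_HOSTS = {"user": {"blocked.test"}}      # per-identity navigation rules


def decode_basic_username(header_value):
    """Extract the username from a 'Basic <base64>' header value, or None.

    Assumption: Squid passes '-' when the header is absent. The password is
    deliberately ignored: this helper only reads the client-asserted name.
    """
    if not header_value or header_value == "-":
        return None
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None            # malformed base64 or non-UTF-8 credentials
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


def evaluate(line, known_ips=KNOWN_IPS, blocked_hosts=BLOCKED_HOSTS):
    """Answer one helper request line with the response line Squid expects."""
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) < 5:
        # Always answer on the channel, otherwise Squid waits for a reply.
        channel = fields[0] if fields and fields[0] else "0"
        return f"{channel} ERR log=malformed-request"
    # Assumption: Squid URL-encodes each field, so spaces never split a field.
    channel, uri, src, authz, method = (unquote(f) for f in fields[:5])

    identity, via = decode_basic_username(authz), "basic-header"
    if identity is None and src in known_ips:
        identity, via = src, "src-ip"        # the thread's "IP user" case
    if identity is None:
        return f"{channel} ERR log=no-identity"

    # Host part of the URI (handles scheme://host:port/path and host:port).
    host = uri.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    # Response values must not contain spaces: 'juan manuel' -> juan%20manuel
    user_kv = f"user={quote(identity, safe='')}"
    if host in blocked_hosts.get(identity, ()):
        return f"{channel} ERR {user_kv} log=blocked"
    return f"{channel} OK {user_kv} log={via}"


def make_basic_header(username, password):
    """Build a Proxy-Authorization value the way a client would (test input)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def encode_request(channel, uri, src, authz, method):
    """Build a helper request line the way Squid would (fields URL-encoded)."""
    return " ".join(quote(f, safe="") for f in (channel, uri, src, authz, method))


def main():
    """Helper loop: one request line in, one response line out, flushed."""
    for line in sys.stdin:
        sys.stdout.write(evaluate(line) + "\n")
        sys.stdout.flush()           # Squid stalls on buffered replies


if __name__ == "__main__":
    main()
```

The name decoded from an unverified Proxy-Authorization header is whatever the client chose to send, so it serves the %ea log tag and the per-user rules on the bypass line, but only the "pass" line with %LOGIN carries an identity Squid has actually verified.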
