On 25/11/2011 2:14 a.m., Luis Enrique Sanchez Arce wrote:
Hi Amos and thanks for your response,
I have a database of users that can be both users IP (192.168.1.0/24) as standard (juan manuel, owners, etc).
Besides, I have for those users a set of rules that regulate their navigation.
The following configuration for redir_program works ok for me.
---------------------------------------------------------------------------
auth_param basic program myauthdb
auth_param basic children 10
auth_param basic realm Test
auth_param basic credentialsttl 2 hours
acl pass proxy_auth REQUIRED
external_acl_type notauth children=10 ttl=0 %SRC notauth
acl bypass_auth external notauth
redirect_program redirector.pl
redirect_rewrites_host_header on
redirect_children 70
acl Restrictivo src 10.0.0.0/8
http_access allow bypass_auth
http_access allow Restrictivo pass
-----------------------------------------------------------------------------
The program notauth takes the parameter %SRC internally and verify if user IP exists in the system. To be positive
returns OK and ignore authentication. In that case the redirect_program receives the authenticated user "-" and internally
takes the user such as IP.
What I want to do is this the same but with external acl. The fallowing configuration don´t work for me.
-----------------------------------------------------------------------------
auth_param basic program myauthdb
auth_param basic children 10
auth_param basic realm Test
auth_param basic credentialsttl 2 hours
acl pass proxy_auth REQUIRED
external_acl_type notauth children=10 ttl=0 %SRC notauth
acl bypass_auth external notauth
external_acl_type redirprogram children=30 concurrency=10 ttl=300 %URI %SRC %LOGIN %METHOD redirector.pl
Hmm, for starters you definitely need to change what the redirector.pl
script does in order to work in this other interface of Squid. The input
and output are very different.
acl redir external redirprogram
http_access allow bypass_auth redir
The problem is %LOGIN used by "redirprogram" requires auth credentials
to be known. Squid will perform auth in order to get them.
In order to to get login credentials without requiring that they exist
send %>{Proxy-Authorization} to the helper instead (requires Squid-3.1
or later). It will need to process and decode the header content itself.
(There are some proposals for a tag to do get an optional username but
only incomplete feature patches submitted so far).
http_access allow pass redir
http_access allow redir
I think you are wanting three different ACLs instead of "redir". ..
* On the "bypass_auth" line the %EXT_USER is needed to pass the user=
value to the helper.
* On the "pass" line the %LOGIN is needed to send the authenticated
username to the helper.
I'm a little confused why you would want to "allow redir" by itself. It
has no use other than to override the previous decisions not to allow.
# And finally deny all other access to this proxy
http_access deny all
deny_info ERR_FILTER_DENIED redir all
deny_info takes the name of a *single* ACL to bind to. Only when that
ACL is the last ACL name on an access deny line will the deny_info
object be sent.
In this setup that means:
deny_info ERR_FILTER_DENIED all
-----------------------------------------------------------------------------
I added the acl notauth return OK user=IP, the idea is that the acl redir assume %LOGIN as the IP. It does't works for me.
%LOGIN is the authenticated credentials. user= is just a value passed
back for you to play with. It has no authentication meaning to Squid. It
is about authorization instead.
Also, when using the redirector in external_acl_type, setting the
username field to an IP in order to send it in the second helper format
is a complex way to do something meaningless.
The simpler way to do it would be to just configure the second helper
format as:
external_acl_type redirprogram children=30 concurrency=10 ttl=300
%URI %SRC %SRC %METHOD redirector.pl
Although, if you pay attention to that line you will see that the IP is
already sent to the script. So why go to such complex bother?
The operation is required to be with an external acl to write in the log with the label %ea.
The acl redirect_program does not support sending something to the log.
I hope you understand what I want to do, and if exist a way to do it?.
A completely alternative setup you should consider:
* combine the notauth script and redirector.pl script actions into one
which performs everything needed on that allow line. Including sending
the info back for logging.
* create a new script based on just the redirector.pl script to do the
actions after authentication. This is the one on the line after "pass"
ACL and can depend on %LOGIN.
Amos
