
Re: Need help for ACL: Authentication web Form + Cookies




On 14/04/2012 6:08 a.m., David Touzeau wrote:
Dear all

I would like to use 2 external helpers in order to use a web authentication form.

The idea is to use a combination of ext_session_acl and my own external helper,
but I do not know how to create the ACLs.

I have done 50%
---------------------------------------
external_acl_type checkauth concurrency=100 ttl=3 %SRC %URI %>{Host} %>{Cookie} /usr/bin/squid-helper.php

Note that Cookie: headers can get very large. Squid permits up to 64KB before stripping them, which has been spotted happening.


external_acl_type AuthenticatedSessions ttl=60 concurrency=100 %SRC /usr/local/sbin/squid/ext_session_acl -t 48000 -b /var/lib/squid/session-web-form.db
acl AuthenticatedHelper external checkauth
acl Authenticated_users external AuthenticatedSessions
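# deny_info takes an acl name (AuthenticatedHelper), not the external_acl_type name (checkauth)
deny_info http://10.10.10.10/login.php AuthenticatedHelper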
http_access deny !AuthenticatedHelper

In this model squid-helper.php checks the cookie sent by the http://10.10.10.10/login.php page.
If the cookie exists then squid-helper.php answers OK.
If the request is for http://10.10.10.10/login.php, squid-helper.php answers OK in order to allow the authentication web page. If the cookie does not exist then squid-helper.php answers ERR, and the login.php page is in charge of authenticating the user and creating the new cookie.

The problem with this is that when the user tries to connect to another website, the cookie does not exist. squid-helper.php answers ERR and requests are sent back to the login page.

To get this to 100% I need to force Squid to identify the user after a positive answer from squid-helper.php.
I am thinking about using the session helper (the "AuthenticatedSessions" acl).
If the request passes the AuthenticatedHelper acl and is not in the Authenticated_users acl, then a session is created and Squid processes the request. If the request passes AuthenticatedHelper and passes Authenticated_users, then Squid processes the request.

Is there a more proper/simple way?

There is no proper way. HTTP is stateless messaging. Session is stateful transaction stream.

By all means use your helper to collect some data, but store it in a database accessible to Squid, not a Cookie.
The session helper in active mode maintains one such local database.


How to merge the 2 helpers in order to make it work ?

Have your login script create an entry in /var/lib/squid/session-web-form.db. You may need to update to a session helper which supports the 4.x+ Berkeley database format for multiple access.

NP: I'm also going to post a different session helper soon to squid-dev which can use other database types, and supply credentials for Squid logging.

Amos
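
The approach suggested in the reply, sketched as an added example that is not part of the original thread or of Squid: an external ACL helper that ignores the Cookie field and looks the client up in a server-side session store that the login page writes to. The SQLite store, the `login()` function, the database path and the assumption that Squid passes URL-escaped fields are illustrative choices, not taken from the posts.

```python
import sqlite3, sys, time
from urllib.parse import quote, unquote, urlsplit

LOGIN_HOST = "10.10.10.10"   # login portal address from the post
IDLE_TTL = 48000             # seconds; mirrors "-t 48000" in the post

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions"
               " (src TEXT PRIMARY KEY, user TEXT, seen REAL)")
    return db

def login(db, src, user, now=None):
    """What login.php would do once it has verified the credentials."""
    seen = time.time() if now is None else now
    db.execute("REPLACE INTO sessions VALUES (?, ?, ?)", (src, user, seen))
    db.commit()

def decide(db, line, now=None):
    """Answer one request line: 'channel-ID SRC URI Host Cookie'."""
    now = time.time() if now is None else now
    fields = line.split()
    channel = fields[0] if fields else "0"
    if len(fields) < 3:
        return f"{channel} ERR"          # malformed input: fail closed
    src, uri = unquote(fields[1]), unquote(fields[2])
    try:
        host = urlsplit(uri).hostname
    except ValueError:                   # unparsable URI: treat as not the portal
        host = None
    if host == LOGIN_HOST:               # portal must be reachable without a session
        return f"{channel} OK"
    # The Cookie field is deliberately ignored: browsers send the portal's
    # cookie only to the portal, never to other sites.
    row = db.execute("SELECT user, seen FROM sessions WHERE src = ?",
                     (src,)).fetchone()
    if row is None or now - row[1] >= IDLE_TTL:
        return f"{channel} ERR"
    db.execute("UPDATE sessions SET seen = ? WHERE src = ?", (now, src))
    db.commit()
    return f"{channel} OK user={quote(row[0])}"

if __name__ == "__main__":
    store = open_store("/tmp/portal-sessions.sqlite")  # hypothetical path
    for request in sys.stdin:
        sys.stdout.write(decide(store, request) + "\n")
        sys.stdout.flush()               # Squid waits for each reply line
```

Because the session is keyed on %SRC, all clients that reach the proxy from the same address (for example behind NAT) share one session.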

