Thanks Amos
That should be very cool! Especially MySQL
On 14/04/2012 09:11, Amos Jeffries wrote:
On 14/04/2012 6:08 a.m., David Touzeau wrote:
Dear all
I would like to use 2 external helpers in order to use a web
authentication form
The deal is to use combination of ext_session_acl and my own
external helper
But I did not know how to create the ACLs
I have done 50%
---------------------------------------
external_acl_type checkauth concurrency=100 ttl=3 %SRC %URI %>{Host} %>{Cookie} /usr/bin/squid-helper.php
Note that Cookie: headers can get very large. Squid permits up to 64KB
before stripping them, which has been spotted happening.
external_acl_type AuthenticatedSessions ttl=60 concurrency=100 %SRC /usr/local/sbin/squid/ext_session_acl -t 48000 -b /var/lib/squid/session-web-form.db
acl AuthenticatedHelper external checkauth
acl Authenticated_users external AuthenticatedSessions
deny_info http://10.10.10.10/login.php checkauth
http_access deny !AuthenticatedHelper
In this model the squid-helper.php checks the cookie sent by the
http://10.10.10.10/login.php page.
If the cookie exists then squid-helper.php answers OK
If the request is http://10.10.10.10/login.php the squid-helper.php
answers OK in order to allow the authentication web page.
If the cookie does not exist then squid-helper.php answers ERR and the
login.php page is in charge of authenticating the user and creating the
new cookie
The problem with this is that when the user tries to connect to another
website, the cookie does not exist.
The squid-helper.php answers ERR and requests are returned back to the
login page.
To get this done to 100% I need to force squid to identify the user
after a squid-helper.php positive answer.
I am thinking about using the session helper ("AuthenticatedSessions"
acl)
If the request passes the AuthenticatedHelper acl and if the request is
not in the Authenticated_users acl then a session is created and
squid processes the request.
If the request passes AuthenticatedHelper and passes Authenticated_users
then squid processes the request.
Is there a more proper/simple way?
There is no proper way. HTTP is stateless messaging. Session is
stateful transaction stream.
By all means use your helper to collect some data, but store it in a
database accessible to Squid, not a Cookie.
The session helper in active mode maintains one such local database.
How to merge the 2 helpers in order to make it work ?
Have your login script create an entry in
/var/lib/squid/session-web-form.db. You may need to update to a
session helper which supports the 4.x+ Berkeley database format for
multiple access.
NP: I'm also going to post a different session helper soon to
squid-dev which can use other database types, and supply credentials
for Squid logging.
Amos
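
Added example, not part of the original thread and not Squid project code: a sketch of the approach suggested in the reply above, where the helper ignores the Cookie and looks the client up in a session store that the login script writes to. The SQLite table, the `register_login` function and the sample addresses are assumptions for illustration; the thread itself uses the session helper's Berkeley DB file.

```python
import sqlite3
import sys
import time
from urllib.parse import unquote

LOGIN_URL = "http://10.10.10.10/login.php"  # login page from the thread
SESSION_TTL = 48000                         # seconds, mirrors -t 48000 above

def open_store(path=":memory:"):
    """Session table keyed by client IP (assumed schema, stands in for the .db file)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions (src TEXT PRIMARY KEY, seen REAL)")
    return db

def register_login(db, src, now=None):
    """Hypothetical hook: what login.php would do after a successful login."""
    when = time.time() if now is None else now
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?)", (src, when))
    db.commit()

def answer(db, line, now=None):
    """Answer one request line: '<channel> %SRC %URI %>{Host} %>{Cookie}'."""
    now = time.time() if now is None else now
    fields = line.split()
    if len(fields) < 3:  # malformed line: fail closed
        return (fields[0] + " ERR") if fields else "ERR"
    # With concurrency=N the reply must echo the channel ID it answers.
    channel, src, uri = fields[0], unquote(fields[1]), unquote(fields[2])
    # The login page must always pass, or nobody can authenticate.
    if uri.split("?", 1)[0] == LOGIN_URL:
        return f"{channel} OK"
    # State lives in the store, not in the Cookie header, which is ignored.
    row = db.execute("SELECT seen FROM sessions WHERE src = ?", (src,)).fetchone()
    ok = row is not None and now - row[0] <= SESSION_TTL
    return f"{channel} {'OK' if ok else 'ERR'}"

def main():
    # Store path as first argument; in-memory default is only for trying it out.
    db = open_store(sys.argv[1] if len(sys.argv) > 1 else ":memory:")
    for line in sys.stdin:
        sys.stdout.write(answer(db, line) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer

if __name__ == "__main__":
    main()
```

Because the session is keyed on %SRC, as in the AuthenticatedSessions line above, every client behind the same NAT address shares one session.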