On 6/05/2012 8:09 a.m., E.S. Rosenberg wrote:
2012/5/3 Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:
On 02/05/2012 14:53, E.S. Rosenberg wrote:
2012/5/2 E.S. Rosenberg <esr@xxxxxxxxxxx>:
Hi,
I just thought I'd share the script I have for the squid side, maybe
someone finds it useful.
I wrote in PHP because I wanted to use prepared statements and am most
familiar with PDO.
Now my logs have usernames but squid does not allow me to make
proxy_auth acls since I have no auth mechanism configured (this
particular squid instance is a museum piece - 2.6, soon to be
replaced), if this issue also exists in squid 3.1 then how would I
control users based on a username returned through an external ACL?
Thanks,
Eli
I stuck the script on my server, that makes an easier read than from
inside a mail:
http://kotk.nl/verifyIP.phps
Hope that helps,
Eli
I saw your external_acl app and it seems very nice.
I wrote another one in Ruby that seems almost like that (a mimic for
practice).
And I was wondering how you plan to implement the proxy_auth acls?
Using AD? Some other DB?
I am not sure I follow, do you mean how I intend to manage my lists of
usernames?
In that case I am pushing for the use of LDAP properties, then a
script will run every X time, determine whether or not the LDAP
database was changed since the last update (based on change
timestamps) and generate lists of usernames.
Currently we don't have a good way of managing this, I have some
scripts that work based on the location of a user in our organization
but that is not always correct.
You mentioned something about the network infrastructure\CISCO, if I remember
right.
Yes, the link of IP->username is generated based on the radius logs of
the server that provides authentication for the wireless.
However as said squid tells me that since I have no auth-mechanism
fully setup I can't use proxy_auth lists so I wonder how can I use the
username I provided in the external acl in the rest of squid?
It is just a label to Squid. Authentication happened outside with no
internal state other than the external_acl_type format key to link it to
anything. It can be used in logging with %eo log tag, or passed to other
proxies as HTTP auth login with cache_peer login= option.
It does *not* magically insert proxy-auth headers into the request
received from the client, or pretend to be such.
proxy_auth ACL type tests the proxy-auth headers presented by the
client. We do not (yet) have an authentication ACL type that checks
those type of credentials.
Amos
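
An added example (not the PHP script linked in the thread and not code from any participant): a minimal Squid external ACL helper in Python that maps the client IP (%SRC) to a username through a bound SQL parameter and replies `OK user=<name>` or `ERR`. The SQLite table, the sample rows, the helper path and the ACL name are assumptions made for the illustration.

```python
#!/usr/bin/env python3
# Added example. Table/column names, helper path and ACL name are assumptions.
# squid.conf wiring:
#   external_acl_type ip_user ttl=60 %SRC /usr/local/bin/ip_user.py
#   acl known_ip external ip_user
import re
import sqlite3
import sys

# Usernames come from RADIUS logs, i.e. from whatever the client typed at
# login. Only a conservative character set may reach Squid's reply line,
# otherwise a name containing spaces could smuggle extra key=value pairs.
SAFE_USER = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def make_db():
    """Constructed sample data standing in for the RADIUS-derived table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (ip TEXT PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)", [
        ("192.0.2.10", "alice"),
        ("192.0.2.11", "bob log=forged"),   # constructed hostile login name
    ])
    return db

def answer(db, line):
    """Turn one helper request line (the %SRC value) into a reply line."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"
    # Bound parameter: the IP is never concatenated into the SQL text.
    row = db.execute("SELECT username FROM sessions WHERE ip = ?",
                     (fields[0],)).fetchone()
    if row is None or not SAFE_USER.fullmatch(row[0]):
        return "ERR"
    return "OK user=" + row[0]

def main():
    db = make_db()
    for line in sys.stdin:          # Squid keeps the helper process running
        sys.stdout.write(answer(db, line) + "\n")
        sys.stdout.flush()          # one unbuffered reply per request

if __name__ == "__main__":
    main()
```
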