2012/5/6 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
> On 6/05/2012 10:55 a.m., Amos Jeffries wrote:
>>
>> On 6/05/2012 8:09 a.m., E.S. Rosenberg wrote:
>>>
>>> 2012/5/3 Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:
>>>>
>>>> On 02/05/2012 14:53, E.S. Rosenberg wrote:
>>>>>
>>>>> 2012/5/2 E.S. Rosenberg <esr@xxxxxxxxxxx>:
>>>>>>
>>>>>> Hi,
>>>>>> I just thought I'd share the script I have for the squid side, maybe
>>>>>> someone finds it useful.
>>>>>> I wrote in PHP because I wanted to use prepared statements and am most
>>>>>> familiar with PDO.
>>>>>>
>>>>>> Now my logs have usernames but squid does not allow me to make
>>>>>> proxy_auth acls since I have no auth mechanism configured (this
>>>>>> particular squid instance is a museum piece - 2.6, soon to be
>>>>>> replaced), if this issue also exists in squid 3.1 then how would I
>>>>>> control users based on a username returned through an external ACL?
>>>>>>
>>>>>> Thanks,
>>>>>> Eli
>>>>>
>>>>> I stuck the script on my server, that makes an easier read than from
>>>>> inside a mail:
>>>>> http://kotk.nl/verifyIP.phps
>>>>>
>>>>> Hope that helps,
>>>>> Eli
>>>>>
>>>> I saw your external_acl app and it seems very nice.
>>>> I wrote another one in Ruby that seems almost like that (a mimic for
>>>> practice).
>>>> And I was wondering about how do you plan to implement the proxy_auth
>>>> acls?
>>>> Using AD? Some other DB?
>>>
>>> I am not sure I follow, do you mean how I intend to manage my lists of
>>> usernames?
>>> In that case I am pushing for the use of LDAP properties, then a
>>> script will run every X time, determine whether or not the LDAP
>>> database was changed since the last update (based on change
>>> timestamps) and generate lists of usernames.
>>> Currently we don't have a good way of managing this, I have some
>>> scripts that work based on the location of a user in our organization
>>> but that is not always correct.
>>>>
>>>> You mentioned something about the network infrastructure\CISCO if I
>>>> remember right.
>>>
>>> Yes, the link of IP->username is generated based on the radius logs of
>>> the server that provides authentication for the wireless.
>>>
>>> However as said squid tells me that since I have no auth-mechanism
>>> fully setup I can't use proxy_auth lists so I wonder how can I use the
>>> username I provided in the external acl in the rest of squid?
>>
>>
>> It is just a label to Squid. Authentication happened outside with no
>> internal state other than the external_acl_type format key to link it to
>> anything. It can be used in logging with %eo log tag, or passed to other
>> proxies as HTTP auth login with cache_peer login= option.
>
>
> Oops sorry %ue tag, not %eo.
>
> Amos

Ah, so if I understand this correctly I can't do anything with the
usernames on the proxy that runs the external acl but by handing off the
usernames to a parent I can start implementing policies based on the
usernames?

Thanks,
Eli
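
The kind of external ACL helper discussed in this thread, written in Python as an added example (it is not the PHP script linked above and not any participant's code). The table name, its columns, `MAX_AGE` and the username pattern are assumptions; the helper expects Squid to pass the client IP (`%SRC`) as the first field and answers `OK user=<name>` or `ERR`, rejecting stale IP-to-user mappings and names that could smuggle extra reply keywords.

```python
import ipaddress
import re
import sqlite3
import sys
import time

MAX_AGE = 8 * 3600  # assumed policy: ignore mappings older than 8 hours
SAFE_USER = re.compile(r"[A-Za-z0-9._@-]{1,64}")  # no spaces/quotes in a reply

def open_demo_db(now):
    """Constructed sample data standing in for the RADIUS-derived table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ip_user (ip TEXT PRIMARY KEY, username TEXT, seen INTEGER)")
    db.executemany("INSERT INTO ip_user VALUES (?, ?, ?)", [
        ("192.0.2.10", "alice", now - 60),
        ("192.0.2.11", "bob", now - 10 * 3600),      # stale: IP may be reassigned
        ("192.0.2.12", "eve user=admin", now - 60),  # malformed name in the source
    ])
    return db

def answer(db, line, now):
    """Return the helper reply for one request line whose first field is %SRC."""
    fields = line.split()
    if not fields:
        return "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))  # reject anything but an IP
    except ValueError:
        return "ERR"
    # Parameterized query: the request line never becomes part of the SQL text.
    row = db.execute(
        "SELECT username, seen FROM ip_user WHERE ip = ?", (ip,)
    ).fetchone()
    if row is None or now - row[1] > MAX_AGE:
        return "ERR"
    if not SAFE_USER.fullmatch(row[0]):
        return "ERR"  # would otherwise inject extra key=value pairs into the reply
    return "OK user=" + row[0]

def main():
    db = open_demo_db(int(time.time()))
    for line in sys.stdin:
        sys.stdout.write(answer(db, line, int(time.time())) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer output

if __name__ == "__main__":
    main()
```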