On 12/05/2013 8:03 a.m., Nils Hügelmann wrote:
Hi,
I want to use both Digest Auth and External Auth ("simpleheaderauth")
for authentication, and need to assign different delay pools to single
users based on another external_acl (premiumcheck).
So I have (stripped down for readability)
-----------------
external_acl_type simpleheaderauth %>{Proxy-Authorization} simpleauth
external_acl_type premiumcheck %>{Proxy-Authorization} premium
auth_param digest program digestauth
acl proxyauth proxy_auth REQUIRED
acl simpleheaderauth_passed external simpleheaderauth
acl premiumcheck_passed external premiumcheck
# activate additional external acls
http_access allow premiumcheck_passed !all
http_access allow freethrottled_passed !all
http_access allow simpleheaderauth_passed
http_access allow proxyauth
http_access deny !proxyauth
http_access deny all
-----------------
Which works fine in regards to access control, one can either login via
"simpleheaderauth" (external_acl) or via "digestauth" (auth_param).
I want to have 2 bandwidth limit levels.
Situation from here is as follows:
When using simpleheaderauth:
- EXT_USER is available (username passed from simpleheaderauth
external_acl)
- Tag is available (tag passed from simpleheaderauth external_acl)
- premiumcheck_passed is properly set
When using digestauth:
- LOGIN is available (username passed from auth_param)
- Tag is not available
- premiumcheck_passed is not usable
Delay pools need to work per individual user, so only class 5 pools (
tagrate ) or class 4 pools ( aggregate, network, individual, user )
would be possible.
As simpleheaderauth has no user defined, and digestauth has no tag, my
first attempt for delay_pools was to create 2 sets of pools with 2
classes each:
-----------------
delay_class 1 5
delay_class 2 5
delay_class 3 4
delay_class 4 4
# 1st set for simpleheaderauth
delay_parameters 2 2097152/2097152
delay_access 2 allow simpleheaderauth_passed premiumcheck_passed
delay_parameters 1 76800/76800
delay_access 1 deny premiumcheck_passed
delay_access 1 allow simpleheaderauth_passed
# 2nd set for digestauth
delay_parameters 4 -1/-1 -1/-1 -1/-1 2097152/2097152
delay_access 4 allow premiumcheck_passed
delay_parameters 3 -1/-1 -1/-1 -1/-1 76800/76800
delay_access 3 deny premiumcheck_passed
delay_access 3 allow all
-----------------
1. Can one somehow simplify this by making Tag available for digest, or
making class 4 username available for external_acl?
I have work lined up on the TODO list for implementing tag on auth
interfaces in the next Squid versions.
If you are able to assist with sponsoring that I can divert some time
back towards it.
However, ...
Alternative #1:
* make your simple and premium helper lookups produce tags indicating
those levels.
* create a dummy external ACL helper lookup test which always responds
"OK tag=digest-auth". Call it only after proxyauth ACL has succeeded
doing digest.
eg:
external_acl_type digestauth %LOGIN basic_fake_auth
acl digest_tagger external digestauth
http_access allow proxyauth digest_tagger
You can then use "tag" type ACLs for delay_access.
2. The problem with my attempt is that premiumcheck_passed is not
evaluated when using digestauth. Every digestauth user is assigned to
pool 3, while simpleheaderauth users are properly assigned based on
premiumcheck_passed. How can I solve this?
You have isolated the problem pretty accurately. Its root cause is the
mismatch between delay_access being a "fast" ACL check and the tests you
are using being "slow" group ACLs.
Amos
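
Added example, not part of the original thread and not code from the Squid project: a sketch of an external ACL helper in the spirit of Alternative #1, here a variant that returns the user's level as the tag once digest login has succeeded. The helper path, the ACL names, the user list and the "premium"/"free" tag values are assumptions; it also assumes the helper runs without concurrency (no channel ID on each line) and that Squid URL-escapes the values it sends.

```python
#!/usr/bin/env python3
"""External ACL helper that tags a logged-in user with a service level.

Assumed squid.conf wiring (hypothetical names and path):
  external_acl_type leveltag %LOGIN /usr/local/bin/leveltag.py
  acl level_tagger external leveltag
  acl is_premium tag premium
  http_access allow proxyauth level_tagger
  delay_access 2 allow is_premium
"""
import sys
from urllib.parse import unquote

# Constructed sample data; a real helper would query the account database.
PREMIUM_USERS = {"alice", "carol"}


def answer(line, premium=PREMIUM_USERS):
    """Map one request line (the %LOGIN value) to one reply line."""
    fields = line.strip().split()
    # Squid sends "-" when the format code has no value for this request.
    if len(fields) != 1 or fields[0] == "-":
        return "ERR"
    user = unquote(fields[0])  # assumption: values arrive URL-escaped
    # Reject empty or non-printable names rather than guessing a level.
    if not user or any(c.isspace() or not c.isprintable() for c in user):
        return "ERR"
    level = "premium" if user in premium else "free"
    return f"OK tag={level}"


def main():
    # One request per line on stdin, one reply per line on stdout.
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer


if __name__ == "__main__":
    main()
```

Because the external lookup runs during http_access, the tag is already attached to the request when delay_access later evaluates the "tag" ACL.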