Re: Delay Pools with Digest and External Auth

On 12/05/2013 8:03 a.m., Nils Hügelmann wrote:
Hi,

I want to use both Digest Auth and External Auth ("simpleheaderauth")
for authentication, and need to assign different delay pools to single
users based on another external_acl (premiumcheck).

So I have (stripped down for readability)

-----------------
external_acl_type simpleheaderauth %>{Proxy-Authorization} simpleauth
external_acl_type premiumcheck %>{Proxy-Authorization} premium
auth_param digest program digestauth

acl proxyauth proxy_auth REQUIRED
acl simpleheaderauth_passed external simpleheaderauth
acl premiumcheck_passed external premiumcheck

# activate additional external acls
http_access allow premiumcheck_passed !all
http_access allow freethrottled_passed !all

http_access allow simpleheaderauth_passed
http_access allow proxyauth
http_access deny !proxyauth

http_access deny all
-----------------

Which works fine in regards to access control, one can either login via
"simpleheaderauth" (external_acl) or via "digestauth" (auth_param).

I want to have 2 bandwidth limit levels.

Situation from here is as follows:

When using simpleheaderauth:
  - EXT_USER is available (username passed from simpleheaderauth
external_acl)
  - Tag is available (tag passed from simpleheaderauth external_acl)
  - premiumcheck_passed is properly set

When using digestauth:
  - LOGIN is available (username passed from auth_param)
  - Tag is not available
  - premiumcheck_passed is not usable

Delay pools need to work per individual user, so only class 5 pools (
tagrate ) or class 4 pools ( aggregate, network, individual, user )
would be possible.

As simpleheaderauth has no user defined, and digestauth has no tag, my
first attempt for delay_pools was to create 2 sets of pools with 2
classes each:

-----------------
delay_class 1 5
delay_class 2 5
delay_class 3 4
delay_class 4 4

# 1st set for simpleheaderauth
delay_parameters 2 2097152/2097152
delay_access 2 allow simpleheaderauth_passed premiumcheck_passed

delay_parameters 1 76800/76800
delay_access 1 deny premiumcheck_passed
delay_access 1 allow simpleheaderauth_passed

# 2nd set for digestauth
delay_parameters 4 -1/-1 -1/-1 -1/-1 2097152/2097152
delay_access 4 allow premiumcheck_passed

delay_parameters 3 -1/-1 -1/-1 -1/-1 76800/76800
delay_access 3 deny premiumcheck_passed
delay_access 3 allow all
-----------------

1. Can one somehow simplify this by making Tag available for digest, or
making class 4 username available for external_acl?

I have work lined up on the TODO list for implementing tag on auth interfaces in the next Squid versions. If you are able to assist with sponsoring that I can divert some time back towards it.

However, ...

Alternative #1:
* make your simple and premium helper lookups produce tags indicating those levels.
* create a dummy external ACL helper lookup test which always responds "OK tag=digest-auth". Call it only after proxyauth ACL has succeeded doing digest.

eg:
  external_acl_type digestauth %LOGIN basic_fake_auth
  acl digest_tagger external digestauth

  http_access allow proxyauth digest_tagger

You can then use "tag" type ACLs for delay_access.


2. The problem with my attempt is that premiumcheck_passed is not
evaluated when using digestauth. Every digestauth user is assigned to
pool 3, while simpleheaderauth users are properly assigned based on
premiumcheck_passed. How can I solve this?

You have isolated the problem pretty accurately. Its root cause is the mismatch between delay_access being a "fast" ACL check and the tests you are using being "slow" group ACLs.

Amos
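
A sketch of the tagging helper from Alternative #1, added here as an example and not part of the original thread. It goes one step beyond the fixed "OK tag=digest-auth" reply by choosing the tag per login; the tag names "premium" and "free" and the PREMIUM_USERS set are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Squid external_acl helper that tags digest-authenticated requests by tier."""
import sys
from urllib.parse import unquote

# Constructed sample data: logins treated as premium (assumption, not from the thread).
PREMIUM_USERS = {"alice", "bob"}


def handle_line(line, premium_users=PREMIUM_USERS):
    """Return the helper reply for one request line from Squid.

    Input is "<login>" or, when the helper is configured with concurrency,
    "<channel-id> <login>"; the reply must then carry the same channel-id.
    Squid URL-escapes the %LOGIN value by default, so it is decoded first.
    """
    fields = line.strip().split()
    channel = ""
    if len(fields) == 2 and fields[0].isdigit():
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) != 1 or fields[0] == "-":
        # No authenticated user was passed in: do not match, do not tag.
        return channel + "ERR"
    login = unquote(fields[0])
    tag = "premium" if login in premium_users else "free"
    return f"{channel}OK tag={tag}"


def main():
    # Squid keeps the helper running and sends one request per line;
    # each reply is flushed immediately so Squid is not left waiting.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Used as the program for the `external_acl_type digestauth %LOGIN ...` line above, this gives digest users a tag that "tag" type ACLs in delay_access can match, which is a fast check.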