On 2013-08-13 07:55, Oliveiros Peixoto (Netinho) wrote:
Hi Michael!
I need that user auth with popup browser.
Please note a few things:
* IP address is neither a user name nor a password. Basic authentication
does not contain the concept of domain which an IP address could be
twisted into fitting.
* on the modern Internet a single user may have multiple IP addresses.
Thanks to "privacy addressing" they *do* use a multitude of IP across
any time period even if they are using the same browser. Forcing a
browser popup and re-authentication every couple of minutes (once per
15-30 minutes by default in Windows Vista or later) is *not* providing
your users with a pleasant experience.
* the auth_param helpers input format is strictly limited for security
reasons. It is not arbitrary or aged code limits. The access controls
security limiting users by IP address count, connection count, user
groups (surprise!), and user reporting are completely broken if each
username+IP+password combination is treated as a unique user login by
the helper.
In response to your complaint about the popup. The external ACL using
%LOGIN *does* trigger an authentication challenge with the browser if it
returns "ERR" to Squid and the ACL using it is placed on a "http_access
deny ..." line.
This is annoying to some since Squid blindly assumes it was the %LOGIN
credentials which were the problem, but since you are saying that is
what you want there should be no problem. Use it as you would an ACL of
type proxy_auth.
Have your auth_param helper return OK if the user+password details are a
valid pairing - this is the validation / 'authentication' part - (the
basic_db_auth helper provided with Squid should be fine).
Then the external ACL helper return OK and do the actual DB login update
only if the username+password+IP triplet is acceptable - this is the
authorization / permission part.
Amos
On 13/08/2013 11:24, Michael Graham wrote:
On Tue, 2013-08-13 at 11:12 -0300, Oliveiros Peixoto (Netinho) wrote:
I need to get the IP address of the user in my own basic auth script. Is
there some method to pass it so that I can get the IP?
My basic auth script gets the username and password and checks them in a
MySQL table; if OK, it will write the username and IP address of the user
in another table. How can I make this work?
You probably want to have a read of
http://wiki.squid-cache.org/Features/AddonHelpers
and
http://www.squid-cache.org/Doc/config/external_acl_type/
You basically want to add the following to the squid.conf:
    external_acl_type <name> %LOGIN %SRC <your script>
Your script will then receive the source ip and username on standard
in.
You can then reply ERR or OK on standard out.
Cheers,
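
Added example, not part of the thread and not code shipped with Squid: a sketch of the external ACL helper both replies describe, for an "external_acl_type <name> %LOGIN %SRC <your script>" line, answering OK only when the username+IP pair is acceptable and recording it. Assumptions: no helper concurrency (no channel ID on request lines), Squid URL-escapes the fields, sqlite3 in memory stands in for the poster's MySQL tables, and the table names and per-user network policy are hypothetical.

```python
import ipaddress
import sqlite3
import sys
import time
from urllib.parse import unquote


def open_db():
    # sqlite3 in memory stands in for the poster's MySQL tables (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE allowed_net (username TEXT, cidr TEXT)")
    db.execute("CREATE TABLE login (username TEXT, ip TEXT, last_seen INTEGER,"
               " PRIMARY KEY (username, ip))")
    # Constructed sample policy rows (hypothetical users and networks).
    db.executemany("INSERT INTO allowed_net VALUES (?, ?)",
                   [("alice", "192.0.2.0/24"), ("alice", "2001:db8::/32"),
                    ("bob", "198.51.100.7/32")])
    return db


def decide(db, line):
    """Return 'OK' or 'ERR' for one 'username ip' request line; fail closed."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"
    user = unquote(fields[0])          # assumes Squid URL-escapes the fields
    try:
        ip = ipaddress.ip_address(unquote(fields[1]))
    except ValueError:
        return "ERR"
    rows = db.execute("SELECT cidr FROM allowed_net WHERE username = ?",
                      (user,)).fetchall()
    if not any(ip in ipaddress.ip_network(cidr) for (cidr,) in rows):
        return "ERR"                   # valid login, but not from this address
    # Authorized: record the username+IP pair (the "DB login update").
    db.execute("INSERT OR REPLACE INTO login VALUES (?, ?, ?)",
               (user, str(ip), int(time.time())))
    db.commit()
    return "OK"


def main():
    db = open_db()
    for line in sys.stdin:             # one request per line, one reply per line
        sys.stdout.write(decide(db, line) + "\n")
        sys.stdout.flush()             # Squid waits for each reply


if __name__ == "__main__":
    main()
```

The password check stays in the auth_param helper; this helper never sees the password, and malformed or unknown input gets ERR.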