Re: Auth basic

Hi Jeffries!

I created my own script auth_basic. This script checks the username and password; if correct, it inserts the username and date in the table sessions and returns OK login = username for squid. I also created one helper with ttl = 60. This helper takes the username and password and checks the sessions table to see if the field ip is empty. If not empty, it updates the field. The problem is that after 60 seconds a request is sent to the helper with %LOGIN empty; as the helper does not identify the username, it returns ERR to squid, which then opens the popup window again.

Can you help?
Thanks!

On 14/08/2013 20:21, Amos Jeffries wrote:
On 2013-08-13 07:55, Oliveiros Peixoto (Netinho) wrote:
Hi Michael!

I need the user to authenticate with the browser popup.


Please note a few things:
* IP address is neither a user name nor a password. Basic authentication does not contain the concept of domain which an IP address could be twisted into fitting.

* on the modern Internet a single user may have multiple IP addresses. Thanks to "privacy addressing" they *do* use a multitude of IP across any time period even if they are using the same browser. Forcing a browser popup and re-authentication every couple of minutes (once per 15-30 minutes by default in Windows Vista or later) is *not* providing your users with a pleasant experience.

* the auth_param helpers input format is strictly limited for security reasons. It is not arbitrary or aged code limits. The access controls security limiting users by IP address count, connection count, user groups (surprise!), and user reporting are completely broken if each username+IP+password combination is treated as a unique user login by the helper.


In response to your complaint about the popup. The external ACL using %LOGIN *do* trigger an authentication challenge with the browser if it returns "ERR" to Squid and the ACL using it is placed on a "http_access deny ..." line. This is annoying to some since Squid blindly assumes it was the %LOGIN credentials which were the problem, but since you are saying that is what you want there should be no problem. Use it as you would an ACL of type proxy_auth.

Have your auth_param helper return OK if the user+password details are a valid pairing - this is the validation / 'authentication' part - (the basic_db_auth helper provided with Squid should be fine). Then the external ACL helper return OK and do the actual DB login update only if the username+password+IP triplet is acceptable - this is the authorization / permission part.

Amos

On 13/08/2013 11:24, Michael Graham wrote:
On Tue, 2013-08-13 at 11:12 -0300, Oliveiros Peixoto (Netinho) wrote:
I need to get the IP address of the user in my own auth basic script. Is there
some method to pass it so that I can get the IP?
My auth basic script gets the username and password and checks them in a MySQL
table; if OK, it will write the username and IP address of the user in another
table. How can I make this work?
You probably want to have a read of

http://wiki.squid-cache.org/Features/AddonHelpers

and

http://www.squid-cache.org/Doc/config/external_acl_type/

You basically want to add the following to the squid.conf

external_acl_type <name> %LOGIN %SRC <your script>

Your script will then receive the source ip and username on standard in.
You can then reply ERR or OK on standard out.

Cheers,
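The split described in this thread (the auth_param helper validates the password, the external ACL helper authorizes the username and source IP) can be sketched as follows. This is an added example, not code from any of the posters or from Squid; the in-memory `SESSIONS` dict standing in for the sessions table, the bind-on-first-request policy, and the treatment of `-` as a missing login are assumptions.

```python
#!/usr/bin/env python3
"""External ACL helper for: external_acl_type <name> %LOGIN %SRC <this script>

Squid writes one request per line ("<login> <src-ip>") on stdin and expects
one reply per line ("OK" or "ERR") on stdout.
"""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed stand-in for the "sessions" table: username -> bound source IP.
SESSIONS = {}


def decide(line, sessions):
    """Return "OK" or "ERR" for one request line."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"                     # malformed or missing field: fail closed
    login, src = unquote(fields[0]), unquote(fields[1])
    if login in ("", "-"):
        return "ERR"                     # assumption: "-" means no username was supplied
    try:
        src = str(ipaddress.ip_address(src))  # accept only a real IPv4/IPv6 address
    except ValueError:
        return "ERR"
    bound = sessions.get(login)
    if bound is None:
        sessions[login] = src            # first request for this user: bind the IP
        return "OK"
    return "OK" if bound == src else "ERR"  # assumed policy: one IP per session


def main():
    for line in sys.stdin:
        # Flush after every reply; Squid blocks on the pipe waiting for it.
        sys.stdout.write(decide(line, SESSIONS) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because an ERR from this helper on an "http_access deny" line causes a new authentication challenge, as noted above, a strict one-IP policy will prompt users again whenever their address changes.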




