Hi Jeffries!
I created my own script auth_basic. This script checks the username and
password; if correct, it inserts the username and date in the table
sessions and returns OK login = username for squid.
I also created one helper with ttl = 60. This helper takes the username
and password and checks the sessions table if the field ip is empty. If
not empty, it updates the field.
The problem is that when 60 seconds have passed, a request is sent to the
helper with %LOGIN empty; as the helper does not identify the username,
it returns ERR to squid, which then opens the popup window again.
Can you help?
Thanks!
On 14/08/2013 20:21, Amos Jeffries wrote:
On 2013-08-13 07:55, Oliveiros Peixoto (Netinho) wrote:
Hi Michael!
I need the user to authenticate with the browser popup.
Please note a few things:
* IP address is neither a user name nor a password. Basic
authentication does not contain the concept of domain which an IP
address could be twisted into fitting.
* on the modern Internet a single user may have multiple IP addresses.
Thanks to "privacy addressing" they *do* use a multitude of IP across
any time period even if they are using the same browser. Forcing a
browser popup and re-authentication every couple of minutes (once per
15-30 minutes by default in Windows Vista or later) is *not* providing
your users with a pleasant experience.
* the auth_param helpers input format is strictly limited for security
reasons. It is not arbitrary or aged code limits. The access controls
security limiting users by IP address count, connection count, user
groups (surprise!), and user reporting are completely broken if each
username+IP+password combination is treated as a unique user login by
the helper.
In response to your complaint about the popup. The external ACL using
%LOGIN *does* trigger an authentication challenge with the browser if it
returns "ERR" to Squid and the ACL using it is placed on a
"http_access deny ..." line.
This is annoying to some since Squid blindly assumes it was the %LOGIN
credentials which were the problem, but since you are saying that is
what you want there should be no problem. Use it as you would an ACL
of type proxy_auth.
Have your auth_param helper return OK if the user+password details are
a valid pairing - this is the validation / 'authentication' part -
(the basic_db_auth helper provided with Squid should be fine).
Then have the external ACL helper return OK and do the actual DB login
update only if the username+password+IP triplet is acceptable - this
is the authorization / permission part.
Amos
On 13/08/2013 11:24, Michael Graham wrote:
On Tue, 2013-08-13 at 11:12 -0300, Oliveiros Peixoto (Netinho) wrote:
I need to get the IP address of the user in my own auth basic script. Is
there some method to pass it so that I can get the IP?
My auth basic script gets the username and password and checks the MySQL
table; if OK, it will write the username and IP address of the user to
another table. How can I work with this?
You probably want to have a read of
http://wiki.squid-cache.org/Features/AddonHelpers
and
http://www.squid-cache.org/Doc/config/external_acl_type/
You basically want to add the following to the squid.conf
external_acl_type <name> %LOGIN %SRC <your script>
Your script will then receive the source ip and username on standard
in.
You can then reply ERR or OK on standard out.
Cheers,
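
The split discussed in this thread (auth_param validates the password, an external_acl_type helper fed "%LOGIN %SRC" does the authorization and the session update) can be sketched as below. This is an added example, not code from any poster or from Squid; it assumes concurrency=0 (no channel-ID prefix), a sessions(username, ip) table modelled here with SQLite, and a one-IP-per-login policy.

```python
#!/usr/bin/env python3
"""external_acl_type helper sketch: reads "%LOGIN %SRC" lines, answers OK/ERR.
Assumptions (not from the thread): concurrency=0 (no channel-ID prefix), a
sessions(username, ip) table, and a policy of one bound IP per login."""
import sqlite3
import sys
from urllib.parse import unquote


def open_sessions(path=":memory:"):
    # Constructed stand-in for the poster's MySQL "sessions" table.
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions"
               " (username TEXT PRIMARY KEY, ip TEXT)")
    return db


def decide(line, db):
    """Return 'OK' or 'ERR' for one helper input line."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"                      # malformed or missing field: fail closed
    user, src = (unquote(f) for f in fields)  # Squid URL-encodes the values
    if user in ("", "-"):
        return "ERR"                      # no username supplied on this request
    row = db.execute("SELECT ip FROM sessions WHERE username = ?",
                     (user,)).fetchone()
    if row is None:
        return "ERR"                      # no session row recorded for this login
    if not row[0]:
        # First request after login: bind the source IP (parameterized query).
        db.execute("UPDATE sessions SET ip = ? WHERE username = ?", (src, user))
        db.commit()
        return "OK"
    return "OK" if row[0] == src else "ERR"


def main():
    db = open_sessions()
    for line in sys.stdin:                # Squid sends one request per line
        sys.stdout.write(decide(line, db) + "\n")
        sys.stdout.flush()                # Squid waits for each reply


if __name__ == "__main__":
    main()
```

Because an ERR from this helper on an "http_access deny" line triggers a fresh authentication challenge, as described in the thread, logging the raw input line for every ERR makes an empty %LOGIN distinguishable from an IP mismatch.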