I've got this box with over 2,000 public IP addresses, and I allow my users to connect to their proxy via username/password OR if they are coming from an IP our system has stored for that user. If the user comes from a known IP we don't ask for username/password (we call it IP authentication); otherwise we prompt him with a user/pass popup.

While it works pretty well, it tends to generate a lot of ACLs for big boxes like this one, and Squid goes to 100% permanently just from the config (yes, I even had it split into workers to share them across physical CPUs).

My problem now: I would like to use an external script of my own (call it a pre-authenticator) which takes a request and looks at the incoming IP. If that incoming IP (src) matches and it's allowed to browse through the requested IP (myip), let the user in; otherwise, pass it to the user/pass authenticator, whatever that may be.

I know about external_acl_type, but this one assumes the user is logged in, and it won't work since the user is prompted for a password before being passed to my external ACL program (post-auth).
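An added example, not part of the original post: a helper for Squid's `external_acl_type` that makes the decision described above from the client IP (src) and the proxy IP the request arrived on (myip). It assumes the helper is declared with the format `%SRC %MYADDR` and without `%LOGIN`, so that it is consulted before any `proxy_auth` ACL; the helper name, file path, ACL names and allow-list entries are hypothetical.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: allow a request by (client IP, proxy IP) pair.

Assumed squid.conf wiring (helper name, path and ACL names are hypothetical):
  external_acl_type ip_auth_helper ttl=60 %SRC %MYADDR /usr/local/bin/ip_auth.py
  acl known_ip external ip_auth_helper
  acl password_ok proxy_auth REQUIRED
  http_access allow known_ip
  http_access allow password_ok
  http_access deny all
"""
import ipaddress
import sys

# Constructed sample data: client source IP -> (user, proxy IPs it may use).
# A real deployment would load this from the user database.
ALLOWED = {
    "198.51.100.7": ("alice", {"203.0.113.10", "203.0.113.11"}),
    "2001:db8::5": ("bob", {"203.0.113.20"}),
}

def canon(text):
    """Return the canonical form of an IP string, or None if it is not an IP."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None

def decide(line, allowed=ALLOWED):
    """Answer one helper request line of the form '[channel-id] SRC MYADDR'."""
    parts = line.split()
    prefix = ""
    if len(parts) == 3 and parts[0].isdigit():   # concurrency channel ID
        prefix, parts = parts[0] + " ", parts[1:]
    if len(parts) != 2:
        return prefix + "ERR"                    # malformed input: fail closed
    src, myip = canon(parts[0]), canon(parts[1])
    user, proxies = allowed.get(src, (None, set()))
    if src and myip and myip in proxies:
        return prefix + "OK user=" + user        # known pair: no password prompt
    return prefix + "ERR"                        # next rule (proxy_auth) decides

if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(decide(request) + "\n")
        sys.stdout.flush()                       # Squid waits on each reply line
```

Both addresses are canonicalised before the lookup, so alternate spellings of the same IPv6 address cannot miss or bypass the table, and anything unparseable is answered with `ERR`.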