Hello Steve:
Thanks for your clear detail and advisement.
John
On 11.03.15 10:22, johnzeng wrote:
Does PHP or jQuery need to send the user's IP address to Squid? Otherwise I
am worried about whether Squid can confirm the user info,
and how to identify and control HTTP traffic?

I'd do this with an external ACL - when processing a request, Squid
would call the external ACL which would do:

1. If the user is not authenticated or their "last seen" timestamp has
   expired, return "ERR"
2. If the user is authenticated, update their "last seen" timestamp
   and return OK.

Obviously if the ACL returns ERR, Squid needs to redirect the user to
the authentication page. If the ACL returns OK, Squid needs to
service the request as normal.

The authentication page would update the database which the external
ACL refers to.

Identifying the user's traffic would need to be done by MAC address or
IP:

- MAC address requires a flat network with no routers between the
  device and Squid.
- IP has (probably) unfixable problems in a dual-stacked network.

Beware that:

1. Access to the authentication page must be allowed for
   unauthenticated users (obviously :)
2. Authentication should really be done over HTTPS with a trusted
   certificate.
3. Clients require access to some external servers to validate HTTPS
   certs before they have authenticated.
4. If you want to support WISPr then (2) and (3) are mandatory.
5. External ACL caching
You might be able to do it with internal ACLs, but... pain :)
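
The two-step external ACL check described in the quoted reply, as an added example that is not part of the original thread or of Squid itself. It assumes Squid passes the client IP as the first field of each request line (for example via %SRC), and that the login page writes to a SQLite table named `sessions`; the table layout, database path and 900-second timeout are hypothetical.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: OK for a live session, ERR otherwise."""
import sqlite3
import sys
import time

IDLE_TIMEOUT = 900  # seconds; assumed "last seen" expiry, not from the thread


def open_db(path):
    """Open the session store shared with the login page (assumed schema)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions ("
               "client TEXT PRIMARY KEY, last_seen REAL NOT NULL)")
    return db


def check(db, client, now=None):
    """Return 'OK' and refresh last_seen for a live session, else 'ERR'."""
    now = time.time() if now is None else now
    row = db.execute("SELECT last_seen FROM sessions WHERE client = ?",
                     (client,)).fetchone()
    if row is None or now - row[0] > IDLE_TIMEOUT:
        # Step 1: unknown client or expired timestamp. The row is left
        # untouched so only the login page can start a new session.
        return "ERR"
    # Step 2: authenticated, so record that the client was just seen.
    db.execute("UPDATE sessions SET last_seen = ? WHERE client = ?",
               (now, client))
    db.commit()
    return "OK"


def main(path="/var/lib/squid/sessions.db"):  # hypothetical path
    db = open_db(path)
    for line in sys.stdin:            # one lookup per line from Squid
        fields = line.split()
        # An empty or malformed line is denied rather than allowed.
        answer = check(db, fields[0]) if fields else "ERR"
        sys.stdout.write(answer + "\n")
        sys.stdout.flush()            # Squid waits for each answer


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

Squid caches external ACL answers (point 5 in the quoted list), so the helper only refreshes "last seen" when a cached answer expires; keep the cache lifetime well below the idle timeout.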