hey amos,

maybe my english is too bad or maybe i am just not getting it. i cannot use any kind of ip as authentication or authorization. first of all because of nat and second would be that the ip of a user changes regarding his location (mobile network). my understanding of ext_session_acl is or was that it uses an ip to create the session?! so if the ip changes the session is dropped (can happen every 5min or when i am lucky the ip does not change for a couple of hours).

> On 13.01.2016 at 17:53, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>> On 14/01/2016 5:35 a.m., Christian Kunkel wrote:
>> Hey guys,
>>
>> i need a way to authenticate or authorize users to my squid server so
>> i can create some kind of a session and drop users after x hours they
>> have been using my proxy. important thing would be to create only one
>> session per user. i do not have access to users network. they are
>> connecting from the internet and they also have nated ips. i thought
>> about the classic way with http headers but i run into problems with
>> some devices. so that's useless for me. to use the ip address is also
>> not possible because it would authorize a lot of ppl at once if they
>> are behind a nat. that's not what i want. i only can add a proxy
>> address and a port to the devices which are connecting. right now i am
>> using a unique port for every user. then redirect the port to a
>> splash screen with a login form. when login is successful it
>> triggers an iptables-script which redirects that port to squid. but
>> that means every one can actually use that port after someone
>> successfully logged in.
>
> Then your iptables script is redirecting wrong. It should only add rules
> to redirect a specific src-IP / dst-port pair.
>
>>
>> i am using squid 3.5.13 on debian 8.
>>
>> some hints would be awesome. thanks in advance guys :)
>
> Use the ext_session_acl helper or ext_session_sql_acl helper with "user"
> login as the session key / helper format.
>
> If you were using HTTP authentication the key would be %LOGIN. Since you
> are not it will be whatever you are using to identify the "user" within
> Squid.
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users