From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of Amos Jeffries <squid3@xxxxxxxxxxxxx>
Sent: Tuesday, December 12, 2017 1:03 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Groups and authorization SQUID

On 12/12/17 09:48, Edwin Quijada wrote:
>
> ------------------------------------------------------------------------
> *From:* Antony Stone
> On Saturday 09 December 2017 at 15:35:51, Edwin Quijada wrote:
>
>> > On Friday 08 December 2017 at 22:08:33, Edwin Quijada wrote:
>> >
>> > > I have 4 different groups in my company each group has access different
>> >
>> > Please explain what "access different" means.
>>
>> The first group has access to 2 pages, second 3 different pages and 3 and
>> 4 everything
>
> Okay, understood.
>

FYI: please be aware that HTTP has no concept of "page". That is a human UI concept. Squid and HTTP deal only with messages about URLs. A "page" as we know it can be many different transactions and URL messages. We can get into that more later when you have auth working, just be aware for now that there is no natural connection between auth credentials and "page".

OK, I understood. My problem then is when Squid shows the authorization screen I put the credentials but it doesn't work.
This is a simple helper but it doesn't work, it continues to ask me for user/pass
> This helper that I created
> <?php
>
> $f = fopen("php://stdin", "r");
> while (!(feof($f))) {
>     $line = fgets($f);
>     if ($line) {
>         $fields = explode(' ', trim($line));
>         $username = rawurldecode($fields[0]);
>         $password = rawurldecode($fields[1]);
>         //
>         if ($username=="edwin" && $password=="1234")
>             fwrite(STDOUT, "OK\n");
>         else
>             fwrite(STDOUT, "ERR\n");
>     }
> }
> ?>
> This helper is just for testing, but when I tested it doesn't work
>

What are your squid.conf settings using that helper?

#acl manager proto cache_object
http_port 3128
cache_dir ufs /var/spool/squid3 2048 16 256
maximum_object_size 100 MB
cache_swap_low 90
cache_swap_high 95
#--------------- Authorization rules -------------
auth_param basic program /usr/bin/php /root/squid_helper2.php
auth_param basic children 20
auth_param basic realm Proxy Quijada Usuario Y Clave
auth_param basic credentialsttl 5 hours
#----------------------------------------------------
#------------- Access ACLs for the users ------
#----------------------------------------------------
#
#
acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers
#-------------------- Port ACLs --------------------
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#---------------------- HTTP ACCESS DEFAULT-------------
#http_access allow manager localhost
#http_access deny manager
#http_access deny !Safe_ports
#http_access deny to_localhost
#icp_access deny all
#htcp_access deny all
#---------------------- USER HTTP_ACCESS ---------
#======================================================================
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

FYI: PHP has known problems that prevent it being a successful helper language most of the time
<https://wiki.squid-cache.org/Features/AddonHelpers#What_language_are_helper_meant_to_be_written_in.3F>

Squid bundles with *_fake_auth helpers you can base your code on when developing a custom helper. They handle the I/O with Squid properly for their matching Squid version and should be easily extended for doing actual auth checks.

>> > How does it identify one group from another?
>>
>> Uhm...the structure are different, really there are in different tables
>> in my DB that is in the server
>
> So, you're doing an HTTP request to a web server, which then looks up
> the user
> in a database, and returns a result as an HTTP response...
>
> Surely it would be easier (and quicker / more efficient) to get Squid to
> interrogate the database?
>
>> > > the problem is how can i do this ACL
>
> I wouldn't start from there, so I hope someone else here can suggest a
> way of
> getting this to work.
>
>
> What made you start with this approach in the first place?
>
> Now, I changed the approach, I just want one group for everything and
> other, localnet restricted, instead of use 4 groups just 2 one for admin,
> other for
>

The weird thing is this use of a web server as an intermediary between Squid and the actual user/group database. What made you use it in the first place instead of connecting Squid to the database?

It is just because the database is in another server and this DB doesn't have external access. In this server just has an API responding request so I wanna use this for authorization. I can't connect directly to DB

[ I am one of the people who can help you get it to work, but it is only worth the trouble doing at all if there is a good reason. Auth is a complex enough topic already just by itself. ]

Thanks for your help, I will continue trying to authorize with Squid

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
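
The line protocol the helper in this thread has to speak (one URL-encoded `username password` request per line on stdin, answered with `OK` or `ERR`), as an added Python example that is not code from the thread or from Squid. The `USERS` table, the salt and all function names are constructed for illustration; a site's own user store or API lookup would replace `check()`.

```python
#!/usr/bin/env python3
"""Basic-auth helper: reads "username password" lines, answers OK or ERR."""
import hashlib
import hmac
import sys
from urllib.parse import unquote

SALT = b"constructed-demo-salt"  # constructed value for this example only


def _digest(password: str) -> bytes:
    # Store and compare a slow salted hash, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed credential table (assumption); a real deployment would query
# its own user database or API inside check() instead.
USERS = {"edwin": _digest("1234")}


def check(username: str, password: str) -> bool:
    supplied = _digest(password)  # hash even for unknown users (similar timing)
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time compare


def answer(line: str) -> str:
    """Return the reply for one request line received from Squid."""
    fields = line.strip().split(" ")
    if len(fields) != 2 or not all(fields):
        return "ERR"  # malformed request: never index a missing field
    username, password = (unquote(f) for f in fields)
    return "OK" if check(username, password) else "ERR"


def main() -> None:
    for line in sys.stdin:  # one request per line until Squid closes stdin
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits on every reply, so never buffer it


if __name__ == "__main__":
    main()
```

Squid starts helpers under its own unprivileged account, so the script has to be readable and executable by that account. Running it from a terminal as that account and typing `edwin 1234` shows the reply Squid would receive.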