On 7/12/23 15:34, Andrey K wrote:
> Hello,
> I was interested if I can configure some custom external helper that
> will be called before any authentication helpers and can perform user
> identification/authentication based on the client src-IP address.

Well, yes and no.

The order of authentication and authorization helpers is determined by
what order you configure http_access tests.

So "yes" in that you can call it before authentication, and have it tell
you what "user" it *thinks* is using that IP.

However, ...

> It can look up in the external system information about the user logged
> in to the IP address and return the username and some annotation
> information on success.

Users do not "log into IP address" and ...

> If the user has been identified, no subsequent authentications are required.
> Identified users can be authorized later using standard squid mechanisms
> (for example, ldap user groups membership).
> This feature can be especially useful in "transparent" proxy
> configurations where 407-"Proxy Authentication Required" response code
> is not applicable.

... with interception the user agent is not aware of the proxy
existence. So it *will not* provide the credentials necessary for
authentication. Not to the proxy, nor a helper.

So "no".

This is not a way to authenticate. It is a way to **authorize**. The
difference is very important.

For more info look up "captive portal" on how this type of configuration
is done and used.

Cheers
Amos
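
An added example, not part of the original message and not Squid's own code: a minimal external ACL helper in Python that answers the `%SRC` lookup discussed above, returning a user label only while a session for that IP is still live. The session table, helper path and ACL names are constructed assumptions; a real deployment would query the captive portal's session store.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: map a client source IP to a session label.

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type ip_session ttl=30 negative_ttl=5 %SRC /usr/local/bin/ip_session.py
  acl has_session external ip_session
  http_access allow has_session
"""
import ipaddress
import sys
import time

# Constructed sample data: IP -> (username, session expiry as epoch seconds).
# Assumption: a real helper would read this from the portal's session store.
SESSIONS = {
    "192.0.2.10": ("alice", 2_000_000_000),
    "192.0.2.11": ("bob", 1_000),  # session expired long ago
}


def answer(line, sessions=SESSIONS, now=None):
    """Return the helper reply for one request line carrying %SRC."""
    now = time.time() if now is None else now
    fields = line.split()
    if len(fields) != 1:
        return "BH message=unexpected-input"
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "BH message=bad-address"
    entry = sessions.get(ip)
    if entry is None or entry[1] <= now:
        # No live session for this IP: the ACL does not match.
        return "ERR"
    # The name is only a label for whoever last registered this IP;
    # it is an authorization hint, not proof of who sent the request.
    return f"OK user={entry[0]}"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

Short `ttl` values on the `external_acl_type` line limit how long Squid keeps trusting a cached answer after the IP has changed hands.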