On 01 Sep 2001 12:31:35 +0200, Michael Meiszl wrote:
> Hi,
> I'm running squid with a (self-written) authenticator program.
> This worked fine over the last year, but now management likes to restrict the users even more.
> They want to limit the validity of the account to the workstation's IP address (or a range
> of addresses).
> So the authenticator program needs to know from which IP address the request originated.
> Squid obviously knows from where it was called, but the external authenticator is only
> fed with the username/password pair of data.
>
> Is there a legal way for an external program to get the knowledge, or do I have to hack auth.c to change the request (which I do not like to do, until forced to)?
There are two approaches to this. The first thing to note is that you are
really talking about access control, not whether the username and
password combination are valid... That's all that the authentication
helpers are _expected_ to validate. To make a successful hack you would
need to make more extensive changes than just adding the ip address to
the information passed to the authenticator. However, all is not lost:
1) The src acl type can be combined with the proxy_auth type to provide
mixed parameter tests. i.e.
acl works1 src 192.168.0.1-192.168.0.4 192.168.0.6
acl john proxy_auth john
http_access allow works1 john
allows the usercode john only from 192.168.0.1, .2, .3, .4 and .5
If the ip ranges are changing frequently, you may want to use a script
to generate a couple of acl files to hold the information.
2) You can use Henrik's external acl branch to perform these tests.
Squid will call out with a custom pattern, i.e. "username ip", and look for
OK or ERR. This is production ready, unfortunately.
Rob
Received on Sat Sep 01 2001 - 04:52:18 MDT
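Both approaches from Rob's reply, worked through in one script. This is an added example, not code from the list post or from the Squid project. Assumptions not on the page: the POLICY table is constructed sample data; the helper protocol is one request line per lookup answered by OK or ERR; the squid.conf directive names in the comments (external_acl_type with %LOGIN and %SRC, acl ... external) are the syntax the external ACL feature shipped with in Squid 2.5, so check them against your own version; and the acl/helper names (ws_*, user_*, user_ip) are invented for illustration.

```python
#!/usr/bin/env python3
"""Per-user source-address policy for Squid, two ways.

Added example, not from the Squid list post or the Squid project.
Assumptions (not on the page): POLICY is constructed sample data; the
helper protocol is "one request per line, reply OK or ERR"; the config
directive names (external_acl_type, %LOGIN, %SRC, acl ... external) are
the Squid 2.5 syntax for the external acl feature -- verify against your
version. All acl and helper names here are hypothetical.
"""
import ipaddress
import sys

# Constructed sample policy: username -> list of address specs.
# A spec is a CIDR block, a single host, or a "first-last" range, all of
# which Squid's src acl type also accepts verbatim.
POLICY = {
    "john": ["192.168.0.1-192.168.0.4", "192.168.0.6"],
    "mary": ["10.1.2.0/24"],
}


def _parse_spec(spec):
    """Return (first, last) ipaddress objects for a CIDR, host or range spec."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        first = ipaddress.ip_address(lo.strip())
        last = ipaddress.ip_address(hi.strip())
        if last < first:
            raise ValueError("inverted range: %s" % spec)
        return first, last
    net = ipaddress.ip_network(spec, strict=False)
    return net[0], net[-1]


def ip_allowed_for(user, ip, policy=POLICY):
    """True if ip falls inside one of the user's permitted specs."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for spec in policy.get(user, ()):
        first, last = _parse_spec(spec)
        # Comparing v4 with v6 raises TypeError, so match families first.
        if first.version == addr.version and first <= addr <= last:
            return True
    return False


def decide(line, policy=POLICY):
    """Approach 2: turn one helper request line ("user ip") into OK/ERR.

    Anything malformed (missing field, unknown user, bad address) fails
    closed with ERR rather than crashing the helper.
    """
    fields = line.split()
    if len(fields) < 2:
        return "ERR"
    user, ip = fields[0], fields[1]
    return "OK" if ip_allowed_for(user, ip, policy) else "ERR"


def render_acls(policy=POLICY):
    """Approach 1: emit squid.conf lines pairing a src acl with a proxy_auth acl.

    Regenerate and reload whenever the policy table changes. Older Squid
    releases need 'acl all src 0.0.0.0/0.0.0.0' defined for the final deny.
    """
    lines = []
    for user in sorted(policy):
        lines.append("acl ws_%s src %s" % (user, " ".join(policy[user])))
        lines.append("acl user_%s proxy_auth %s" % (user, user))
        lines.append("http_access allow ws_%s user_%s" % (user, user))
    lines.append("http_access deny all")
    return lines


def main():
    if len(sys.argv) > 1 and sys.argv[1] == "--gen":
        print("\n".join(render_acls()))
        return
    # Helper mode. Assumed squid.conf wiring (Squid 2.5 syntax, hypothetical names):
    #   external_acl_type user_ip %LOGIN %SRC /usr/local/bin/user_ip_helper.py
    #   acl allowed_here external user_ip
    #   http_access allow allowed_here
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer it


if __name__ == "__main__":
    main()
```

Run it with --gen to print the acl lines for approach 1, or without arguments as the helper process for approach 2 (one "username ip" line in, OK or ERR out). The helper fails closed on anything it cannot parse, which is the behaviour you want from a process that stands between a user and the proxy.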
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:01 MST