Re: [squid-users] Re: external acl code examples

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 06 May 2012 10:55:41 +1200

On 6/05/2012 8:09 a.m., E.S. Rosenberg wrote:
> 2012/5/3 Eliezer Croitoru<eliezer_at_ngtech.co.il>:
>> On 02/05/2012 14:53, E.S. Rosenberg wrote:
>>> 2012/5/2 E.S. Rosenberg<esr_at_g.jct.ac.il>:
>>>> Hi,
>>>> I just thought I'd share the script I have for the squid side, maybe
>>>> someone finds it useful.
>>>> I wrote in PHP because I wanted to use prepared statements and am most
>>>> familiar with PDO.
>>>>
>>>> Now my logs have usernames but squid does not allow me to make
>>>> proxy_auth acls since I have no auth mechanism configured (this
>>>> particular squid instance is a museum piece - 2.6, soon to be
>>>> replaced), if this issue also exists in squid 3.1 then how would I
>>>> control users based on a username returned through an external ACL?
>>>>
>>>> Thanks,
>>>> Eli
>>> I stuck the script on my server, that makes an easier read than from
>>> inside a mail:
>>> http://kotk.nl/verifyIP.phps
>>>
>>> Hope that helps,
>>> Eli
>>>
>> I saw your external_acl app and it seems very nice.
>> I wrote another one in Ruby that seems almost like that (a mimic for
>> practice).
>> And I was wondering about how do you plan to implement the proxy_auth acls?
>> Using AD? Some other DB?
> I am not sure I follow, do you mean how I intend to manage my lists of
> usernames?
> In that case I am pushing for the use of LDAP properties, then a
> script will run every X time, determine whether or not the LDAP
> database was changed since the last update (based on change
> timestamps) and generate lists of usernames.
> Currently we don't have a good way of managing this, I have some
> scripts that work based on the location of a user in our organization
> but that is not always correct.
>> You mentioned something about the network infrastructure\CISCO if I remember
>> right.
> Yes, the link of IP->username is generated based on the radius logs of
> the server that provides authentication for the wireless.
>
> However as said squid tells me that since I have no auth-mechanism
> fully setup I can't use proxy_auth lists so I wonder how can I use the
> username I provided in the external acl in the rest of squid?

It is just a label to Squid. Authentication happened outside with no
internal state other than the external_acl_type format key to link it to
anything. It can be used in logging with %eo log tag, or passed to other
proxies as HTTP auth login with cache_peer login= option.

It does *not* magically insert proxy-auth headers into the request
received from the client, or pretend to be such.
proxy_auth ACL type tests the proxy-auth headers presented by the
client. We do not (yet) have an authentication ACL type that checks
those type of credentials.

Amos
Received on Sat May 05 2012 - 22:55:45 MDT
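
A minimal helper for the setup discussed in this thread, as an added example that is not E.S. Rosenberg's script or Squid project code: it maps the %SRC address to a username and returns it as the user= label. Making the allow/deny decision inside the helper is a design assumption of this example, and the addresses, usernames, ACL name and helper path are constructed.

```ruby
#!/usr/bin/env ruby
# Added example. Assumed squid.conf wiring (ACL name and path are hypothetical):
#   external_acl_type ip_user ttl=60 %SRC /usr/local/bin/ip_user.rb --serve
#   acl known_user external ip_user
#   http_access allow known_user
require 'ipaddr'

# Constructed sample data standing in for the RADIUS-derived IP->username
# map and the LDAP-generated username list described in the thread.
IP_TO_USER = {
  '192.0.2.10' => 'alice',
  '192.0.2.11' => 'bob',
  '192.0.2.12' => 'eve x=y'       # hostile value: would smuggle a second key
}.freeze
ALLOWED_USERS = %w[alice].freeze
SAFE_NAME = /\A[A-Za-z0-9._@-]+\z/

# Map one request line (the %SRC value) to one reply line.
def answer(line)
  src = line.to_s.split.first
  return 'ERR' if src.nil?
  begin
    key = IPAddr.new(src).to_s    # canonical form; raises on non-addresses
  rescue IPAddr::Error
    return 'ERR'
  end
  user = IP_TO_USER[key]
  return 'ERR' if user.nil?                     # no login seen for this IP
  return 'ERR' unless user.match?(SAFE_NAME)    # never echo unsafe names
  return 'ERR' unless ALLOWED_USERS.include?(user)
  "OK user=#{user}"                             # label Squid can log
end

# One request per line in, one reply per line out, flushed immediately
# because Squid blocks waiting for each answer.
def serve(input, output)
  input.each_line do |line|
    output.puts(answer(line))
    output.flush
  end
end

serve($stdin, $stdout) if ARGV.first == '--serve'
```

Refusing names outside SAFE_NAME keeps a value taken from the RADIUS logs from adding extra keywords to the reply line.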
