Re: [squid-users] external acl code examples

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 12 May 2012 14:45:28 +1200

On 29/02/2012 12:35 p.m., Amos Jeffries wrote:
> On 29.02.2012 02:50, E.S. Rosenberg wrote:
>> 2012/2/28 Amos Jeffries:
>>> On 28/02/2012 9:07 p.m., Erwann Pencreach wrote:
>>>>
>>>> Hi all,
>>>>
>>>> here is what I've done in squid.conf :
>>>>
>>>> external_acl_type loggeduser children=15 %DST %SRC
>>>> /etc/squid3/squid.d/loggeduser_acl.sh
>>>> acl isok external loggeduser
>>>> http_access allow isok
>>>>
>>>
>>> If you add an ID you can use concurrency to reduce process overheads.
>>>
>>>> and here is the loggeduser_acl.sh script:
>>>>
>>>>
>>>> while read dst srchost;
>>>
>>>
>>> while read id dst srchost;
>>>>
>>>> do
>>>> date=$(date +"%d/%m/%Y %H:%M:%S")
>>>> authuser=$(command to get logged user on client host)
>>>> if [ ! $(echo $authuser | wc -w) -eq 1 ]
>>>> then
>>>> echo "[KO] number of connected user differs from 1 $srchost $dst" >>
>>>> /var/log/squid3/extacl.log
>>>>
>>>> echo "ERR"
>>>
>>> echo "${id} ERR"
>>>
>>>> else
>>>> isok=$(the I check my access right)
>>>> if [ -n "$isok" ]
>>>> then
>>>> echo "[OK]$date $authuser($accountstatus) $srchost $dst">>
>>>> /var/log/squid3/headers.log
>>>> echo "OK user=$authuser"
>>>
>>>
>>> echo "${id} OK user=${authuser}"
>>>>
>>>> else
>>>> echo "[KO]$date $authuser($accountstatus) $srchost $dst">>
>>>> /var/log/squid3/headers.log
>>>> echo "ERR user=$authuser"
>>>
>>> echo "${id} ERR user=${authuser}"
>>>
>>> # NOTE: do you actually have authuser at this point?
>>>
>>>> fi
>>>> fi
>>>> done
>>>> exit 1
>>>>
>>>>
>>>
>>> The question that comes to my mind here is what backend you are
>>> intending to
>>> use this with? what authentication database/system needs you to write a
>>> whole new helper?
>>>
>>>
>>> Amos
>>
>> I don't know about Erwann, but I am creating this to connect between
>> squid and cisco wlc, basically a script will update a MySQL db with
>> the user currently associated with an IP and then squid will get the
>> username based on the IP...
>> Since the user already authenticated against the WLC (which in turn
>> uses radius/ldap) I don't want to present them with another password
>> dialog so when the radius server logs a successful authentication for
>> IP X by user Y the db gets updated with those details...
>>
>> Thanks for the example...
>> Eli
>
>
> Hmm. Thanks for the push. I have a new session helper which can become
> FOSS I suppose. It works with many DB types and takes arbitrary user
> Identifier tokens. Similar to the session helper, but uses SQL
> database types shared with external management systems.
>
> Will get that to squid-dev shortly, and try to remember to cc' you on
> the details.
>
> Amos

Preliminary version of this can be found at
http://treenet.co.nz/project/squid/patches/ext_sql_session_acl.pl

It still has issues with handling whitespace in the UUID format
token(s) from Squid. If anyone can provide a perl split operator that
pops off just the channel ID and leaves the rest as a single string in
the $uid variable that would complete it.

Amos
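The channel-ID handling Amos describes, together with the one-user-per-IP check from Erwann's script, as an added Python example that is not part of the thread, of Erwann's script or of Amos's helper. The SESSIONS table, the names and the `message=` reason strings are constructed stand-ins for the RADIUS-fed database Eli describes.

```python
#!/usr/bin/env python3
"""Concurrency-aware Squid external ACL helper (added example, not the thread's code)."""
import sys

# Constructed stand-in for the IP -> user table a RADIUS/WLC sync job would keep.
SESSIONS = {
    "198.51.100.7": ["alice"],
    "198.51.100.8": ["bob", "carol"],  # two users on one IP: ambiguous, deny
    "198.51.100.9": [],
}


def split_channel(line):
    """Pop the leading channel ID; keep the rest as ONE string, whitespace intact."""
    parts = line.rstrip("\r\n").split(maxsplit=1)
    if not parts:
        return None, ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def decide(rest, sessions=SESSIONS):
    """Tokens are '%DST %SRC'; allow only when exactly one user is logged on at SRC."""
    fields = rest.split()
    if len(fields) != 2:
        return "ERR message=malformed"
    _dst, src = fields
    users = sessions.get(src, [])
    if len(users) != 1:
        return "ERR message=user-count-%d" % len(users)
    return "OK user=%s" % users[0]


def handle_line(line, sessions=SESSIONS):
    """With concurrency on, Squid sends '<channel-id> <tokens...>' and the reply
    must start with that same channel ID; returns None for an empty line."""
    channel, rest = split_channel(line)
    if channel is None:
        return None
    return "%s %s" % (channel, decide(rest, sessions))


if __name__ == "__main__":
    for request in sys.stdin:
        reply = handle_line(request)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()  # Squid blocks on each reply; never leave it buffered
```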
Received on Sat May 12 2012 - 02:45:37 MDT