Re: [squid-users] external acl code examples

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 12 May 2012 14:46:17 +1200

On 12/05/2012 2:45 p.m., Amos Jeffries wrote:
> On 29/02/2012 12:35 p.m., Amos Jeffries wrote:
>> On 29.02.2012 02:50, E.S. Rosenberg wrote:
>>> 2012/2/28 Amos Jeffries:
>>>> On 28/02/2012 9:07 p.m., Erwann Pencreach wrote:
>>>>>
>>>>> Hi all,
>>>>>
>>>>> here is what I've done in squid.conf :
>>>>>
>>>>> external_acl_type loggeduser children=15 %DST %SRC
>>>>> /etc/squid3/squid.d/loggeduser_acl.sh
>>>>> acl isok external loggeduser
>>>>> http_access allow isok
>>>>>
>>>>
>>>> If you add an ID you can use concurrency to reduce process overheads.
>>>>
>>>>> and here is loggeduser_acl.sh script:
>>>>>
>>>>>
>>>>> while read dst srchost;
>>>>
>>>>
>>>> while read id dst srchost;
>>>>>
>>>>> do
>>>>> date=$(date +"%d/%m/%Y %H:%M:%S")
>>>>> authuser=$(command to get logged user on client host)
>>>>> if [ ! $(echo $authuser | wc -w) -eq 1 ]
>>>>> then
>>>>> echo "[KO] number of connected user differs from 1 $srchost $dst" >>
>>>>> /var/log/squid3/extacl.log
>>>>>
>>>>> echo "ERR"
>>>>
>>>> echo "${id} ERR"
>>>>
>>>>> else
>>>>> isok=$(the I check my access right)
>>>>> if [ $isok ]
>>>>> then
>>>>> echo "[OK]$date $authuser($accountstatus) $srchost $dst">>
>>>>> /var/log/squid3/headers.log
>>>>> echo "OK user=$authuser"
>>>>
>>>>
>>>> echo "${id} OK user=${authuser}"
>>>>>
>>>>> else
>>>>> echo "[KO]$date $authuser($accountstatus) $srchost $dst">>
>>>>> /var/log/squid3/headers.log
>>>>> echo "ERR user=$authuser"
>>>>
>>>> echo "${id} ERR user=${authuser}"
>>>>
>>>> # NOTE: do you actually have authuser at this point?
>>>>
>>>>> fi
>>>>> fi
>>>>> done
>>>>> exit 1
>>>>>
>>>>>
>>>>
>>>> The question that comes to my mind here is what backend you are
>>>> intending to use this with? What authentication database/system
>>>> needs you to write a whole new helper?
>>>>
>>>>
>>>> Amos
>>>
>>> I don't know about Erwann, but I am creating this to connect between
>>> squid and cisco wlc, basically a script will update a MySQL db with
>>> the user currently associated with an IP and then squid will get the
>>> username based on the IP...
>>> Since the user already authenticated against the WLC (which in turn
>>> uses radius/ldap) I don't want to present them with another password
>>> dialog so when the radius server logs a successful authentication for
>>> IP X by user Y the db gets updated with those details...
>>>
>>> Thanks for the example...
>>> Eli
>>
>>
>> Hmm. Thanks for the push. I have a new session helper which can
>> become FOSS I suppose. It works with many DB types and takes
>> arbitrary user Identifier tokens. Similar to the session helper, but
>> uses SQL database types shared with external management systems.
>>
>> Will get that to squid-dev shortly, and try to remember to cc' you on
>> the details.
>>
>> Amos
>
> Preliminary version of this can be found at
> http://treenet.co.nz/project/squid/patches/ext_sql_session_acl.pl

Nix that... see
http://treenet.co.nz/projects/squid/patches/ext_sql_session_acl.pl

>
> It still has issues with handling whitespace in the UUID format
> token(s) from Squid. If anyone can provide a perl split operator that
> pops off just the channel ID and leaves the rest as a single string in
> the $uid variable that would complete it.

Amos
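For reference, the concurrency-aware exchange Amos describes (Squid sends `<id> <dst> <src>` per line, the helper answers on the same channel) as an added Python example that is not part of this thread nor of the Perl helper linked above. The IP-to-user table is constructed, standing in for the MySQL session DB Eli describes, and `split_channel` does the "pop the channel ID, keep the rest as one string" step the last message asks about (the Perl equivalent is `my ($id, $uid) = split(' ', $line, 2);`).

```python
"""Concurrency-aware Squid external ACL helper (constructed example).
Squid sends "<channel-id> <dst> <src>" per line and expects the reply on
the same channel: "<channel-id> OK user=<name>" or "<channel-id> ERR".
"""
import sys

# Constructed sample data standing in for the MySQL table: client IP -> user.
SESSIONS = {
    "10.0.0.5": "alice",
    "10.0.0.9": "bob",
}


def split_channel(line):
    """Pop the leading channel ID, keeping the remainder as ONE string.
    str.split(None, 1) splits on the first run of whitespace only, so a
    token that itself contains spaces survives intact in the remainder.
    Returns (channel_id, rest); rest is "" when the line has only an ID.
    """
    parts = line.strip().split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) == 2 else "")


def handle_request(line):
    """Build the reply for one request line; malformed input yields ERR."""
    channel, rest = split_channel(line)
    fields = rest.split()
    if len(fields) != 2:          # %DST %SRC expected, nothing more
        return f"{channel} ERR"
    _dst, src = fields
    user = SESSIONS.get(src)
    if user is None:              # no session known for that client IP
        return f"{channel} ERR"
    return f"{channel} OK user={user}"


def serve(inp, out):
    """Answer Squid until stdin closes; flush so Squid is never left waiting."""
    for raw in inp:
        raw = raw.rstrip("\r\n")
        if raw:
            out.write(handle_request(raw) + "\n")
            out.flush()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```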
Received on Sat May 12 2012 - 02:46:23 MDT

This archive was generated by hypermail 2.2.0 : Sun May 13 2012 - 12:00:03 MDT