[squid-users] External ACL Auth & Session DB for 100+ clients behind NAT

From: Nishant Sharma <codemarauder_at_gmail.com>
Date: Mon, 21 May 2012 18:28:45 +0530

Hi,

Greetings to all from a new user to the list.

A little background on my implementation scenario:

* There are around 60 site offices
* Each site has around 5-6 users
* Head Office has 100+ users
* Currently we are back-hauling all the traffic to HO and using squid
for access control

The obvious drawback is that site offices are not able to utilise
their full bandwidth (DSL 512kbps - 1Mbps) as HO is the bottleneck
with 4Mbps of 1:1 line. The alternative solution that we are working
on is to:

1. Configure squid on a hosted server
2. Ask all the users to configure the hosted proxy
3. Squid will be configured for Authentication
4. Authentication has to be done against IMAPS server

Now, the problem is that we cannot use BASIC auth over the public Internet,
and if we use DIGEST auth, we cannot authenticate against IMAP. I had
a look at the external_acl_type authentication mechanism discussed on the
list and have configured something like:

external_acl_type hosted_auth ttl=0 %SRC /etc/squid/auth.pl
acl loggedin external hosted_auth
deny_info https://hostedserver/auth.html loggedin
http_access deny !loggedin
http_access allow all

This auth.pl will check against a session DB (probably MySQL) whether the user
is already authenticated or not. The HTML file displays a login
form over HTTPS and sends the request to a CGI script which authenticates
against IMAPS and populates the DB with session information. I
understand that I cannot use cookies for authentication, as the browser
will not include a cookie set by our authentication page in requests to
other domains.

I went through Amos' ext_sql_session_acl.pl, which I am planning to use
in place of auth.pl. But here's another catch: since there is more
than one user behind the NAT, what parameters like %SRC could be used
to identify a user uniquely in the session database, which would be
persistently present in every request to Squid?

I see a mention of the UUID tokens in the script as well, but was not
able to understand how to use them.

Any pointers would be of great help.

Thanks & regards,
Nishant
Received on Mon May 21 2012 - 12:58:54 MDT
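A session-checking helper of the kind the external_acl_type line above calls for, added here as an example: it is neither the poster's auth.pl nor Amos' ext_sql_session_acl.pl, and it is written in Python rather than Perl. It assumes an in-memory SQLite table as a stand-in for the MySQL session DB, and the table layout, function names, lifetime and the sample addresses are constructed for the example. It implements the line-per-request stdin/stdout protocol Squid uses for external ACL helpers (with or without a leading channel id when concurrency is enabled), answers OK user=... or ERR, and expires sessions. Because the only lookup key is what Squid passes (%SRC in the configuration above), the INSERT OR REPLACE in add_session also makes the post's NAT problem visible: a second user logging in from the same public address overwrites the first user's row.

```python
#!/usr/bin/env python3
"""Session-checking external_acl_type helper (added example, not the poster's auth.pl).

Squid writes one request per line to stdin, containing the format tokens from
external_acl_type (here just %SRC) and, when concurrency=N is set, a leading
channel id. The helper answers one line per request: "OK" plus optional
key=value pairs, or "ERR". ttl=0 in squid.conf means every request reaches us.
"""
import sqlite3
import sys
import time

SESSION_LIFETIME = 600  # seconds; an assumption, the login CGI would set this in practice


def new_session_db():
    """In-memory SQLite table standing in for the MySQL session DB (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        " session_key TEXT PRIMARY KEY,"  # whatever Squid passes: %SRC in the post's config
        " username TEXT NOT NULL,"
        " expires_at INTEGER NOT NULL)"
    )
    return db


def add_session(db, session_key, username, lifetime=SESSION_LIFETIME, now=None):
    """What the HTTPS login CGI would do after a successful IMAPS login.

    INSERT OR REPLACE: a second login with the same key overwrites the first,
    which is exactly what happens when the key is a shared NAT address.
    """
    now = int(time.time()) if now is None else now
    db.execute(
        "INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
        (session_key, username, now + lifetime),
    )
    db.commit()


def check_session(db, session_key, now=None):
    """Return (True, username) for a live session, (False, None) otherwise.

    Expired rows are deleted on the way out so the table does not grow forever.
    """
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT username, expires_at FROM sessions WHERE session_key = ?",
        (session_key,),
    ).fetchone()
    if row is None:
        return False, None
    username, expires_at = row
    if expires_at <= now:
        db.execute("DELETE FROM sessions WHERE session_key = ?", (session_key,))
        db.commit()
        return False, None
    return True, username


def helper_reply(db, line, now=None):
    """Map one request line from Squid to the one-line reply it expects."""
    fields = line.split()  # %SRC is an address, so no quoting/escaping to undo here
    if not fields:
        return "ERR"
    channel = ""
    if len(fields) > 1 and fields[0].isdigit():  # concurrency=N: channel id comes first
        channel = fields[0] + " "
        fields = fields[1:]
    ok, username = check_session(db, fields[0], now)
    # user= makes Squid record the name for the request (access.log, later ACLs)
    return f"{channel}OK user={username}" if ok else f"{channel}ERR"


if __name__ == "__main__":
    db = new_session_db()  # a real deployment connects to the shared MySQL DB here
    for line in sys.stdin:
        print(helper_reply(db, line), flush=True)  # Squid waits for each reply; never buffer
```

Run stand-alone, the helper answers ERR for every line because its in-memory table is empty; wired in place of auth.pl it would read the table the login CGI writes. With %SRC as the sole key, two users from one site office map to the same row, so whichever logged in last is the name Squid sees for both, which is the reason the post asks for a per-client token rather than the source address.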

This archive was generated by hypermail 2.2.0 : Tue May 22 2012 - 12:00:04 MDT