Re: [squid-users] Auth basic

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 14 Aug 2013 16:21:56 -0700

On 2013-08-13 07:55, Oliveiros Peixoto (Netinho) wrote:
> Hi Michael!
>
> I need the user to authenticate with a browser popup.
>

Please note a few things:
* IP address is neither a user name nor a password. Basic authentication
does not contain the concept of domain which an IP address could be
twisted into fitting.

* on the modern Internet a single user may have multiple IP addresses.
Thanks to "privacy addressing" they *do* use a multitude of IPs across
any time period even if they are using the same browser. Forcing a
browser popup and re-authentication every couple of minutes (once per
15-30 minutes by default in Windows Vista or later) is *not* providing
your users with a pleasant experience.

* the auth_param helpers' input format is strictly limited for security
reasons. These are not arbitrary or aged code limits. The access control
security limiting users by IP address count, connection count, user
groups (surprise!), and user reporting are completely broken if each
username+IP+password combination is treated as a unique user login by
the helper.

In response to your complaint about the popup: an external ACL using
%LOGIN *does* trigger an authentication challenge with the browser if it
returns "ERR" to Squid and the ACL using it is placed on a "http_access
deny ..." line.
This is annoying to some since Squid blindly assumes it was the %LOGIN
credentials which were the problem, but since you are saying that is
what you want there should be no problem. Use it as you would an ACL of
type proxy_auth.

Have your auth_param helper return OK if the user+password details are a
valid pairing - this is the validation / 'authentication' part - (the
basic_db_auth helper provided with Squid should be fine).
Then have the external ACL helper return OK and do the actual DB login
update only if the username+password+IP triplet is acceptable - this is
the authorization / permission part.

Amos

> On 13/08/2013 11:24, Michael Graham wrote:
>> On Tue, 2013-08-13 at 11:12 -0300, Oliveiros Peixoto (Netinho) wrote:
>>> I need to get the IP address of the user in my own auth basic script.
>>> Is there some method to pass it so that I can get the IP?
>>> My auth basic script gets the username and password and checks them
>>> in a MySQL table; if OK, it writes the username and IP address of the
>>> user into another table. How can I work with this?
>> You probably want to have a read of
>>
>> http://wiki.squid-cache.org/Features/AddonHelpers
>>
>> and
>>
>> http://www.squid-cache.org/Doc/config/external_acl_type/
>>
>> You basically want to add the following to the squid.conf
>>
>> external_acl_type <name> %LOGIN %SRC <your script>
>>
>> Your script will then receive the source ip and username on standard
>> in.
>> You can then reply ERR or OK on standard out.
>>
>> Cheers,
Received on Wed Aug 14 2013 - 23:21:59 MDT
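As an added illustration of the split Amos describes (not code from the thread or from the Squid project): a minimal external ACL helper for the `external_acl_type <name> %LOGIN %SRC` line Michael suggested. It reads one `<login> <src-ip>` line per request on stdin, answers `OK` or `ERR` on stdout, and records the login only when the username+IP pairing is accepted. The `ALLOWED` table and `LOGINS` list are constructed stand-ins for the MySQL lookup and the second table; the optional leading channel-ID applies only if the helper is started with Squid's `concurrency=` option, and the URL-unescaping of values is an assumption about Squid's quoting.

```python
#!/usr/bin/env python3
import sys
from urllib.parse import unquote

# Constructed authorization data (stands in for the MySQL lookup):
# username -> the source IPs that user may log in from.
ALLOWED = {
    "alice": {"192.0.2.10", "192.0.2.11"},
    "bob": {"192.0.2.20"},
}
# Stands in for the "other table" of (username, ip) logins; written only on OK.
LOGINS = []

def parse_request(line):
    """Split one '%LOGIN %SRC' request line into (channel, login, src).
    Squid prefixes a channel-ID only when the helper runs with concurrency=;
    values are unquoted in case Squid escaped them (assumption: URL escaping)."""
    fields = line.split()
    channel = None
    if len(fields) == 3 and fields[0].isdigit():
        channel, fields = fields[0], fields[1:]
    if len(fields) != 2:
        return None
    return channel, unquote(fields[0]), unquote(fields[1])

def authorize(login, src, allowed=ALLOWED):
    """Authorization step: is this username+IP pairing acceptable?"""
    return src in allowed.get(login, set())

def handle_line(line, allowed=ALLOWED, logins=LOGINS):
    """Return the reply Squid expects for one request line: OK or ERR."""
    parsed = parse_request(line)
    if parsed is None:                 # malformed input: fail closed
        return "ERR"
    channel, login, src = parsed
    if authorize(login, src, allowed):
        logins.append((login, src))    # the DB "login update", only on success
        verdict = "OK"
    else:
        verdict = "ERR"
    return verdict if channel is None else f"{channel} {verdict}"

if __name__ == "__main__":
    for request in sys.stdin:          # one request per line, one reply per line
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()             # Squid blocks waiting; don't buffer replies
```

Because the helper only ever sees the login name and source address, the password check itself stays in the auth_param basic helper, as Amos describes.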

This archive was generated by hypermail 2.2.0 : Sat Aug 17 2013 - 12:00:10 MDT