Re: [squid-users] %login in ACL without autentication configured

2011-11-24 Thread Amos Jeffries

On 25/11/2011 2:14 a.m., Luis Enrique Sanchez Arce wrote:

Hi Amos and thanks for your response,

I have a database of users that can be both IP users (192.168.1.0/24) and 
standard ones (juan manuel, owners, etc).
Besides, I have for those users a set of rules that regulate their navigation.

The following configuration for redir_program works ok for me.

---
auth_param basic program myauthdb
auth_param basic children 10
auth_param basic realm Test
auth_param basic credentialsttl 2 hours
acl pass proxy_auth REQUIRED

external_acl_type notauth children=10 ttl=0 %SRC notauth
acl bypass_auth external notauth

redirect_program redirector.pl
redirect_rewrites_host_header on
redirect_children 70

acl Restrictivo src 10.0.0.0/8

http_access allow bypass_auth
http_access allow Restrictivo pass
-

The program notauth takes the parameter %SRC internally and verifies whether the user IP 
exists in the system. If it does, it
returns OK and authentication is skipped. In that case the redirect_program receives the 
authenticated user "-" and internally
takes the IP as the user.

What I want to do is the same but with an external acl. The following 
configuration doesn't work for me.

-
auth_param basic program myauthdb
auth_param basic children 10
auth_param basic realm Test
auth_param basic credentialsttl 2 hours
acl pass proxy_auth REQUIRED

external_acl_type notauth children=10 ttl=0 %SRC notauth
acl bypass_auth external notauth

external_acl_type redirprogram children=30 concurrency=10 ttl=300 %URI %SRC 
%LOGIN %METHOD redirector.pl


Hmm, for starters you definitely need to change what the redirector.pl 
script does in order to work in this other interface of Squid. The input 
and output are very different.



acl redir external redirprogram

http_access allow bypass_auth redir


The problem is %LOGIN used by "redirprogram" requires auth credentials 
to be known. Squid will perform auth in order to get them.


In order to get login credentials without requiring that they exist, 
send %>{Proxy-Authorization} to the helper instead (requires Squid-3.1 
or later). It will need to process and decode the header content itself. 
(There are some proposals for a tag to get an optional username, but 
only incomplete feature patches have been submitted so far.)



http_access allow pass redir
http_access allow redir


I think you are wanting three different ACLs instead of "redir"...
 * On the "bypass_auth" line the %EXT_USER is needed to pass the user= 
value to the helper.
 * On the "pass" line the %LOGIN is needed to send the authenticated 
username to the helper.


I'm a little confused why you would want to "allow redir" by itself. It 
has no use other than to override the previous decisions not to allow.




# And finally deny all other access to this proxy
http_access deny all
deny_info ERR_FILTER_DENIED redir all


deny_info takes the name of a *single* ACL to bind to. Only when that 
ACL is the last ACL name on an access deny line will the deny_info 
object be sent.


In this setup that means:
  deny_info ERR_FILTER_DENIED all


-

I added the acl notauth returning OK user=IP; the idea is that the acl redir 
assumes %LOGIN is the IP. It doesn't work for me.


%LOGIN is the authenticated credentials. user= is just a value passed 
back for you to play with. It has no authentication meaning to Squid. It 
is about authorization instead.


Also, when using the redirector in external_acl_type, setting the 
username field to an IP in order to send it in the second helper format 
is a complex way to do something meaningless.
The simpler way to do it would be to just configure the second helper 
format as:
  external_acl_type redirprogram children=30 concurrency=10 ttl=300 
%URI %SRC %SRC %METHOD redirector.pl


Although, if you pay attention to that line you will see that the IP is 
already sent to the script. So why go to such complex bother?





The operation is required to be done with an external acl in order to write to the log with 
the %ea label.
The redirect_program does not support sending something to the log.

I hope you understand what I want to do, and whether there is a way to do it.


A completely alternative setup you should consider:

 * combine the notauth script and redirector.pl script actions into one 
which performs everything needed on that allow line. Including sending 
the info back for logging.


* create a new script based on just the redirector.pl script to do the 
actions after authentication. This is the one on the line after "pass" 
ACL and can depend on %LOGIN.


Amos


Re: [squid-users] %login in ACL without autentication configured

2011-11-24 Thread Luis Enrique Sanchez Arce

Hi Amos and thanks for your response,

I have a database of users that can be both IP users (192.168.1.0/24) and 
standard ones (juan manuel, owners, etc).
Besides, I have for those users a set of rules that regulate their navigation.

The following configuration for redir_program works ok for me.

---
auth_param basic program myauthdb
auth_param basic children 10
auth_param basic realm Test
auth_param basic credentialsttl 2 hours
acl pass proxy_auth REQUIRED

external_acl_type notauth children=10 ttl=0 %SRC notauth
acl bypass_auth external notauth

redirect_program redirector.pl
redirect_rewrites_host_header on
redirect_children 70

acl Restrictivo src 10.0.0.0/8

http_access allow bypass_auth
http_access allow Restrictivo pass
-

The program notauth takes the parameter %SRC internally and verifies whether the user IP 
exists in the system. If it does, it
returns OK and authentication is skipped. In that case the redirect_program 
receives the authenticated user "-" and internally
takes the IP as the user.

What I want to do is the same but with an external acl. The following 
configuration doesn't work for me.

-
auth_param basic program myauthdb
auth_param basic children 10
auth_param basic realm Test
auth_param basic credentialsttl 2 hours
acl pass proxy_auth REQUIRED

external_acl_type notauth children=10 ttl=0 %SRC notauth
acl bypass_auth external notauth

external_acl_type redirprogram children=30 concurrency=10 ttl=300 %URI %SRC 
%LOGIN %METHOD redirector.pl
acl redir external redirprogram

http_access allow bypass_auth redir
http_access allow pass redir
http_access allow redir

# And finally deny all other access to this proxy
http_access deny all
deny_info ERR_FILTER_DENIED redir all
-

I added the acl notauth returning OK user=IP; the idea is that the acl redir 
assumes %LOGIN is the IP. It doesn't work for me.

The operation is required to be done with an external acl in order to write to the log with 
the %ea label.
The redirect_program does not support sending something to the log.

I hope you understand what I want to do, and whether there is a way to do it.

Sorry for the inconvenience and for my English.


- Original Message -
From: "Amos Jeffries" 
To: squid-users@squid-cache.org
Sent: Tuesday, November 22, 2011 2:56:39 PM
Subject: Re: [squid-users] %login in ACL without autentication configured

On 23/11/2011 3:04 a.m., Luis Enrique Sanchez Arce wrote:
> I try to configure an external acl without authentication configured
>
> external_acl_type redirprogram children=30 concurrency=10 ttl=300 %URI %SRC 
> %LOGIN %METHOD redir
>
> If I use the acl redir_program and authentication is not configured, the 
> user logged is "-"
>
> How can I do that with an external acl? I need to use an external acl to modify the 
> log entry with the %ea variable.
>
> Best regard,
>Luis
>

%LOGIN is for passing the authentication helper credentials to the
external ACL helper. Doing a full login if needed.

For an external ACL to produce credentials it needs to do whatever it needs to
locate them in the background and pass the username back to Squid like so:

 OK user=username
or
 ERR user=username

Amos



Fin a la injusticia, LIBERTAD AHORA A NUESTROS CINCO COMPATRIOTAS QUE SE 
ENCUENTRAN INJUSTAMENTE EN PRISIONES DE LOS EEUU!
http://www.antiterroristas.cu
http://justiciaparaloscinco.wordpress.com




Re: [squid-users] %login in ACL without autentication configured

2011-11-22 Thread Amos Jeffries

On 23/11/2011 3:04 a.m., Luis Enrique Sanchez Arce wrote:

I try to configure an external acl without authentication configured

external_acl_type redirprogram children=30 concurrency=10 ttl=300 %URI %SRC 
%LOGIN %METHOD redir

If I use the acl redir_program and authentication is not configured, the user logged is 
"-"

How can I do that with an external acl? I need to use an external acl to modify the 
log entry with the %ea variable.

Best regard,
   Luis



%LOGIN is for passing the authentication helper credentials to the 
external ACL helper. Doing a full login if needed.


For an external ACL to produce credentials it needs to do whatever it needs to 
locate them in the background and pass the username back to Squid like so:


OK user=username
or
ERR user=username

Amos
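The following is an added example, not code from the thread or from the Squid project. It puts together the two things Amos describes: the 2011-11-24 reply's suggestion to send %>{Proxy-Authorization} to a single combined helper that decodes the header itself and falls back to an IP lookup, and the 2011-11-22 reply's response format (OK user=... / ERR user=...). The helper also returns log= so the value shows up as %ea, which is what Luis wanted. The squid.conf lines in the docstring, the field order, the user database, the blocked-URL rules and the helper path are all constructed for the example; the header token is the one Amos names, and URL-escaped input fields (Squid 3.x default) and double-quoted response values are assumptions about the helper protocol that should be checked against the Squid version in use.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that identifies a client without forcing auth.

Assumed squid.conf (constructed for this example, Squid 3.1+ syntax):

  external_acl_type ident_or_ip children=10 concurrency=10 ttl=300 \
      %SRC %>{Proxy-Authorization} %URI %METHOD /usr/local/bin/ident_or_ip.py
  acl known_client external ident_or_ip
  http_access allow known_client
  http_access deny all
  deny_info ERR_FILTER_DENIED all
  logformat withuser %>a %ea %rm %ru
"""
import base64
import binascii
import sys
from urllib.parse import unquote

# Constructed sample data standing in for Luis's user database and rules.
IP_USERS = {"192.168.1.10": "juan manuel", "192.168.1.11": "owners"}
PASSWORDS = {"juan manuel": "secreto", "owners": "hunter2"}
BLOCKED = {"owners": ("http://blocked.example/",)}   # per-user URL prefixes


def decode_basic(header):
    """Return (user, password) from a 'Basic <b64>' value, or None.

    Squid sends "-" for an absent field. Bad base64 or a missing colon is
    treated as "no credentials", never as a valid login.
    """
    if not header or header == "-":
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def identify(src, proxy_auth):
    """Verified credentials win; otherwise fall back to the IP-keyed user."""
    creds = decode_basic(proxy_auth)
    if creds:
        user, password = creds
        if PASSWORDS.get(user) == password:
            return user, "auth"
        return None, "badauth"   # presented but wrong: no IP fallback
    user = IP_USERS.get(src)
    if user:
        return user, "ip"
    return None, "unknown"


def quote_value(value):
    """Double-quote a response value that contains spaces (assumed Squid syntax)."""
    return f'"{value}"' if " " in value else value


def decide(line):
    """Turn one request line from Squid into one response line.

    With concurrency=N each line is "<channel> field ..." and the channel id
    must be echoed back. Fields are assumed URL-escaped (quote=url default),
    so they are unquoted after splitting on spaces.
    """
    parts = line.rstrip("\n").split(" ")
    if len(parts) < 5:
        return None
    channel, src, proxy_auth, uri, method = (unquote(p) for p in parts[:5])
    user, how = identify(src, proxy_auth)
    if user is None:
        return f"{channel} ERR log={how}"
    for prefix in BLOCKED.get(user, ()):
        if uri.startswith(prefix):
            return f"{channel} ERR user={quote_value(user)} log=filtered:{how}"
    return f"{channel} OK user={quote_value(user)} log={how}"


def main():
    for line in sys.stdin:
        out = decide(line)
        if out is not None:
            sys.stdout.write(out + "\n")
            sys.stdout.flush()   # Squid blocks on the reply; never buffer it


if __name__ == "__main__":
    main()
```

The point Amos makes about user= applies here too: Squid treats the returned user= purely as authorization data and logging material, so the password check has to happen inside this helper (against whatever backs myauthdb) before the name is returned. A request that carries a wrong Proxy-Authorization header is refused outright rather than quietly downgraded to the IP identity.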