On 01/05/11 05:00, J. Webster wrote:

Ah, that tutorial is about writing an authentication helper (ie
ncsa_auth). Not an ACL helper.

The difference being that external_acl_type ACL helpers auth*orize* the
request permission to do something in Squid because it matches an IP
used by some username.

auth_param helpers auth*enticate* some security username:passtoken
credentials. They do not assign any permissions, just state whether the
credentials are valid/invalid.


The script I was suggesting takes only the IP and produces the username
for logging. You need some database, or AD login etc mapping which users
have been assigned which IP. The script uses that source to find the
username in the background and present it to Squid via "OK
user=$username" or "ERR" results.


The squid.conf looks something like:

external_acl_type IPUser %SRC /path/to/script

auth_param basic program /path/to/ncsa_auth

# VPN subnet intercepted with NAT
acl ipuser external IPUser
acl vpn_subnet src 192.168.1.0/24
http_access allow vpn_subnet ipuser

# regular subnet who can login
acl logIn proxy_auth REQUIRED
acl other_subnet src 192.168.2.0/24
http_access allow other_subnet logIn

# strange machines we don't know.
http_access deny all

Right...sorry, can I leave the VPN out for the moment because I'm confusing 
myself with the setup.
So, the current setup uses ncsa_auth. I need to add a secondary authentication 
mechanism, which checks the external IP address but does not require a username 
or password.
From what we've said I cannot add 2 mechanisms so I need to pass the auth to a 
script that can check the IP address. If the IP address does not equal 
200.212.34.45 then I need to pass the script a username and password pair, 
which it can check against the existing ncsa_auth squid_passwd file.
User accesses proxy, if IP=200.212.34.45 OK, else if 
username:password=squid_passwd file OK, else ERR.
Do I even need a script for that or can I simply add acl other_subnet src 
200.212.34.45 to the existing conf?

That was what this bit of squid.conf does:
  http_access allow other_subnet logIn

ie.
If IP is in 'other_subnet' {
  if auth is OK then ALLOW
  else skip to next line
}

(logIn only challenges and fetches auth if it is tested, it is only tested when the IP is in 'other_subnet').


Current conf:
auth_param basic realm MySquid proxy server
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
authenticate_cache_garbage_interval 1 hour
authenticate_ip_ttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 1863         # MSN messenger
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT
http_access deny manager
http_access allow ncsa_users

Remove ncsa_users from here...

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

Add it back in here with the subnet ACL as I demoed earlier (adjusted for your actual subnet of course).

NP: you should not notice any difference in proxy behaviour from the current config with just this change. It is just shuffling prep for the other change.

http_access deny maxuser
http_access allow localhost
http_access deny all
icp_access allow all
http_port 8080
http_port xx.xxx.xxx.198:80
hierarchy_stoplist cgi-bin ?
cache_mem 100 MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 40000 16 256
#cache_dir null /null
maximum_object_size 50 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none
buffered_logs on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
half_closed_clients off
visible_hostname MySquidProxyServer
log_icp_queries off
dns_nameservers 208.67.222.222 208.67.220.220
hosts_file /etc/hosts
memory_pools off
forwarded_for off
client_db off
coredump_dir /var/spool/squid
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 125000/125000

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1

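Added example (not part of the thread above, and not Amos's or the Squid project's own code): a minimal external_acl_type helper of the kind described in the reply, which receives only the %SRC address from Squid and answers "OK user=<name>" or "ERR". Squid's external ACL protocol, as used here, is one request line on stdin per lookup and one reply line on stdout, with "OK" optionally followed by key=value pairs; this is the protocol the reply relies on and it holds for the non-concurrent helper mode shown in the squid.conf (no channel-ID prefix). The IP-to-username table is a constructed stand-in for whatever VPN/DHCP database or directory lookup really assigns addresses to users; the script name and the exact mapping are assumptions. Unknown or malformed addresses return ERR on purpose so the `http_access allow vpn_subnet ipuser` line simply fails to match and Squid falls through to the proxy_auth rule.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: map a client IP to a username.

Configured in squid.conf as (path is an assumption for this example):
    external_acl_type IPUser %SRC /usr/local/bin/ipuser_helper.py
    acl ipuser external IPUser

Squid writes one line per lookup to stdin (here just the %SRC field)
and expects exactly one reply line: "OK user=<name>" or "ERR".
"""
import ipaddress
import sys

# Constructed sample mapping for this example only. A real deployment
# would query the VPN/DHCP/AD source that records which user holds which
# address, ideally with a short cache in front of it.
IP_TO_USER = {
    "192.168.1.10": "alice",
    "192.168.1.11": "bob",
}


def lookup(line, mapping=IP_TO_USER):
    """Return the Squid reply line for one request line.

    `line` is what Squid sent: the %SRC address, plus any further format
    fields, which this helper ignores. Anything that is not a known,
    well-formed address yields "ERR" so the calling http_access rule does
    not match and Squid continues to the next rule.
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"
    try:
        # Normalise (e.g. IPv6 case/zero-compression) before the lookup.
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"
    user = mapping.get(ip)
    if user is None:
        return "ERR"
    # Usernames here are plain alphanumerics; Squid 3.x expects the value
    # to be URL-encoded or quoted if it contains spaces or '%'.
    return "OK user=%s" % user


def main():
    # Squid keeps the helper process running for its lifetime and sends
    # one request per line. Flush after every reply, or Squid blocks
    # waiting for an answer that is stuck in the stdio buffer.
    for line in sys.stdin:
        sys.stdout.write(lookup(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the result is only a username for logging and a yes/no on the address, there is no password handling in this path at all; the existing ncsa_auth line in squid.conf stays in charge of the other_subnet users, exactly as the two http_access lines in the reply lay out.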