Hello Amos,

thanks for your help. With your help I could solve the problem with the 
authentication and squidguard.

For everyone else:

I had to write a simple wrapper from external_acl to rewrite, because 
squidguard uses the rewrite interface (URL return instead of OK/ERR return):

(/usr/local/sbin/sqguard-wrapper)

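#!/bin/bash
# external_acl helper: pass each request to squidGuard (rewrite interface)
# and turn its answer into OK/ERR.
while read -r LINE ; do
  printf '%s\n' "$LINE"
done | gawk '{
   # %URI %SRC %LOGIN %METHOD -> input line for squidGuard
   printf("%s %s/none %s - %s\n",$1,$2,$3,$4);
   fflush()
}' | /usr/sbin/squidGuard | gawk '{
  # empty answer = URL not rewritten = allowed; anything else = blocked
  if($0 != "") printf("ERR\n")
  else  printf("OK\n");
  fflush();
}';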

Excerpt of squid.conf:

...
auth_param basic program /usr/sbin/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 20 startup=1 idle=1
auth_param basic realm Proxy-Authentication
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl mylogin proxy_auth REQUIRED
external_acl_type sqgrd children-max=30 children-startup=10 children-idle=5 concurrency=0 %URI %SRC %LOGIN %METHOD /usr/local/sbin/sqguard-wrapper
acl sqguardok external sqgrd
acl myloginserver url_regex ^http://myloginserver/gruen
http_access allow myloginserver mylogin
http_access deny myloginserver
http_access deny !sqguardok
http_access allow all

But I still have the other problem:

In the access.log, the username of the user who has authenticated isn't logged. 
Is there any trick to get the username of the logged-in person logged, even if 
squid believes it could show the page without authentication?

Greetings in advance,

Martin





-----Original Message-----
From: Amos Jeffries [mailto:[email protected]]
Sent: Monday, 3 September 2012 10:14
To: [email protected]
Subject: Re: [squid-users] Problem with authentication needed for squidguard 
and squid 3.2.1

On 3/09/2012 7:01 p.m., Stolle, Martin wrote:
> Hello,
>
> I have a problem with the cooperation of squidguard 1.4 and squid 3.2.1
>
> My test scenario consists of
>
> Squidguard 1.4
> Squid 3.2.1
> Basic Authentication (in that case of test)
>
>
> I want to allow URLs not blocked by lists from squidguard to all users.
>
> If a website is blocked by a squidguard list and a user isn't 
> authenticated, squidguard shall and will redirect the request to a blocking 
> site, which links to a site where somebody can authenticate themselves.
>
> If someone is authenticated that way, he is associated with a user account 
> and should have access to all web sites.
>
> Unfortunately, I have the problem that, even if a user is authenticated, squid 
> transfers the user information to squidguard only under the condition that, 
> from the point of view of squid, the authentication is necessary, even for a 
> user who authenticated before. If squid recognizes that, from the point of 
> view of squid, authentication is not necessary (i.e. there was e.g. an 
> http_access allow all on the way), it does not transfer authentication 
> information to the url rewriter, here squidguard, and also does not log that 
> information.
> But squidguard needs that information in that case to allow the user access 
> to that web site and not redirect the request to the blocking site.
>
> Is there an option to transfer authentication information in any case - where 
> it is available, i.e. the user has already authenticated - to the rewriter 
> and also to log it?

URL rewriter interface is NOT the correct place to be performing authentication 
or authorization.

Use external_acl_type helper interface instead, design your input format % 
codes to match the fields squidguard needs. That interface will do proxy 
credentials location for %LOGIN, including authentication if required. Use 
deny_info to do the page redirection.

Amos
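
The external_acl-to-rewriter translation done by the wrapper at the top of this message, as an added Python example that is not part of the original post or of Squid/squidGuard. The line layout sent to squidGuard and the path /usr/sbin/squidGuard are copied from that wrapper; the function names and the fail-closed handling of malformed requests and of a squidGuard that has exited are assumptions of this example.

```python
#!/usr/bin/env python3
"""external_acl_type helper that asks squidGuard for a verdict (added example)."""
import subprocess
import sys

SQUIDGUARD = "/usr/sbin/squidGuard"  # path taken from the wrapper in the post


def to_rewriter_line(acl_line):
    """Map '%URI %SRC %LOGIN %METHOD' to the line layout the posted wrapper sends."""
    fields = acl_line.split()
    if len(fields) != 4:
        return None  # malformed request: the caller answers ERR (assumption)
    uri, src, login, method = fields
    return f"{uri} {src}/none {login} - {method}"


def to_acl_verdict(reply):
    """Empty squidGuard answer = URL not rewritten = allowed; a URL = blocked."""
    return "OK" if reply.strip() == "" else "ERR"


def serve(requests, ask):
    """Yield one OK/ERR per request line; `ask` sends one line to squidGuard."""
    for line in requests:
        rewritten = to_rewriter_line(line)
        yield "ERR" if rewritten is None else to_acl_verdict(ask(rewritten))


def main():
    # One long-lived squidGuard child, line-buffered in both directions,
    # matching concurrency=0 (one request in flight at a time).
    child = subprocess.Popen([SQUIDGUARD], stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, text=True, bufsize=1)

    def ask(line):
        child.stdin.write(line + "\n")
        child.stdin.flush()
        reply = child.stdout.readline()
        # EOF means squidGuard exited: return non-empty text so the verdict is ERR.
        return reply if reply else "squidGuard-exited"

    for verdict in serve(sys.stdin, ask):
        print(verdict, flush=True)


if __name__ == "__main__":
    main()
```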
