Bogus 407 (reminder)

2009-07-17 Thread Diego Woitasen
Hi,
 I reported this some months ago and it is still there :)

http://www.squid-cache.org/bugs/show_bug.cgi?id=2453

regards,
 Diego

-- 
Diego Woitasen
XTECH


Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access

2008-09-07 Thread Diego Woitasen
http://www.squid-cache.org/bugs/show_bug.cgi?id=2455

On Sun, Sep 07, 2008 at 09:28:30AM +0800, Adrian Chadd wrote:
 It looks fine; could you dump it into bugzilla for the time being?
 (We're working on the Squid-2 - bzr merge stuff at the moment!)
 
 
 
 Adrian
 
 2008/9/7 Diego Woitasen [EMAIL PROTECTED]:
  This patch applies to Squid 2.7.STABLE4.
 
  If we use a proxy_auth acl on {storeurl,url_rewrite}_access and the user
  hasn't been authenticated previously, send a 407.
 
  regards,
 Diego
 
 
  diff --git a/src/client_side.c b/src/client_side.c
  index 23c4274..4f75ea0 100644
  --- a/src/client_side.c
  +++ b/src/client_side.c
  @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http)
 
   }
 
  -static void
  -clientAccessCheckDone(int answer, void *data)
  +void
  +clientSendErrorReply(clientHttpRequest * http, int answer)
   {
  -clientHttpRequest *http = data;
  err_type page_id;
  http_status status;
  ErrorState *err = NULL;
  char *proxy_auth_msg = NULL;
  +
  +proxy_auth_msg = 
  authenticateAuthUserRequestMessage(http-conn-auth_user_request ? 
  http-conn-auth_user_request : http-request-auth_user_request);
  +
  +int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
  aclIsProxyAuth(AclMatchedName))  !http-request-flags.transparent;
  +
  +debug(33, 5) (Access Denied: %s\n, http-uri);
  +debug(33, 5) (AclMatchedName = %s\n,
  +   AclMatchedName ? AclMatchedName : null);
  +debug(33, 5) (Proxy Auth Message = %s\n,
  +   proxy_auth_msg ? proxy_auth_msg : null);
  +
  +/*
  + * NOTE: get page_id here, based on AclMatchedName because
  + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
  + * clobbered in the clientCreateStoreEntry() call
  + * just below.  Pedro Ribeiro [EMAIL PROTECTED]
  + */
  +page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, 
  answer != ACCESS_REQ_PROXY_AUTH);
  +http-log_type = LOG_TCP_DENIED;
  +http-entry = clientCreateStoreEntry(http, http-request-method,
  +   null_request_flags);
  +if (require_auth) {
  +   if (!http-flags.accel) {
  +   /* Proxy authorisation needed */
  +   status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
  +   } else {
  +   /* WWW authorisation needed */
  +   status = HTTP_UNAUTHORIZED;
  +   }
  +   if (page_id == ERR_NONE)
  +   page_id = ERR_CACHE_ACCESS_DENIED;
  +} else {
  +   status = HTTP_FORBIDDEN;
  +   if (page_id == ERR_NONE)
  +   page_id = ERR_ACCESS_DENIED;
  +}
  +err = errorCon(page_id, status, http-orig_request);
  +if (http-conn-auth_user_request)
  +   err-auth_user_request = http-conn-auth_user_request;
  +else if (http-request-auth_user_request)
  +   err-auth_user_request = http-request-auth_user_request;
  +/* lock for the error state */
  +if (err-auth_user_request)
  +   authenticateAuthUserRequestLock(err-auth_user_request);
  +err-callback_data = NULL;
  +errorAppendEntry(http-entry, err);
  +
  +}
  +
  +static void
  +clientAccessCheckDone(int answer, void *data)
  +{
  +clientHttpRequest *http = data;
  +
  debug(33, 2) (The request %s %s is %s, because it matched '%s'\n,
 RequestMethods[http-request-method].str, http-uri,
 answer == ACCESS_ALLOWED ? ALLOWED : DENIED,
 AclMatchedName ? AclMatchedName : NO ACL's);
  -proxy_auth_msg = 
  authenticateAuthUserRequestMessage(http-conn-auth_user_request ? 
  http-conn-auth_user_request : http-request-auth_user_request);
  http-acl_checklist = NULL;
  if (answer == ACCESS_ALLOWED) {
 safe_free(http-uri);
  @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data)
 http-redirect_state = REDIRECT_PENDING;
 clientRedirectStart(http);
  } else {
  -   int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
  aclIsProxyAuth(AclMatchedName))  !http-request-flags.transparent;
  -   debug(33, 5) (Access Denied: %s\n, http-uri);
  -   debug(33, 5) (AclMatchedName = %s\n,
  -   AclMatchedName ? AclMatchedName : null);
  -   debug(33, 5) (Proxy Auth Message = %s\n,
  -   proxy_auth_msg ? proxy_auth_msg : null);
  -   /*
  -* NOTE: get page_id here, based on AclMatchedName because
  -* if USE_DELAY_POOLS is enabled, then AclMatchedName gets
  -* clobbered in the clientCreateStoreEntry() call
  -* just below.  Pedro Ribeiro [EMAIL PROTECTED]
  -*/
  -   page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, 
  answer != ACCESS_REQ_PROXY_AUTH);
  -   http-log_type = LOG_TCP_DENIED;
  -   http-entry = clientCreateStoreEntry(http, http-request-method,
  -   null_request_flags);
  -   if (require_auth) {
  -   if (!http-flags.accel) {
  -   /* Proxy authorisation needed */
  -   status

[PATCH] Send 407 on url_rewrite_access/storeurl_access

2008-09-06 Thread Diego Woitasen
This patch applies to Squid 2.7.STABLE4.

If we use a proxy_auth acl on {storeurl,url_rewrite}_access and the user
hasn't been authenticated previously, send a 407.

regards,
Diego


diff --git a/src/client_side.c b/src/client_side.c
index 23c4274..4f75ea0 100644
--- a/src/client_side.c
+++ b/src/client_side.c
@@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http)
 
 }
 
-static void
-clientAccessCheckDone(int answer, void *data)
+void
+clientSendErrorReply(clientHttpRequest * http, int answer)
 {
-clientHttpRequest *http = data;
 err_type page_id;
 http_status status;
 ErrorState *err = NULL;
 char *proxy_auth_msg = NULL;
+
+proxy_auth_msg = 
authenticateAuthUserRequestMessage(http-conn-auth_user_request ? 
http-conn-auth_user_request : http-request-auth_user_request);
+
+int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
aclIsProxyAuth(AclMatchedName))  !http-request-flags.transparent;
+
+debug(33, 5) (Access Denied: %s\n, http-uri);
+debug(33, 5) (AclMatchedName = %s\n,
+   AclMatchedName ? AclMatchedName : null);
+debug(33, 5) (Proxy Auth Message = %s\n,
+   proxy_auth_msg ? proxy_auth_msg : null);
+
+/*
+ * NOTE: get page_id here, based on AclMatchedName because
+ * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
+ * clobbered in the clientCreateStoreEntry() call
+ * just below.  Pedro Ribeiro [EMAIL PROTECTED]
+ */
+page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, answer 
!= ACCESS_REQ_PROXY_AUTH);
+http-log_type = LOG_TCP_DENIED;
+http-entry = clientCreateStoreEntry(http, http-request-method,
+   null_request_flags);
+if (require_auth) {
+   if (!http-flags.accel) {
+   /* Proxy authorisation needed */
+   status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
+   } else {
+   /* WWW authorisation needed */
+   status = HTTP_UNAUTHORIZED;
+   }
+   if (page_id == ERR_NONE)
+   page_id = ERR_CACHE_ACCESS_DENIED;
+} else {
+   status = HTTP_FORBIDDEN;
+   if (page_id == ERR_NONE)
+   page_id = ERR_ACCESS_DENIED;
+}
+err = errorCon(page_id, status, http-orig_request);
+if (http-conn-auth_user_request)
+   err-auth_user_request = http-conn-auth_user_request;
+else if (http-request-auth_user_request)
+   err-auth_user_request = http-request-auth_user_request;
+/* lock for the error state */
+if (err-auth_user_request)
+   authenticateAuthUserRequestLock(err-auth_user_request);
+err-callback_data = NULL;
+errorAppendEntry(http-entry, err);
+
+}
+
+static void
+clientAccessCheckDone(int answer, void *data)
+{
+clientHttpRequest *http = data;
+
 debug(33, 2) (The request %s %s is %s, because it matched '%s'\n,
RequestMethods[http-request-method].str, http-uri,
answer == ACCESS_ALLOWED ? ALLOWED : DENIED,
AclMatchedName ? AclMatchedName : NO ACL's);
-proxy_auth_msg = 
authenticateAuthUserRequestMessage(http-conn-auth_user_request ? 
http-conn-auth_user_request : http-request-auth_user_request);
 http-acl_checklist = NULL;
 if (answer == ACCESS_ALLOWED) {
safe_free(http-uri);
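Review bot: the new `int require_auth = ...` declaration in clientSendErrorReply comes after the `proxy_auth_msg = ...` statement, which is a C99 mixed declaration; Squid-2's C keeps declarations at the top of the block, so move it up next to `char *proxy_auth_msg = NULL;`. Also, clientSendErrorReply drops its `static` so that the url_rewrite_access/storeurl_access paths named in the subject can call it, but the part of the diff shown here adds no prototype for it to a shared header and shows no caller; both belong in the same patch.
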
@@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data)
http-redirect_state = REDIRECT_PENDING;
clientRedirectStart(http);
 } else {
-   int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
aclIsProxyAuth(AclMatchedName))  !http-request-flags.transparent;
-   debug(33, 5) (Access Denied: %s\n, http-uri);
-   debug(33, 5) (AclMatchedName = %s\n,
-   AclMatchedName ? AclMatchedName : null);
-   debug(33, 5) (Proxy Auth Message = %s\n,
-   proxy_auth_msg ? proxy_auth_msg : null);
-   /*
-* NOTE: get page_id here, based on AclMatchedName because
-* if USE_DELAY_POOLS is enabled, then AclMatchedName gets
-* clobbered in the clientCreateStoreEntry() call
-* just below.  Pedro Ribeiro [EMAIL PROTECTED]
-*/
-   page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, 
answer != ACCESS_REQ_PROXY_AUTH);
-   http-log_type = LOG_TCP_DENIED;
-   http-entry = clientCreateStoreEntry(http, http-request-method,
-   null_request_flags);
-   if (require_auth) {
-   if (!http-flags.accel) {
-   /* Proxy authorisation needed */
-   status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
-   } else {
-   /* WWW authorisation needed */
-   status = HTTP_UNAUTHORIZED;
-   }
-   if (page_id == ERR_NONE)
-   page_id = ERR_CACHE_ACCESS_DENIED;
-   } else {
-   status = HTTP_FORBIDDEN;
-   if (page_id == ERR_NONE)
-   page_id = ERR_ACCESS_DENIED;
-   }
-   err = errorCon(page_id, status, http-orig_request);
-   if (http-conn-auth_user_request)
-   err-auth_user_request = http-conn-auth_user_request;
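Review bot: this hunk is cut off in the archive after `err-auth_user_request = http-conn-auth_user_request;`, so the replacement for the removed else-branch body is not visible; since that body is moved verbatim into clientSendErrorReply in the previous hunk, the else branch should reduce to a single `clientSendErrorReply(http, answer);` call and nothing else, which is what the `-47,+7` hunk header suggests.
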

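The status-code decision that the patch above centralizes in clientSendErrorReply, as an added stand-alone C example (not code from the patch or from Squid): the answer/ACL/transparent/accel inputs are modelled as a small struct and the function returns the status, the challenge header and the fallback error page. The enum values, the `has_deny_info_page` flag and the helper names are assumptions standing in for Squid's ACCESS_* constants, aclGetDenyInfoPage() and aclIsProxyAuth().

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for Squid-2's ACL answers (assumed values). */
enum acl_answer { ACCESS_DENIED = 0, ACCESS_ALLOWED = 1, ACCESS_REQ_PROXY_AUTH = 2 };

/* The request state the deny path in the patch looks at (assumed model). */
struct deny_ctx {
    enum acl_answer answer; /* result of the access check */
    int acl_is_proxy_auth;  /* stands in for aclIsProxyAuth(AclMatchedName) */
    int transparent;        /* intercepted request: the client never chose a proxy */
    int accel;              /* reverse-proxy (accelerator) mode */
    int has_deny_info_page; /* stands in for aclGetDenyInfoPage() finding a page */
};

struct deny_reply {
    int status;                /* 407, 401 or 403 */
    const char *challenge_hdr; /* header carrying the auth challenge, or NULL */
    const char *page;          /* error page used when no deny_info applies */
};

/* Same decision table as clientSendErrorReply in the patch. */
struct deny_reply choose_deny_reply(const struct deny_ctx *c)
{
    struct deny_reply r;
    /* Challenge only if credentials were asked for AND the client actually
     * sent the request to us as a proxy. An intercepted client does not know
     * it is talking to a proxy, so a 407 would be meaningless to it; it gets
     * a plain 403 instead, whatever the ACL wanted. */
    int require_auth = (c->answer == ACCESS_REQ_PROXY_AUTH || c->acl_is_proxy_auth)
                       && !c->transparent;

    if (require_auth) {
        if (!c->accel) {
            r.status = 407;                 /* HTTP_PROXY_AUTHENTICATION_REQUIRED */
            r.challenge_hdr = "Proxy-Authenticate";
        } else {
            r.status = 401;                 /* HTTP_UNAUTHORIZED in accelerator mode */
            r.challenge_hdr = "WWW-Authenticate";
        }
        r.page = c->has_deny_info_page ? "deny_info" : "ERR_CACHE_ACCESS_DENIED";
    } else {
        r.status = 403;                     /* HTTP_FORBIDDEN */
        r.challenge_hdr = NULL;
        r.page = c->has_deny_info_page ? "deny_info" : "ERR_ACCESS_DENIED";
    }
    return r;
}

/* Convenience wrappers: just the status, or just the challenge header. */
int deny_status(enum acl_answer answer, int acl_is_proxy_auth, int transparent, int accel)
{
    struct deny_ctx c = { answer, acl_is_proxy_auth, transparent, accel, 0 };
    return choose_deny_reply(&c).status;
}

const char *deny_challenge(enum acl_answer answer, int acl_is_proxy_auth,
                           int transparent, int accel)
{
    struct deny_ctx c = { answer, acl_is_proxy_auth, transparent, accel, 0 };
    const char *h = choose_deny_reply(&c).challenge_hdr;
    return h ? h : "-";
}

int main(void)
{
    /* Constructed cases covering each row of the decision table. */
    struct deny_ctx cases[] = {
        { ACCESS_REQ_PROXY_AUTH, 0, 0, 0, 0 }, /* forward proxy, needs credentials */
        { ACCESS_DENIED,         1, 0, 1, 0 }, /* accelerator, proxy_auth acl      */
        { ACCESS_REQ_PROXY_AUTH, 0, 1, 0, 0 }, /* intercepted: cannot challenge    */
        { ACCESS_DENIED,         0, 0, 0, 1 }, /* plain deny with a deny_info page */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct deny_reply r = choose_deny_reply(&cases[i]);
        printf("answer=%d proxy_auth_acl=%d transparent=%d accel=%d -> %d %s page=%s\n",
               (int) cases[i].answer, cases[i].acl_is_proxy_auth, cases[i].transparent,
               cases[i].accel, r.status, r.challenge_hdr ? r.challenge_hdr : "-", r.page);
    }
    return 0;
}
```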
Using cached headers in ACLs

2008-09-03 Thread Diego Woitasen
Hi,
As I explained in my introduction, I'm working on changes
to the cache statement and refresh_pattern to allow easy flash
video caching and maybe other things. The first thing that I'm
trying to change is that the ACLs used in cache would match
against cached headers. For example, if the cached headers for
some URL contain Content-Type: video/flv, I serve that object
from cache.

Is there any contraindication if I use cached headers in that
way?

Regards,
Diego

-- 
---
Diego Woitasen - XTECH
www.xtech.com.ar


Re: Introducing myself

2008-09-02 Thread Diego Woitasen

On Mon, September 1, 2008 9:20 pm, S L wrote:
 Hi, is it restricted via mime-type? If so, then I did introduce it
 already. But it isn't approved yet.


I don't understand. Do you have a link to your patch?

I want to select whether or not to cache an object based on the reply mime-type.
I think we can do it using cached headers. I'm working on it right now, and
will post results in a few days.

regards,
 Diego

-- 
Diego Woitasen
XTECH - Linux solutions for businesses
(54) 011 5219-0678



Introducing myself

2008-08-30 Thread Diego Woitasen
Hi,
 I want to discuss some features about caching, more precisely changes in
cache behavior and refresh_pattern. I think that clientCheckNoCache()
should be called from clientHttpReplyAccessCheck(), so we could allow
caching based on reply mime type (useful for youtube and googlevideos).
Also, refresh_pattern should use acls to be more flexible, but this
requires major surgery, I think.

regards,
  Diego
-- 
Diego Woitasen
XTECH - Linux solutions for businesses
(54) 011 5219-0678



[PATCH] Fix stripping NT domain in squid_ldap_group

2008-03-15 Thread Diego Woitasen
Hi, 
This patch fixes a problem with nt domain stripping in
squid_ldap_group. I tried 2.6.18 with this patch and it
doesn't strip the domain correctly.

regards,
Diego

-- 
Diego Woitasen
XTECH - www.xtech.com.ar
diff -Nur squid-2.6.STABLE18/helpers/external_acl/ldap_group/squid_ldap_group.c squid-2.6.STABLE18-ws/helpers/external_acl/ldap_group/squid_ldap_group.c
--- squid-2.6.STABLE18/helpers/external_acl/ldap_group/squid_ldap_group.c	2006-05-22 17:42:04.0 -0300
+++ squid-2.6.STABLE18-ws/helpers/external_acl/ldap_group/squid_ldap_group.c	2008-03-14 21:38:24.070283506 -0200
@@ -465,9 +465,9 @@
 	}
 	rfc1738_unescape(user);
 	if (strip_nt_domain) {
-	char *u = strchr(user, '\\');
+	char *u = strrchr(user, '\\');
 	if (!u)
-		u = strchr(user, '/');
+		u = strrchr(user, '/');
 	if (u  u[1])
 		user = u + 1;
 	}
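Review bot: switching strchr to strrchr changes which separator wins when a login carries more than one: `CORP\EXAMPLE\user` now yields `user` where it used to yield `EXAMPLE\user`, and the same holds for `/`. That is the intended fix, but the help text for the -S option (not touched by this patch) should say that everything up to the last `\` or `/` is stripped, and since the `if (!u)` fallback only looks for `/` when no backslash is present at all, a name containing both separators is split on the last backslash wherever the slash sits; a one-line comment there would save the next reader a puzzle.
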

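The difference the one-line change above makes, as an added C example that is not part of the patch or of squid_ldap_group: the same -S stripping logic written once with a switch between strchr and strrchr, run over constructed login names. The helper name and the sample names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Strip a leading NT domain from a login name the way the -S option of
 * squid_ldap_group does. use_last = 0 reproduces the pre-patch strchr lookup,
 * use_last = 1 the patched strrchr lookup. The u[1] guard keeps a name that
 * ends in a separator unchanged, so "EXAMPLE\" is returned as-is. */
const char *strip_nt_domain(const char *user, int use_last)
{
    const char *u = use_last ? strrchr(user, '\\') : strchr(user, '\\');
    if (!u)
        u = use_last ? strrchr(user, '/') : strchr(user, '/');
    return (u && u[1]) ? u + 1 : user;
}

int main(void)
{
    /* Constructed sample logins; the two lookups differ only when the name
     * carries more than one separator. */
    const char *samples[] = { "EXAMPLE\\alice", "EXAMPLE/bob", "carol",
                              "EXAMPLE\\", "CORP\\EXAMPLE\\dave" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s strchr -> %-14s strrchr -> %s\n", samples[i],
               strip_nt_domain(samples[i], 0), strip_nt_domain(samples[i], 1));
    return 0;
}
```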

little error in cache.data.pre

2005-03-14 Thread Diego Woitasen
Here is the patch :)

diff -Nur squid-2.5.STABLE9/src/cf.data.pre
squid-2.5.STABLE9-expire/src/cf.data.pre
--- squid-2.5.STABLE9/src/cf.data.pre   2005-02-22 21:06:34.0
-0300
+++ squid-2.5.STABLE9-expire/src/cf.data.pre2005-03-15
00:43:53.131302928 -0300
@@ -1698,7 +1698,7 @@
 
Basically a cached object is:
 
-   FRESH if expires  now, else STALE
+   FRESH if expires  now, else STALE
STALE if age  max
FRESH if lm-factor  percent, else STALE
FRESH if age  min
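Review bot: the `-` and `+` lines of this hunk read identically in the archived copy because the comparison operator between `expires` and `now` was lost in extraction, so the change cannot be checked here; whoever applies it should confirm that the fixed line states an object is FRESH while its expiry time still lies in the future, consistent with the age/min/max rules that follow it.
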




Re: [squid-users] squid_ldap_group with SASL and GSSAPI support

2004-10-21 Thread Diego Woitasen
I have read the code and it makes sense. I will do it next week.



On Thu, 21-10-2004 at 04:21, Henrik Nordstrom wrote:
 On Wed, 20 Oct 2004, Diego Woitasen wrote:
 
  This patch adds support for SASL GSSAPI to squid_ldap_group, a feature
  required if you want to check group membership from a W2003 Active
  Directory or openldap with kerberos authentication.
 
 Would it make sense to also add this to squid_ldap_auth?
 
 Regards
 Henrik



squid_ldap_group with SASL and GSSAPI support

2004-10-20 Thread Diego Woitasen
This patch adds support for SASL GSSAPI to squid_ldap_group, a feature
required if you want to check group membership from a W2003 Active
Directory or openldap with kerberos authentication.

Patch created from squid 2.5-STABLE7.

To compile with GSSAPI support:

cd helpers/external_acl/ldap_group
make LDFLAGS='-lkrb5 -lsasl2' CFLAGS='-DCYRUS_SASL'

This requires the cyrus-sasl 2.x.x, openldap 2.x.x and krb5 1.3.x
libraries.

See the krb5 documentation on how to configure a kerberos client.

-- 
DiegoWS
LANUX
diff -Nur squid-2.5.STABLE7/helpers/external_acl/ldap_group/README squid-2.5.STABLE7-krb5/helpers/external_acl/ldap_group/README
--- squid-2.5.STABLE7/helpers/external_acl/ldap_group/README	2003-11-19 21:41:37.0 -0300
+++ squid-2.5.STABLE7-krb5/helpers/external_acl/ldap_group/README	2004-10-20 21:06:41.0 -0300
@@ -8,3 +8,10 @@
 
 The latest version of this program can always be found from
 MARA Systems at http://marasystems.com/download/LDAP_Group/
+
+If you want compile with GSSAPI support:
+
+cd helpers/external_acl/ldap_group
+make LDFLAGS='-lkrb5 -lsasl2' CFLAGS='-DCYRUS_SASL'
+
+this requieres cyrus-sasl 2.x.x, openldap 2.x.x and krb5 1.3.x libraries.
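Review bot: the added README text ships two typos verbatim: `If you want compile` should read `If you want to compile`, and `requieres` should be `requires`. It would also help to say that the `-k` option this patch adds to the helper is what turns on the SASL/GSSAPI bind, since the README otherwise only covers the build flags.
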
diff -Nur squid-2.5.STABLE7/helpers/external_acl/ldap_group/squid_ldap_group.c squid-2.5.STABLE7-krb5/helpers/external_acl/ldap_group/squid_ldap_group.c
--- squid-2.5.STABLE7/helpers/external_acl/ldap_group/squid_ldap_group.c	2004-03-02 06:13:29.0 -0300
+++ squid-2.5.STABLE7-krb5/helpers/external_acl/ldap_group/squid_ldap_group.c	2004-10-20 21:03:01.0 -0300
@@ -39,6 +39,9 @@
 #include ctype.h
 #include lber.h
 #include ldap.h
+#if defined (CYRUS_SASL)
+#include sasl/sasl.h
+#endif
 #if defined(LDAP_OPT_NETWORK_TIMEOUT)
 #include sys/time.h
 #endif
@@ -76,34 +79,38 @@
 
 static int readSecret(char *filename);
 
+#if defined (CYRUS_SASL)
+static int do_sasl_interact(LDAP * ld, unsigned flags, void *defaults, void *_interact);
+#endif
+
 /* Yuck.. we need to glue to different versions of the API */
 
 #if defined(LDAP_API_VERSION)  LDAP_API_VERSION  1823
-static int 
+static int
 squid_ldap_errno(LDAP * ld)
 {
 int err = 0;
 ldap_get_option(ld, LDAP_OPT_ERROR_NUMBER, err);
 return err;
 }
-static void 
+static void
 squid_ldap_set_aliasderef(LDAP * ld, int deref)
 {
 ldap_set_option(ld, LDAP_OPT_DEREF, deref);
 }
-static void 
+static void
 squid_ldap_set_referrals(LDAP * ld, int referrals)
 {
 int *value = referrals ? LDAP_OPT_ON : LDAP_OPT_OFF;
 ldap_set_option(ld, LDAP_OPT_REFERRALS, value);
 }
 static void
-squid_ldap_set_timelimit(LDAP *ld, int timelimit)
+squid_ldap_set_timelimit(LDAP * ld, int timelimit)
 {
 ldap_set_option(ld, LDAP_OPT_TIMELIMIT, timelimit);
 }
 static void
-squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
+squid_ldap_set_connect_timeout(LDAP * ld, int timelimit)
 {
 #if defined(LDAP_OPT_NETWORK_TIMEOUT)
 struct timeval tv;
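Review bot: apart from the `do_sasl_interact` prototype, every line in this hunk is a whitespace or pointer-spacing change (trailing blanks after `static int`, `LDAP *ld` to `LDAP * ld`), and the same holds for the next three hunks; splitting the reindent from the functional change would make the SASL addition reviewable on its own. `do_sasl_interact` is declared `static` here but its definition is not in the part of the diff shown, so the full patch needs checking for it.
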
@@ -115,23 +122,24 @@
 ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, timelimit);
 #endif
 }
-static void 
+static void
 squid_ldap_memfree(char *p)
 {
 ldap_memfree(p);
 }
+
 #else
-static int 
+static int
 squid_ldap_errno(LDAP * ld)
 {
 return ld-ld_errno;
 }
-static void 
+static void
 squid_ldap_set_aliasderef(LDAP * ld, int deref)
 {
 ld-ld_deref = deref;
 }
-static void 
+static void
 squid_ldap_set_referrals(LDAP * ld, int referrals)
 {
 if (referrals)
@@ -140,26 +148,27 @@
 	ld-ld_options = ~LDAP_OPT_REFERRALS;
 }
 static void
-squid_ldap_set_timelimit(LDAP *ld, int timelimit)
+squid_ldap_set_timelimit(LDAP * ld, int timelimit)
 {
 ld-ld_timelimit = timelimit;
 }
 static void
-squid_ldap_set_connect_timeout(LDAP *ld, int timelimit)
+squid_ldap_set_connect_timeout(LDAP * ld, int timelimit)
 {
 fprintf(stderr, Connect timeouts not supported in your LDAP library\n);
 }
-static void 
+static void
 squid_ldap_memfree(char *p)
 {
 free(p);
 }
+
 #endif
 
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
-  #if LDAP_VENDOR_VERSION  194
-#define HAS_URI_SUPPORT 1
-  #endif
+#if LDAP_VENDOR_VERSION  194
+#define HAS_URI_SUPPORT 1
+#endif
 #endif
 
 static char *
@@ -218,6 +227,9 @@
 int port = LDAP_PORT;
 int use_extension_dn = 0;
 int strip_nt_domain = 0;
+#if defined (CYRUS_SASL)
+int use_sasl_bind = 0;
+#endif
 
 setbuf(stdout, NULL);
 
@@ -328,7 +340,7 @@
 	bindpasswd = value;
 	break;
 	case 'W':
-	readSecret (value);
+	readSecret(value);
 	break;
 	case 'P':
 	persistent = !persistent;
@@ -372,12 +384,18 @@
 	case 'S':
 	strip_nt_domain = 1;
 	break;
+#if defined (CYRUS_SASL)
+	case 'k':
+	use_sasl_bind = 1;
+	break;
+#endif
 	default:
 	fprintf(stderr, PROGRAM_NAME  ERROR: Unknown command line option '%c'\n, option);
 	exit(1);
 	}
 }
 
+version = 3;
 while (argc  1) {
 	char *value = argv[1];
 	if (ldapServer) {
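Review bot: `version = 3;` is set unconditionally after the option loop, so if `version` is also chosen by a command-line option, this silently overrides the user's choice; if the SASL bind needs LDAPv3, set it only inside the `use_sasl_bind` branch (or reject the conflicting combination with an error). The new `-k` case also needs a line in the usage text that the truncated hunk below starts.
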
@@ -425,6 +443,9 @@
 #endif
 	fprintf(stderr, \t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n);
 	

Re: ACL: request max body size

2004-02-15 Thread Diego Woitasen (Lanux)
I don't understand. maxconn, for example, matches when the established
connections count is greater than the acl value, and my ACL has the same
behavior: it matches when the BODY SIZE is greater than the acl value.

And, yes... I am going to do the port to Squid-3.


On Fri, Feb 13, 2004 at 08:36:47AM +0100, Henrik Nordstrom wrote:
 On Thu, 12 Feb 2004, Diego Woitasen (Lanux) wrote:
 
  Sorry, but... Is my patch OK?
 
 Almost.
 
 To be consistent with the other max_... acls (maxconn, max_user_ip) the
 condition should be inversed, matching unless above the maximum.
 
 Also there is the small issue about Squid-2.5 being a STABLE frozen 
 release so if you could forward port the acl to Squid-3 it would be great.
 
 Regards
 Henrik

-- 
Diego Woitasen
LANUX


Re: ACL: request max body size

2004-02-12 Thread Diego Woitasen (Lanux)
Sorry, but... Is my patch OK?
On Thu, Feb 12, 2004 at 09:17:20PM +0100, Henrik Nordstrom wrote:
 On Fri, 13 Feb 2004, Robert Collins wrote:
 
  Perhaps it would be useful to consolidate with/replace
  request_body_max_size which already exists...
 
 When this gets merged then the old request_body_max_size should obviously
 be deprecated in favor of the acl approach.
 
 Regards
 Henrik

-- 
Diego Woitasen
LANUX


patch: new ACL type

2004-02-08 Thread Diego Woitasen (Lanux)
This patch adds a new ACL type: max_body_size. It will be matched when
the client's HTTP request body is greater than X bytes.

Example: 

acl users max_body_size 10


Comments and suggestions are welcome...


diff -Nur squid-2.5.STABLE4-20040208/src/acl.c 
squid-2.5.STABLE4-20040208-diegows/src/acl.c
--- squid-2.5.STABLE4-20040208/src/acl.cThu Jan 15 04:43:57 2004
+++ squid-2.5.STABLE4-20040208-diegows/src/acl.cSun Feb  8 15:49:57 2004
@@ -178,6 +178,8 @@
return ACL_MAX_USER_IP;
 if (!strcmp(s, external))
return ACL_EXTERNAL;
+if (!strcmp(s, max_body_size))
+   return ACL_MAX_BODY_SIZE;
 if (!strcmp(s, urllogin))
return ACL_URLLOGIN;
 return ACL_NONE;
@@ -254,6 +256,8 @@
return max_user_ip;
 if (type == ACL_EXTERNAL)
return external;
+if (type == ACL_MAX_BODY_SIZE)
+   return max_body_size;
 if (type == ACL_URLLOGIN)
return urllogin;
 return ERROR;
@@ -757,6 +761,7 @@
 case ACL_SRC_ASN:
 case ACL_MAXCONN:
 case ACL_DST_ASN:
+case ACL_MAX_BODY_SIZE:
aclParseIntlist(A-data);
break;
 case ACL_MAX_USER_IP:
@@ -1587,6 +1592,8 @@
k = clientdbEstablished(checklist-src_addr, 0);
return ((k  ((intlist *) ae-data)-i) ? 1 : 0);
/* NOTREACHED */
+case ACL_MAX_BODY_SIZE:
+   return ((r-content_length  ((intlist *) ae-data)-i) ? 1 : 0);
 case ACL_URL_PORT:
return aclMatchIntegerRange(ae-data, (int) r-port);
/* NOTREACHED */
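Review bot: the match here compares `content_length` against only the first intlist entry (`((intlist *) ae-data)-i`), so `acl a max_body_size 10 20` silently ignores the 20; and a request with no Content-Length header (no body, or a chunked one) has no positive size to compare, so it should be an explicit no-match rather than falling through the signed comparison. As Henrik notes in the follow-up on this thread, the sense should also be inverted to match maxconn and max_user_ip (match unless above the maximum) so the new ACL reads the same way as the other max_* ACLs.
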
@@ -2149,6 +2156,9 @@
case ACL_MAXCONN:
intlistDestroy((intlist **)  a-data);
break;
+   case ACL_MAX_BODY_SIZE:
+   intlistDestroy((intlist **)  a-data);
+   break;
case ACL_MAX_USER_IP:
aclDestroyUserMaxIP(a-data);
break;
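Review bot: the new `case ACL_MAX_BODY_SIZE:` duplicates the `intlistDestroy` body of the `case ACL_MAXCONN:` label directly above it; add the label to the existing case instead, as the parse and dump hunks of this same patch already do.
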
@@ -2557,6 +2567,7 @@
 case ACL_SRC_ASN:
 case ACL_MAXCONN:
 case ACL_DST_ASN:
+case ACL_MAX_BODY_SIZE:
return aclDumpIntlistList(a-data);
 case ACL_MAX_USER_IP:
return aclDumpUserMaxIP(a-data);
diff -Nur squid-2.5.STABLE4-20040208/src/cf.data.pre 
squid-2.5.STABLE4-20040208-diegows/src/cf.data.pre
--- squid-2.5.STABLE4-20040208/src/cf.data.pre  Wed Feb  4 14:42:28 2004
+++ squid-2.5.STABLE4-20040208-diegows/src/cf.data.pre  Sun Feb  8 19:29:05 2004
@@ -2082,6 +2082,10 @@
  # effect in rules that affect the reply data stream such as
  # http_reply_access.
 
+   acl aclname max_body_size bytes
+ # This will be matched when the client's HTTP Request Body is
+ # greater than bytes.
+
acl acl_name external class_name [arguments...]
  # external ACL lookup via a helper class defined by the
  # external_acl_type directive.
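Review bot: the new squid.conf text should say what happens to requests without a body (they do not match) and that the limit is compared against the request's Content-Length, not the bytes actually received, since that is what the acl.c change tests; it should also mention request_body_max_size, which this ACL overlaps with and which Robert suggests consolidating in the follow-up on this thread.
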
diff -Nur squid-2.5.STABLE4-20040208/src/enums.h 
squid-2.5.STABLE4-20040208-diegows/src/enums.h
--- squid-2.5.STABLE4-20040208/src/enums.h  Wed Feb  4 14:42:28 2004
+++ squid-2.5.STABLE4-20040208-diegows/src/enums.h  Sun Feb  8 15:34:06 2004
@@ -137,6 +137,7 @@
 ACL_MAX_USER_IP,
 ACL_EXTERNAL,
 ACL_URLLOGIN,
+ACL_MAX_BODY_SIZE,
 ACL_ENUM_MAX
 } squid_acl;
 


Satellite Connections

2004-02-06 Thread Diego Woitasen (Lanux)
Does somebody know of a project that implements optimizations for Internet
satellite connections? For example, to avoid multiple requests to get a
page. The satellite ISP provides software called RPA that GETs a page
in only one request. Is this possible with squid, or is it possible to
implement with a parent-sibling relationship?

Thanks!

-- 
Diego Woitasen
LANUX


DEFAULT and DEFAULT_IF_NONE

2003-12-05 Thread Diego Woitasen (Lanux)

In cf.data.pre, what's the difference between DEFAULT and
DEFAULT_IF_NONE?




Support for bogus clients (again)

2003-09-11 Thread Diego Woitasen (Lanux)
This is the patch (indent 1.9.1) and it applies to squid-2.5 CVS.

Changes:
- support for bogus clients in authentication, forcing the use
  of some scheme for some clients with acls.
- authenticateAuthSchemeConfigure() renamed to
  authenticateAuthSchemeActive().
- New authenticateAuthSchemeConfigure() function.

authentication example:
acl basic_auth proxy_auth -b REQUIRED
acl ntlm_auth proxy_auth -n REQUIRED
acl ip1 src 10.10.10.10
acl ip2 src 10.10.10.11
http_access allow ip1 basic_auth
http_access allow ip2 ntlm_auth
...then basic auth is offered to ip1 and ntlm is offered to ip2
(in authenticateFixHeader()).

Please check this and apply it if it is OK, or tell me how I can do this better; I think
that it is necessary.

Thanks! 


diff -Nru squid-2.5/src/acl.c squid-2.5-ws/src/acl.c
--- squid-2.5/src/acl.c Mon May 12 04:24:37 2003
+++ squid-2.5-ws/src/acl.c  Sun Sep  7 13:37:50 2003
@@ -628,11 +628,33 @@
 }
 data = *current;
 Top = data-names;
-if ((t = strtokFile())) {
-   debug(28, 5) (aclParseUserList: First token is %s\n, t);
+data-flags.schemeid = -1;
+while ((t = strtokFile())) {
+   debug(28, 5) (aclParseUserList: token is %s\n, t);
if (strcmp(-i, t) == 0) {
debug(28, 5) (aclParseUserList: Going case-insensitive\n);
data-flags.case_insensitive = 1;
+   } else if (strcmp(-b, t) == 0) {
+   if (!authenticateAuthSchemeConfigured(basic)) {
+   debug(28, 5) (aclParseUserList: -b switch ignored, basic auth not 
configured\n);
+   continue;
+   }
+   debug(28, 5) (aclParseUserList: using basic auth\n);
+   data-flags.schemeid = authenticateAuthSchemeId(basic);
+   } else if (strcmp(-n, t) == 0) {
+   if (!authenticateAuthSchemeConfigured(ntlm)) {
+   debug(28, 5) (aclParseUserList: -n switch ignored, ntlm auth not 
configured\n);
+   continue;
+   }
+   debug(28, 5) (aclParseUserList: using ntlm auth\n);
+   data-flags.schemeid = authenticateAuthSchemeId(ntlm);
+   } else if (strcmp(-d, t) == 0) {
+   if (!authenticateAuthSchemeConfigured(digest)) {
+   debug(28, 5) (aclParseUserList: -d switch ignored, digest auth not 
configured\n);
+   continue;
+   }
+   debug(28, 5) (aclParseUserList: using digest auth\n);
+   data-flags.schemeid = authenticateAuthSchemeId(digest);
} else if (strcmp(REQUIRED, t) == 0) {
debug(28, 5) (aclParseUserList: REQUIRED-type enabled\n);
data-flags.required = 1;
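Review bot: when `-b`, `-n` or `-d` names a scheme that is not configured, the switch is dropped with a level-5 debug line and the ACL silently falls back to accepting any scheme, which is the opposite of what the administrator asked for; that deserves at least a level-1 warning, if not a fatal configuration error. The three branches also overwrite `data-flags.schemeid` last-one-wins with no diagnostic, and the three near-identical blocks could be one lookup keyed on the scheme name.
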
@@ -644,15 +666,9 @@
 }
 debug(28, 3) (aclParseUserList: Case-insensitive-switch is %d\n,
data-flags.case_insensitive);
-/* we might inherit from a previous declaration */
-
-debug(28, 4) (aclParseUserList: parsing user list\n);
-while ((t = strtokFile())) {
-   debug(28, 6) (aclParseUserList: Got token: %s\n, t);
-   if (data-flags.case_insensitive)
-   Tolower(t);
-   Top = splay_insert(xstrdup(t), Top, (SPLAYCMP *) strcmp);
-}
+debug(28, 3) (aclParseUserList: scheme ID is %d\n, data-flags.schemeid);
+/* we might inherit from a previous declaration, (?, [EMAIL PROTECTED]) */
+debug(28, 4) (aclParseUserList: user list parsed \n);
 data-names = Top;
 }
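Review bot: the `(?, [EMAIL PROTECTED])` fragment left in the `we might inherit from a previous declaration` comment reads as an unfinished note and should be resolved or removed before commit. With token parsing folded into the single loop of the previous hunk, `-i` is now recognised anywhere on the line; if the unchanged else-branch still lowercases and inserts each name as it is read, `-i` only affects the names that follow it, which the squid.conf help should state.
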
 
@@ -1695,6 +1711,7 @@
int answer;
checklist-current_acl = list-acl;
AclMatchedName = list-acl-name;
+   AclMatched = list-acl;
debug(28, 3) (aclMatchAclList: checking %s%s\n,
list-op ? null_string : !, list-acl-name);
answer = aclMatchAcl(list-acl, checklist);
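Review bot: `AclMatched` is a new global beside `AclMatchedName`; its declaration is not in the part of the diff shown, and like `AclMatchedName` it is overwritten by any nested ACL evaluation (the 407 patch elsewhere on this page notes how AclMatchedName gets clobbered by clientCreateStoreEntry), so the selected scheme id is safer carried in the checklist or the auth_user_request than read back from a global later.
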
diff -Nru squid-2.5/src/authenticate.c squid-2.5-ws/src/authenticate.c
--- squid-2.5/src/authenticate.cSun May 18 18:49:19 2003
+++ squid-2.5-ws/src/authenticate.c Sun Sep  7 18:53:25 2003
@@ -56,9 +56,8 @@
 
 /* Generic Functions */
 
-
 static int
-authenticateAuthSchemeConfigured(const char *proxy_auth)
+authenticateAuthSchemeActive(const char *proxy_auth)
 {
 authScheme *scheme;
 int i;
@@ -71,6 +70,7 @@
 return 0;
 }
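Review bot: renaming authenticateAuthSchemeConfigured to authenticateAuthSchemeActive while introducing a new, differently-behaving authenticateAuthSchemeConfigured (the one acl.c calls in this patch) means any other caller of the old name silently changes meaning; give the new function a fresh name, or at least spell out the semantic change in the commit message.
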
 
+
 int
 authenticateAuthSchemeId(const char *typestr)
 {
@@ -90,7 +90,7 @@
 assert(proxy_auth != NULL);
 assert(auth_user_request != NULL); /* we need this created for us. */
 debug(29, 9) (authenticateDecodeAuth: header = '%s'\n, proxy_auth);
-if (authenticateAuthSchemeConfigured(proxy_auth)) {
+if (authenticateAuthSchemeActive(proxy_auth)) {
/* we're configured to use this scheme - but is it active ? */
if ((i = authenticateAuthSchemeId(proxy_auth)) != -1) {
authscheme_list[i].decodeauth(auth_user_request, proxy_auth);
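Review bot: the comment `we're configured to use this scheme - but is it active ?` now sits right after a call to authenticateAuthSchemeActive, so it no longer describes the check being made; update it to match the rename.
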
@@ -733,14 +733,26 @@
else {
int i;
authScheme *scheme;
-   /* call each configured  running authscheme */
-   for (i = 0; i  Config.authConfig.n_configured; i++) {
-   scheme = 

Re: Patch for bogus clients en authentication

2003-09-07 Thread Diego Woitasen (Lanux)
On Sat, Sep 06, 2003 at 07:38:00AM +1000, Robert Collins wrote:
 On Sat, 2003-09-06 at 01:18, Diego Woitasen wrote:
  This patch adds 3 switches to acl proxy_auth to force an authentication
  scheme for bogus clients, like IE and Messenger (see squid.conf help).
  
  Can somebody please check this and send me your opinion.
 
 Please run 
 indent -br -ce -i4 -ci4 -l80 -nlp -npcs -npsl -d0 -sc -di0 -psl
 
 over your modified files to remove whitespace changes, and then
 regenerate the patch.
 
 Thank you,
 Rob
  
 -- 
 GPG key available at: http://members.aardvark.net.au/lifeless/keys.txt.

Oops! Sorry. This is the right patch (indent 1.9.1) and it applies to
squid-2.5 CVS.
Changes:
- support for bogus clients in authentication.
- authenticateAuthSchemeConfigure() renamed to
  authenticateAuthSchemeActive().
- New authenticateAuthSchemeConfigure() function.

Please check this and apply it if it is OK, or tell me how I can do this
better...

Thanks!

Diego Woitasen
LUGAR - Linux Users Group Argentina


diff -Nru squid-2.5/src/acl.c squid-2.5-ws/src/acl.c
--- squid-2.5/src/acl.c Mon May 12 04:24:37 2003
+++ squid-2.5-ws/src/acl.c  Sun Sep  7 13:37:50 2003
@@ -628,11 +628,33 @@
 }
 data = *current;
 Top = data-names;
-if ((t = strtokFile())) {
-   debug(28, 5) (aclParseUserList: First token is %s\n, t);
+data-flags.schemeid = -1;
+while ((t = strtokFile())) {
+   debug(28, 5) (aclParseUserList: token is %s\n, t);
if (strcmp(-i, t) == 0) {
debug(28, 5) (aclParseUserList: Going case-insensitive\n);
data-flags.case_insensitive = 1;
+   } else if (strcmp(-b, t) == 0) {
+   if (!authenticateAuthSchemeConfigured(basic)) {
+   debug(28, 5) (aclParseUserList: -b switch ignored, basic auth not 
configured\n);
+   continue;
+   }
+   debug(28, 5) (aclParseUserList: using basic auth\n);
+   data-flags.schemeid = authenticateAuthSchemeId(basic);
+   } else if (strcmp(-n, t) == 0) {
+   if (!authenticateAuthSchemeConfigured(ntlm)) {
+   debug(28, 5) (aclParseUserList: -n switch ignored, ntlm auth not 
configured\n);
+   continue;
+   }
+   debug(28, 5) (aclParseUserList: using ntlm auth\n);
+   data-flags.schemeid = authenticateAuthSchemeId(ntlm);
+   } else if (strcmp(-d, t) == 0) {
+   if (!authenticateAuthSchemeConfigured(digest)) {
+   debug(28, 5) (aclParseUserList: -d switch ignored, digest auth not 
configured\n);
+   continue;
+   }
+   debug(28, 5) (aclParseUserList: using digest auth\n);
+   data-flags.schemeid = authenticateAuthSchemeId(digest);
} else if (strcmp(REQUIRED, t) == 0) {
debug(28, 5) (aclParseUserList: REQUIRED-type enabled\n);
data-flags.required = 1;
@@ -644,15 +666,9 @@
 }
 debug(28, 3) (aclParseUserList: Case-insensitive-switch is %d\n,
data-flags.case_insensitive);
-/* we might inherit from a previous declaration */
-
-debug(28, 4) (aclParseUserList: parsing user list\n);
-while ((t = strtokFile())) {
-   debug(28, 6) (aclParseUserList: Got token: %s\n, t);
-   if (data-flags.case_insensitive)
-   Tolower(t);
-   Top = splay_insert(xstrdup(t), Top, (SPLAYCMP *) strcmp);
-}
+debug(28, 3) (aclParseUserList: scheme ID is %d\n, data-flags.schemeid);
+/* we might inherit from a previous declaration, (?, [EMAIL PROTECTED]) */
+debug(28, 4) (aclParseUserList: user list parsed \n);
 data-names = Top;
 }
 
@@ -1695,6 +1711,7 @@
int answer;
checklist-current_acl = list-acl;
AclMatchedName = list-acl-name;
+   AclMatched = list-acl;
debug(28, 3) (aclMatchAclList: checking %s%s\n,
list-op ? null_string : !, list-acl-name);
answer = aclMatchAcl(list-acl, checklist);
diff -Nru squid-2.5/src/authenticate.c squid-2.5-ws/src/authenticate.c
--- squid-2.5/src/authenticate.cSun May 18 18:49:19 2003
+++ squid-2.5-ws/src/authenticate.c Sun Sep  7 18:53:25 2003
@@ -56,9 +56,8 @@
 
 /* Generic Functions */
 
-
 static int
-authenticateAuthSchemeConfigured(const char *proxy_auth)
+authenticateAuthSchemeActive(const char *proxy_auth)
 {
 authScheme *scheme;
 int i;
@@ -71,6 +70,7 @@
 return 0;
 }
 
+
 int
 authenticateAuthSchemeId(const char *typestr)
 {
@@ -90,7 +90,7 @@
 assert(proxy_auth != NULL);
 assert(auth_user_request != NULL); /* we need this created for us. */
 debug(29, 9) (authenticateDecodeAuth: header = '%s'\n, proxy_auth);
-if (authenticateAuthSchemeConfigured(proxy_auth)) {
+if (authenticateAuthSchemeActive(proxy_auth)) {
/* we're configured to use this scheme - but is it active ? */
if ((i = authenticateAuthSchemeId(proxy_auth)) != -1) {
authscheme_list[i].decodeauth(auth_user_request, proxy_auth);
@@ -733,14 +733,26

Re: Authentication

2003-08-14 Thread Diego Woitasen
OK, I'm reading the code now; it's somewhat confusing at first, but I'm
going to try to do it. I will report any news...

On Sun, 10 Aug 2003 at 04:30, Robert Collins wrote:
 On Sun, 2003-08-10 at 17:15, Henrik Nordstrom wrote:
 
  What would be a great idea to work on is the ability to have 
  different authentication domains, each with their own auth_param 
  settings.
 
  This would solve many things, including busted clients, but more 
  importantly situations where different authentication realms are needed 
  depending on the request/client.
 
 Yah, as a general purpose solution, I'm all for this. It requires much
 deeper work than that which this thread started with...
 
 We need separate auth caches.
 We need auth cache association by acl during the request process.
 We need the auth modules to remove all their current static data.
 
 In other words - this is on my long term 'do sometime' list. I'm more
 than happy to do it as a commercial contract if someone needs it done
 before 'sometime' :}.
 
 Cheers,
 Rob



Authentication

2003-08-11 Thread Diego Woitasen
Well, I'm working now on making the authentication framework work in the
same way as external acls, with names. For example:

 auth_param auth1 basic program /blah/blah/bin ...
 auth_param auth2 ntlm program /blah/blah/bin2 ...

 acl pass1 proxy_auth auth1 REQUIRED
 acl pass2 proxy_auth auth2 REQUIRED
 acl msn browser -i messenger
 acl ie browser -i explorer

 http_access allow msn pass1
 http_access allow ie pass2

 This is because (in this example) msn is not working with ntlm auth and
I need msn to authenticate against basic authentication.

 I want to hear comments about this...


-- 
Diego Woitasen
LUGAR