Re: [squid-users] Authorization in a different way
I do not know if an old idea of mine will be good for you but... I will write it anyway.

The basic way to do what you want is to use some kind of authentication in the session level and not the IP but.. You can use some "keep-alive" page which will use some JS to re-authenticate every couple seconds or minutes. The service like in TCP will assume that the connection is available as long as the client JS ran in the last couple seconds\minutes.

It can help you to allow a specific user to use a specific IP address as long as the JS runs. And if the user was not authenticated to the other service (which can run in https) for a period of time the session helper will not allow any other new session to pass in.

Hope it will help you.

Eliezer

On 13/01/2016 18:35, Christian Kunkel wrote:
> Hey guys,
>
> i need a way to authenticate or authorize users to my squid server so
> i can create some kind of a session and drop users after x hours they
> have been using my proxy. important thing would be to create only one
> session per user. i do not have access to users network. they are
> connecting from the internet and they also have nated ips. i thought
> about the classic way with http headers but i run into problems with
> some devices. so that's useless for me. to use the ip address is also
> not possible because it would authorize a lot of ppl at once if they
> are behind a nat. that's not what i want. i only can add a proxy
> address and a port to the devices which are connecting. right now i am
> using a unique port for every user. then redirect the port to a
> splash screen with a login form. when login is successful it
> triggers an iptables-script which redirects that port to squid. but
> that means everyone can actually use that port after someone
> successfully logged in.
>
> i am using squid 3.5.13 on debian 8.
>
> some hints would be awesome. thanks in advance guys :)
>
> Kind regards,
> Chris

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

Re: [squid-users] Authorization in a different way
On 14/01/2016 6:50 a.m., Christian Kunkel wrote:
> hey amos,
>
> maybe my english is too bad or maybe i am just not getting it. i can
> not use any kind of ip as authentication or authorization. first of
> all because of nat and second would be that the ip of a user changes
> regarding his location (mobile network).

The only mention I made of IPs was how your iptables rules need to be more restrictive to reduce the abuse that is possible.

>
> my understanding of ext_session_acl is or was that it uses an ip to
> create the session?! so if ip changes the session is dropped (can
> happen every 5min or when i am lucky the ip does not change for a
> couple of hours).
>

Both session helpers we provide use the external_acl directive's 'format' field as the session key. The basic session helper only accepts one parameter value in the format, the SQL-session helper accepts any number.

Online tutorials tend to use %SRC (IP address), our man page actually uses %LOGIN (auth username). You will just need to use something else. The helper does not care, it's just needing a unique per-session piece of text.

If you need more than one token to make up the key use the sql_session helper. It also fits in better with the splash page doing "login", since that splash page script will need to be the part doing session creation in the DB.

Amos

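An added sketch (not from the thread, and not the ext_session_acl or SQL session helper shipped with Squid) of the split described above: the splash-page login creates the session row, and the external ACL helper only checks the opaque key Squid sends on each request line. The table layout, function names, four-hour lifetime and database path are assumptions.

```python
import sqlite3
import sys
import time

LIFETIME = 4 * 3600  # assumed "x hours"; the thread gives no figure


def open_db(path):
    db = sqlite3.connect(path)
    # user is the primary key, so there can only be one session per user.
    db.execute("CREATE TABLE IF NOT EXISTS sessions ("
               "user TEXT PRIMARY KEY, token TEXT UNIQUE NOT NULL, "
               "started REAL NOT NULL)")
    return db


def create_session(db, user, token, now):
    """Splash-page side: a new login replaces the user's previous session."""
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
               (user, token, now))
    db.commit()


def check_session(db, token, now, lifetime=LIFETIME):
    """Helper side: the key is opaque text, never an IP address."""
    row = db.execute("SELECT started FROM sessions WHERE token = ?",
                     (token,)).fetchone()
    if row is None:
        return "ERR"
    if now - row[0] >= lifetime:  # fixed lifetime counted from login
        db.execute("DELETE FROM sessions WHERE token = ?", (token,))
        db.commit()
        return "ERR"
    return "OK"


def serve(db, lines, out):
    """One lookup per input line, one OK/ERR answer per output line."""
    for line in lines:
        fields = line.split()  # first field is the session key
        verdict = check_session(db, fields[0], time.time()) if fields else "ERR"
        out.write(verdict + "\n")
        out.flush()  # Squid waits for each answer, so never buffer it


if __name__ == "__main__":
    # Assumed path; the login script must open the same file.
    serve(open_db("/var/lib/squid/sessions.db"), sys.stdin, sys.stdout)
```

Because the row is keyed on the user and the lookup on the token, a second login invalidates the first token, and a changing client IP has no effect on the session.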
Re: [squid-users] Authorization in a different way
hey amos,

maybe my english is too bad or maybe i am just not getting it. i can not use any kind of ip as authentication or authorization. first of all because of nat and second would be that the ip of a user changes regarding his location (mobile network).

my understanding of ext_session_acl is or was that it uses an ip to create the session?! so if ip changes the session is dropped (can happen every 5min or when i am lucky the ip does not change for a couple of hours).

> On 13.01.2016 at 17:53, Amos Jeffries wrote:
>
>> On 14/01/2016 5:35 a.m., Christian Kunkel wrote:
>> Hey guys,
>>
>> i need a way to authenticate or authorize users to my squid server so
>> i can create some kind of a session and drop users after x hours they
>> have been using my proxy. important thing would be to create only one
>> session per user. i do not have access to users network. they are
>> connecting from the internet and they also have nated ips. i thought
>> about the classic way with http headers but i run into problems with
>> some devices. so that's useless for me. to use the ip address is also
>> not possible because it would authorize a lot of ppl at once if they
>> are behind a nat. that's not what i want. i only can add a proxy
>> address and a port to the devices which are connecting. right now i am
>> using a unique port for every user. then redirect the port to a
>> splash screen with a login form. when login is successful it
>> triggers an iptables-script which redirects that port to squid. but
>> that means everyone can actually use that port after someone
>> successfully logged in.
>
> Then your iptables script is redirecting wrong. It should only add rules
> to redirect a specific src-IP / dst-port pair.
>
>>
>> i am using squid 3.5.13 on debian 8.
>>
>> some hints would be awesome. thanks in advance guys :)
>
> Use the ext_session_acl helper or ext_session_sql_acl helper with "user"
> login as the session key / helper format.
>
> If you were using HTTP authentication the key would be %LOGIN. Since you
> are not it will be whatever you are using to identify the "user" within
> Squid.
>
> Amos

Re: [squid-users] Authorization in a different way
On 14/01/2016 5:35 a.m., Christian Kunkel wrote:
> Hey guys,
>
> i need a way to authenticate or authorize users to my squid server so
> i can create some kind of a session and drop users after x hours they
> have been using my proxy. important thing would be to create only one
> session per user. i do not have access to users network. they are
> connecting from the internet and they also have nated ips. i thought
> about the classic way with http headers but i run into problems with
> some devices. so that's useless for me. to use the ip address is also
> not possible because it would authorize a lot of ppl at once if they
> are behind a nat. that's not what i want. i only can add a proxy
> address and a port to the devices which are connecting. right now i am
> using a unique port for every user. then redirect the port to a
> splash screen with a login form. when login is successful it
> triggers an iptables-script which redirects that port to squid. but
> that means everyone can actually use that port after someone
> successfully logged in.

Then your iptables script is redirecting wrong. It should only add rules to redirect a specific src-IP / dst-port pair.

>
> i am using squid 3.5.13 on debian 8.
>
> some hints would be awesome. thanks in advance guys :)
>

Use the ext_session_acl helper or ext_session_sql_acl helper with "user" login as the session key / helper format.

If you were using HTTP authentication the key would be %LOGIN. Since you are not it will be whatever you are using to identify the "user" within Squid.

Amos