RE: [squid-users] Disable user accounts
I created my own authentication module, and tried setting nonce_max_duration to "1 minutes" (I also tried "1 minute", and "2 minutes" to make sure there wasn't something funky with the word minutes). My authentication module logs every time it is called. But when I sit there and hit refresh on the browser every ~15 seconds, I don't get any re-authentication calls being made to the auth module (only the initial authentication). I've kept this test up for over 5 min with no re-authentication attempts to the auth module.

Did I misunderstand something possibly? Or is nonce_max_duration not actually causing re-authentication to the auth_module (perhaps it just sticks within the cached authentication in squid?)

So far the only two ways to lock out users that I understand are the nonce_max_duration (if I can make it work as I currently understand it should), and banned user list ACLs w/ "-k reload" calls. If anyone thinks I'm missing anything else let me know.

Thanks,
Dave

Quote from a previous email:
> nonce_max_duration determines how long the nonces may be used for.
> It's closer to what you are wanting, but I'm not sure if there are any nasty side effects of setting it too low.
RE: [squid-users] Disable user accounts
On Mon, 22 Mar 2010 16:26:26 -0600, "David Parks" wrote:
> So, if I understand correctly, squid has no way for me to force a user
> account to be expired or cleared prematurely. Setting the
> nonce_max_duration low wouldn't block a user with a constant stream of
> traffic, say watching a video for example.

Even obsolete auth details won't block an existing stream.
The key word there is "prematurely".

>
> If the above statements are correct, then do you have any thoughts on how

They are not quite.

> challenging a change like this would be at the code level? For example,
> having a command similar to "squid -k reconfigure" (e.g. "squid -r
> user_to_expire") in which case squid would simply expire the given
> credentials, thus "tricking" squid into re-authenticating on demand?

-k reconfigure and -k restart will break client connections in current Squid.

>
> If user credentials are simply a table in memory this seems conceptually
> simple to accomplish. Though I'm a java developer and haven't touched C/++
> in many years, so I'm not sure this is worth considering unless you think
> it's as simple as it seems like it could be.

The user credentials are tagged data associated with each request. They exist for as long as the request is ongoing. Some are also attached to specific TCP connections and live as long as the connection or until new auth data is received inside the connection.

I say your statements above are "not quite" because of this:
http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F

>
> Thanks!
> Dave
>
> p.s. my purpose in following this line of questioning is to monitor log
> files for per user traffic, and after a user exceeds their data transfer
> quota, I need to block further access. I don't want to slow access for
> users within their quota.
>

Real quota control is something that has long been wanted in Squid and the groundwork has almost finished being laid into 3.2 but nobody yet has the time to actually implement the feature.
http://wiki.squid-cache.org/Features/Quota

Amos
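The log-driven lockout discussed in the two messages above (per-user traffic totals from the access log feeding a banned-user ACL) can be sketched as follows. This is an added example, not code from the thread or from the Squid project; the log lines are constructed, and the ACL name, ban-list path and quota value are assumptions.

```python
import os
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1269300000.101    120 10.0.0.5 TCP_MISS/200 400000 GET http://example.com/a alice DIRECT/93.184.216.34 text/html
1269300001.202     15 10.0.0.5 TCP_DENIED/407 1800 GET http://example.com/b - NONE/- text/html
1269300002.303    900 10.0.0.6 TCP_MISS/200 700000 GET http://example.com/video bob DIRECT/93.184.216.34 video/mp4
1269300003.404    850 10.0.0.6 TCP_MISS/200 600000 GET http://example.com/video2 bob DIRECT/93.184.216.34 video/mp4
truncated line
"""

# squid.conf side (assumed ACL name and path), placed before the allow rules:
#   acl banned proxy_auth "/etc/squid/banned_users"
#   http_access deny banned


def bytes_per_user(lines):
    """Sum the bytes field (5th column) per authenticated user (8th column)."""
    totals = defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) < 10 or not fields[4].isdigit():
            continue  # skip malformed or truncated records
        user = fields[7]
        if user == "-":
            continue  # no credentials on this request, e.g. the 407 challenge
        totals[user] += int(fields[4])
    return dict(totals)


def over_quota(totals, quota_bytes):
    """Return the sorted list of users whose total exceeds the quota."""
    return sorted(u for u, n in totals.items() if n > quota_bytes)


def write_ban_list(users, path):
    """Write via a temp file and rename so Squid never reads a partial list."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.writelines(u + "\n" for u in users)
    os.replace(tmp, path)


if __name__ == "__main__":
    totals = bytes_per_user(SAMPLE_LOG.splitlines())
    print(totals, over_quota(totals, quota_bytes=1_000_000))
```

Squid writes an access.log record when a transaction finishes, so a long-running transfer is only counted once it ends, and the ban list takes effect on the next `squid -k reconfigure`, which per the reply above breaks client connections in current Squid.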
RE: [squid-users] Disable user accounts
So, if I understand correctly, squid has no way for me to force a user account to be expired or cleared prematurely. Setting the nonce_max_duration low wouldn't block a user with a constant stream of traffic, say watching a video for example.

If the above statements are correct, then do you have any thoughts on how challenging a change like this would be at the code level? For example, having a command similar to "squid -k reconfigure" (e.g. "squid -r user_to_expire") in which case squid would simply expire the given credentials, thus "tricking" squid into re-authenticating on demand?

If user credentials are simply a table in memory this seems conceptually simple to accomplish. Though I'm a java developer and haven't touched C/++ in many years, so I'm not sure this is worth considering unless you think it's as simple as it seems like it could be.

Thanks!
Dave

p.s. my purpose in following this line of questioning is to monitor log files for per user traffic, and after a user exceeds their data transfer quota, I need to block further access. I don't want to slow access for users within their quota.

-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Monday, March 22, 2010 12:35 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Disable user accounts

David Parks wrote:
> I will be monitoring squid usage logs and need to disable user
> accounts from an external app (block them from making use of the proxy
> after they are authenticated).
>
> I'm not quite following the FAQ on this
> (http://wiki.squid-cache.org/Features/Authentication?action=show&redirect=SquidFaq/ProxyAuthentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F)
> because I don't have any criteria on
> which the ACL might force a re-negotiation (or I just don't understand
> the proposed solution).

Re-challenge is automatic whenever a new request needs to be authed and the currently known credentials are unknown or too old to be used.

>
> I'm also not clear if ("nonce_garbage_interval") and
> ("nonce_max_duration") are actually forcing a password check against
> the authentication module, or if they are just dealing with the
> nuances of the digest authentication protocol. I have them set to

garbage collection only removes things known to be dead already. The garbage interval determines how often the memory caches are cleaned out above and beyond the regular as-used cleanings.

nonce_max_duration determines how long the nonces may be used for. It's closer to what you are wanting, but I'm not sure if there are any nasty side effects of setting it too low.

> their defaults, but after making a change to the password file that
> digest_pw_auth helper uses, I do not get challenged for the updated
> password. Could it just be that digest_pw_auth didn't re-read the
> password file after I made the change?

Yes.

>
> Thanks! David
>
>
> p.s. thanks for all of the responses to this point, I haven't replied
> as such with a "thanks", but the help on this user group is fantastic
> and is really appreciated, particularly Amos, you're a god-send!

Welcome.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18
Re: [squid-users] Disable user accounts
David Parks wrote:
> I will be monitoring squid usage logs and need to disable user accounts from an external app (block them from making use of the proxy after they are authenticated).
>
> I'm not quite following the FAQ on this (http://wiki.squid-cache.org/Features/Authentication?action=show&redirect=SquidFaq/ProxyAuthentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F) because I don't have any criteria on which the ACL might force a re-negotiation (or I just don't understand the proposed solution).

Re-challenge is automatic whenever a new request needs to be authed and the currently known credentials are unknown or too old to be used.

> I'm also not clear if ("nonce_garbage_interval") and ("nonce_max_duration") are actually forcing a password check against the authentication module, or if they are just dealing with the nuances of the digest authentication protocol. I have them set to

garbage collection only removes things known to be dead already. The garbage interval determines how often the memory caches are cleaned out above and beyond the regular as-used cleanings.

nonce_max_duration determines how long the nonces may be used for. It's closer to what you are wanting, but I'm not sure if there are any nasty side effects of setting it too low.

> their defaults, but after making a change to the password file that digest_pw_auth helper uses, I do not get challenged for the updated password. Could it just be that digest_pw_auth didn't re-read the password file after I made the change?

Yes.

> Thanks! David
>
> p.s. thanks for all of the responses to this point, I haven't replied as such with a "thanks", but the help on this user group is fantastic and is really appreciated, particularly Amos, you're a god-send!

Welcome.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18
[squid-users] Disable user accounts
I will be monitoring squid usage logs and need to disable user accounts from an external app (block them from making use of the proxy after they are authenticated).

I'm not quite following the FAQ on this (http://wiki.squid-cache.org/Features/Authentication?action=show&redirect=SquidFaq/ProxyAuthentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F) because I don't have any criteria on which the ACL might force a re-negotiation (or I just don't understand the proposed solution).

I'm also not clear if ("nonce_garbage_interval") and ("nonce_max_duration") are actually forcing a password check against the authentication module, or if they are just dealing with the nuances of the digest authentication protocol. I have them set to their defaults, but after making a change to the password file that digest_pw_auth helper uses, I do not get challenged for the updated password. Could it just be that digest_pw_auth didn't re-read the password file after I made the change?

Thanks!
David

p.s. thanks for all of the responses to this point, I haven't replied as such with a "thanks", but the help on this user group is fantastic and is really appreciated, particularly Amos, you're a god-send!