RE: [squid-users] Disable user accounts

2010-03-23 Thread David Parks
I created my own authentication module, and tried setting nonce_max_duration
to "1 minutes" (I also tried "1 minute", and "2 minutes" to make sure there
wasn't something funky with the word minutes). My authentication module logs
every time it is called. 

But when I sit there and hit refresh on the browser every ~15 seconds, I
don't get any re-authentication calls being made to the auth module (only
the initial authentication). I've kept this test up for over 5 min with no
re-authentication attempts to the auth module.

Did I misunderstand something, possibly? Or is nonce_max_duration not
actually causing re-authentication to the auth_module (perhaps it just
sticks within the cached authentication in squid)?

So far the only two ways to lock out users that I understand are the
nonce_max_duration (if I can make it work as I currently understand it
should), and banned user list ACLs w/ "-k reload" calls. If anyone thinks
I'm missing anything else let me know.

Thanks,
Dave



Quote from a previous email:

> nonce_max_duration determines how long the nonces may be used for.
> It's closer to what you are wanting, but I'm not sure if there are any
> nasty side effects of setting it too low.
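
An added example, not part of the original thread and not Squid project code: one way to do the log-driven lockout described above, summing bytes per user from access.log and rewriting the user file behind a banned-user ACL. It assumes Squid's native access.log layout; the log lines, the quota, the file path and the `banned` ACL name are constructed placeholders.

```python
import os
import tempfile
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1269300000.123    210 10.0.0.5 TCP_MISS/200 700000 GET http://example.com/a.iso alice DIRECT/192.0.2.10 application/octet-stream
1269300010.456     35 10.0.0.6 TCP_HIT/200 1500 GET http://example.com/ bob NONE/- text/html
1269300020.789    480 10.0.0.5 TCP_MISS/200 400000 GET http://example.com/b.iso alice DIRECT/192.0.2.10 application/octet-stream
1269300030.001      2 10.0.0.7 TCP_DENIED/407 1800 GET http://example.com/ - NONE/- text/html
truncated line
"""

# Assumed squid.conf lines that consume the file (path is a placeholder),
# placed before the http_access allow rules:
#   acl banned proxy_auth "/etc/squid/banned_users"
#   http_access deny banned

def bytes_per_user(lines):
    """Sum the reply-size field (5th column) per authenticated user (8th column)."""
    totals = defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) < 10 or not fields[4].isdigit():
            continue  # skip truncated or malformed entries
        user = fields[7]
        if user != "-":  # "-" means the request carried no username
            totals[user] += int(fields[4])
    return dict(totals)

def over_quota(totals, quota_bytes):
    """Return the sorted user names whose total exceeds the quota."""
    return sorted(u for u, n in totals.items() if n > quota_bytes)

def write_banned_file(path, users):
    """Atomically replace the ACL file so Squid never reads a half-written list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.writelines(u + "\n" for u in users)
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the Squid user must be able to read it
    os.replace(tmp, path)

if __name__ == "__main__":
    totals = bytes_per_user(SAMPLE_LOG.splitlines())
    banned = over_quota(totals, quota_bytes=1_000_000)
    print(totals, banned)
```

Squid picks up the rewritten file only on `squid -k reconfigure`, which the 2010-03-22 reply in this thread says breaks client connections in current Squid; the same reply notes that a stream already in progress is not cut off.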







RE: [squid-users] Disable user accounts

2010-03-22 Thread Amos Jeffries
On Mon, 22 Mar 2010 16:26:26 -0600, "David Parks" wrote:
> So, if I understand correctly, squid has no way for me to force a user
> account to be expired or cleared prematurely. Setting the
> nonce_max_duration low wouldn't block a user with a constant stream of
> traffic, say watching a video for example.

Even obsolete auth details won't block an existing stream.
The key word there is "prematurely".

> 
> If the above statements are correct, then do you have any thoughts on how

They are not quite.

> challenging a change like this would be at the code level? For example,
> having a command similar to "squid -k reconfigure" (e.g. "squid -r
> user_to_expire") in which case squid would simply expire the given
> credentials, thus "tricking" squid into re-authenticating on demand?

-k reconfigure and -k restart will break client connections in current
Squid.

> 
> If user credentials are simply a table in memory this seems conceptually
> simple to accomplish. Though I'm a java developer and haven't touched C/++
> in many years, so I'm not sure this is worth considering unless you think
> it's as simple as it seems like it could be.

The user credentials are tagged data associated with each request. They
exist for as long as the request is ongoing.  Some are also attached to
specific TCP connections and live as long as the connection or until new
auth data is received inside the connection.

I say your statements above are "not quite" because of this:
http://wiki.squid-cache.org/Features/Authentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F

> 
> Thanks!
> Dave
> 
> p.s. my purpose in following this line of questioning is to monitor log
> files for per user traffic, and after a user exceeds their data transfer
> quota, I need to block further access. I don't want to slow access for
> users
> within their quota.
> 

Real quota control is something that has long been wanted in Squid and the
groundwork has almost finished being laid into 3.2 but nobody yet has the
time to actually implement the feature.
http://wiki.squid-cache.org/Features/Quota

Amos


RE: [squid-users] Disable user accounts

2010-03-22 Thread David Parks
So, if I understand correctly, squid has no way for me to force a user
account to be expired or cleared prematurely. Setting the nonce_max_duration
low wouldn't block a user with a constant stream of traffic, say watching a
video for example.

If the above statements are correct, then do you have any thoughts on how
challenging a change like this would be at the code level? For example,
having a command similar to "squid -k reconfigure" (e.g. "squid -r
user_to_expire") in which case squid would simply expire the given
credentials, thus "tricking" squid into re-authenticating on demand?

If user credentials are simply a table in memory this seems conceptually
simple to accomplish. Though I'm a java developer and haven't touched C/++
in many years, so I'm not sure this is worth considering unless you think
it's as simple as it seems like it could be.

Thanks!
Dave

p.s. my purpose in following this line of questioning is to monitor log
files for per user traffic, and after a user exceeds their data transfer
quota, I need to block further access. I don't want to slow access for users
within their quota.




-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Monday, March 22, 2010 12:35 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Disable user accounts

David Parks wrote:
> I will be monitoring squid usage logs and need to disable user 
> accounts from an external app (block them from making use of the proxy 
> after they are authenticated).
> 
> I'm not quite following the FAQ on this
> (http://wiki.squid-cache.org/Features/Authentication?action=show&redirect=SquidFaq/ProxyAuthentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F)
> because I don't have any criteria on which the ACL might force a
> re-negotiation (or I just don't understand the proposed solution).

Re-challenge is automatic whenever a new request needs to be authed and the
currently known credentials are unknown or too old to be used.

> 
> I'm also not clear if ("nonce_garbage_interval") and
> ("nonce_max_duration") are actually forcing a password check against 
> the authentication module, or if they are just dealing with the 
> nuances of the digest authentication protocol. I have them set to

garbage collection only removes things known to be dead already. The garbage
interval determines how often the memory caches are cleaned out above and
beyond the regular as-used cleanings.

nonce_max_duration determines how long the nonces may be used for.
It's closer to what you are wanting, but I'm not sure if there are any nasty
side effects of setting it too low.

> their defaults, but after making a change to the password file that 
> digest_pw_auth helper uses, I do not get challenged for the updated 
> password. Could it just be that digest_pw_auth didn't re-read the 
> password file after I made the change?

Yes.

> 
> Thanks! David
> 
> 
> p.s. thanks for all of the responses to this point, I haven't replied 
> as such with a "thanks", but the help on this user group is fantastic 
> and is really appreciated, particularly Amos, you're a god-send!

Welcome.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18




Re: [squid-users] Disable user accounts

2010-03-21 Thread Amos Jeffries

David Parks wrote:
> I will be monitoring squid usage logs and need to disable user
> accounts from an external app (block them from making use of the
> proxy after they are authenticated).
>
> I'm not quite following the FAQ on this
> (http://wiki.squid-cache.org/Features/Authentication?action=show&redirect=SquidFaq/ProxyAuthentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F)
> because I don't have any criteria on which the ACL might force a
> re-negotiation (or I just don't understand the proposed solution).


Re-challenge is automatic whenever a new request needs to be authed and 
the currently known credentials are unknown or too old to be used.




> I'm also not clear if ("nonce_garbage_interval") and
> ("nonce_max_duration") are actually forcing a password check against
> the authentication module, or if they are just dealing with the
> nuances of the digest authentication protocol. I have them set to


garbage collection only removes things known to be dead already. The 
garbage interval determines how often the memory caches are cleaned out 
above and beyond the regular as-used cleanings.


nonce_max_duration determines how long the nonces may be used for.
It's closer to what you are wanting, but I'm not sure if there are any
nasty side effects of setting it too low.



> their defaults, but after making a change to the password file that
> digest_pw_auth helper uses, I do not get challenged for the updated
> password. Could it just be that digest_pw_auth didn't re-read the
> password file after I made the change?


Yes.



> Thanks! David
>
>
> p.s. thanks for all of the responses to this point, I haven't replied
> as such with a "thanks", but the help on this user group is fantastic
> and is really appreciated, particularly Amos, you're a god-send!


Welcome.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
  Current Beta Squid 3.1.0.18


[squid-users] Disable user accounts

2010-03-21 Thread David Parks
I will be monitoring squid usage logs and need to disable user accounts from an 
external app (block them from making use of the proxy after they are 
authenticated). 

I'm not quite following the FAQ on this 
(http://wiki.squid-cache.org/Features/Authentication?action=show&redirect=SquidFaq/ProxyAuthentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F)
 because I don't have any criteria on which the ACL might force a 
re-negotiation (or I just don't understand the proposed solution).

I'm also not clear if ("nonce_garbage_interval") and ("nonce_max_duration") are 
actually forcing a password check against the authentication module, or if they 
are just dealing with the nuances of the digest authentication protocol. I have 
them set to their defaults, but after making a change to the password file that 
digest_pw_auth helper uses, I do not get challenged for the updated password. 
Could it just be that digest_pw_auth didn't re-read the password file after I 
made the change?

Thanks!
David


p.s. thanks for all of the responses to this point, I haven't replied as such 
with a "thanks", but the help on this user group is fantastic and is really 
appreciated, particularly Amos, you're a god-send!