Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
On 21 Feb 2014, at 14:00, Wim Ramakers wrote:

> There is however still one thing I need to fix, I need to pass the client IP
> as parameter in the deny_info URL (to update the session db).
> http://www.squid-cache.org/Versions/v3/3.4/cfgman/deny_info.html tells me to
> use %i, but that returns a 0 instead of the client IP.
> http://www.squid-cache.org/Versions/v3/3.1/cfgman/deny_info.html mentions no
> URL FORMAT TAGS.
> How does it work in v3.1 to get the client IP?

Found a solution: in PHP I use $_SERVER['HTTP_X_FORWARDED_FOR'] to get the header, with squid set to 'forward_for on'.
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
Amos,

I implemented a custom 'session' helper that checks IPs and expiry date, and used the ACL order you gave in the regular session helper example. It works!

The reason why the default session helper does not work is that not only my browser is sending requests, but also apps like Facebook and Twitter... so they get the error but I do not in my browser.

Thanks to all who posted ideas here that got me on the right track!

There is however still one thing I need to fix: I need to pass the client IP as parameter in the deny_info URL (to update the session db).
http://www.squid-cache.org/Versions/v3/3.4/cfgman/deny_info.html tells me to use %i, but that returns a 0 instead of the client IP.
http://www.squid-cache.org/Versions/v3/3.1/cfgman/deny_info.html mentions no URL FORMAT TAGS.
How does it work in v3.1 to get the client IP?
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
On 21 Feb 2014, at 10:39, FredB wrote:

>> I now have implemented FredB's idea into my own basic helper in PHP,
>> which says ERR when the credential expire date time is in the past.
>> That seems to work also for iPads :)
>> That expire date time can be set (to now + xx min) via a PHP page and
>> correct credentials.
>
> Can you post your helper somewhere ? What about performance with many users ?
>
> Fred

No idea about performance yet... I've set up a web server on the proxy which checks credentials with an external db or LDAP and, if correct, fills the MySQL db for the helper (fields: username, password, expirationdatetime). The helper code is below.

For now I just check all entries of a username and password, but removing the record when it is expired is a to-do item; then the foreach can be replaced by a single check.

<?php
# Squid basic auth helper: reads "username password" lines on STDIN and
# answers OK or ERR, one line per request line. The start of the script was
# cut off in the archive; the lines down to 'SET NAMES utf8' are reconstructed
# and the connection settings are placeholders.
$dsn      = 'mysql:host=localhost;dbname=DBNAME';   # placeholder
$username = 'DBUSER';                               # placeholder
$password = 'DBPASS';                               # placeholder

while (($line = fgets(STDIN)) !== false) {
    $parts = explode(' ', trim($line), 2);
    if (count($parts) == 2) {
        list($user, $pass) = $parts;
        $options = array(
            PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8',
        );
        $dbh = new PDO($dsn, $username, $password, $options);
        $stmt = $dbh->prepare('SELECT * from authorizedclients WHERE usr=:usr AND pwd=:pwd');
        #$stmt = $dbh->prepare('SELECT * from authorizedclients');
        $stmt->bindParam(':usr', $user);
        $stmt->bindParam(':pwd', $pass);
        $stmt->execute();
        $results = $stmt->fetchAll();
        $res = false;
        foreach ($results as $row) {
            # any record for this user/password pair that has not expired yet means OK
            if (new DateTime($row['expires-after']) > new DateTime()) {
                $res = true;
                break;   # Squid expects exactly one answer line per request
            }
        }
        fwrite(STDOUT, $res ? "OK\n" : "ERR\n");
    } else {
        # malformed request line: fail closed
        fwrite(STDOUT, "ERR\n");
    }
    fflush(STDOUT);   # Squid waits for the reply; do not let it sit in a buffer
}
?>
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
> I now have implemented FredB's idea into my own basic helper in PHP,
> which says ERR when the credential expire date time is in the past.
> That seems to work also for iPads :)
> That expire date time can be set (to now + xx min) via a PHP page and
> correct credentials.

Can you post your helper somewhere ? What about performance with many users ?

Fred
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
On 2014-02-21 03:39, Wim Ramakers wrote:
> I now have implemented FredB's idea into my own basic helper in PHP,
> which says ERR when the credential expire date time is in the past.
> That seems to work also for iPads :)
> That expire date time can be set (to now + xx min) via a PHP page and
> correct credentials.
>
> Working fine, except for the fact that I now want to present the user
> the page to activate his credentials every 30 min...
>
> My target workflow is that when a user tries to access a page he is not
> allowed to, he will FIRST get the credential expire time update page
> where he can activate a ticket for a specified time, THEN when he tries
> again he must get the basic auth popup where his credentials will work
> now. The user may not first get the auth popup and need to know by
> himself that he has to go to the credential expire time update page first.
>
> I've tried some deny and allow rules with my ACLs, but can't find the
> good combination. If I could have the user redirected automatically to
> the credential expire time update page every xx minutes, that would
> solve my problem.

For that you check the session helper before the auth helper.

  acl loginCheck proxy_auth REQUIRED
  acl sessionPage external
  deny_info ... sessionPage

  # check if session has expired and show that page
  http_access deny !sessionPage

  # check if provided credentials are still valid
  http_access deny !loginCheck

NP: session page should even be able to be passed the old Proxy-Authentication header to see the old credentials as they expire.

> Another question: the Debian package of squid I use is v3.1.20, which
> has the old session helper and only has -t (timeout time) and not the
> -T (always after time) parameter. Is it possible to just add the new
> helper to my squid version (can I download it from somewhere?)?

Yes. The helper and Squid are separate programs. Except in a few cases where we are updating the communication between them in lock-step they are completely independent.

If the updated helper is one which is provided with Squid you can download and build the latest squid code then copy the built helper binary into your system libexec directory with the older ones.

Note that the mention of LOGIN/LOGOUT in the -T option description is referring to the session "LOGIN" URL being fetched. It has nothing to do with HTTP login popups by the browser.

You may be better off using the SQL-session helper from squid-3.4. It does not manage login/logout states itself, but relies on the session page being scripted to update an SQL database for whether the credentials it is checking are valid. You can use the basic_db_auth helper to check the same SQL database for HTTP login (and the popups).

It is a perl script, so:
 * select "download file" at http://bazaar.launchpad.net/~squid/squid/3.4/view/head:/helpers/external_acl/SQL_session/ext_sql_session_acl.pl.in
 * save without the ".in" suffix, and
 * change @PERL@ at the top of the script to your system's bin/perl path.
 * assign execution permissions (chmod +x) to the script
 * update your squid.conf and reconfigure Squid

> Or should I just make my own external helper for the sessions? In the
> basic auth helper I get the username and password, but what do I get
> with the external helpers? Just the name? When do I return which value?

That depends on your squid version. Squid-3.4 adds annotation support, so you can get anything you like out of the helpers.

With Squid-3.1 you get only username out of auth helpers and a few limited tag=, log=, message=, user=, password= out of the external ACL ones.

Note the external_ACL user= and password= results are not authentication credentials. They are authorization labels instead.

Amos
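The two pieces this thread converges on, as an added example that is neither Wim's helper nor any Squid-supplied code: a session external_acl helper that answers one OK/ERR line per "%SRC" request line (so an expired ticket makes "http_access deny !sessionPage" match and deny_info sends the client to the activation page), and the client-IP recovery that activation page needs when deny_info %i is unavailable on 3.1. It assumes the Squid 3.1 helper protocol without a concurrency channel id, an in-memory stand-in (SESSIONS) for the SQL table, and that the activation page runs on the proxy host (PROXY_ADDR); all three are constructed for the example.

```python
import sys
import time

# Constructed stand-in for the helper's session table: client_ip -> expiry (unix time).
# The real helper would query the same SQL table the activation page writes to.
T0 = 1_700_000_000
SESSIONS = {
    "10.0.0.5": T0 + 1800,   # activated for 30 minutes at T0
    "10.0.0.6": T0 - 60,     # already expired
}
PROXY_ADDR = "127.0.0.1"     # assumed: the activation page runs on the proxy host


def session_alive(store, client_ip, now):
    """True while client_ip holds an unexpired ticket (the expiry instant itself counts as expired)."""
    expires_at = store.get(client_ip)
    return expires_at is not None and now < expires_at


def handle_request(line, store, now):
    """Turn one Squid request line (format "%SRC") into the single reply line.

    %LOGIN is deliberately not requested: asking for it would make Squid demand
    credentials before this check runs, which is the order the thread is trying
    to avoid (session page first, auth popup second).
    """
    fields = line.strip().split()
    if len(fields) != 1:
        return "ERR"           # malformed or unexpected line: fail closed
    return "OK" if session_alive(store, fields[0], now) else "ERR"


def activate(store, client_ip, minutes, now):
    """What the activation page does once the user's credentials checked out."""
    store[client_ip] = now + minutes * 60


def client_ip_from_request(remote_addr, xff_header):
    """Recover the client IP on the activation page from X-Forwarded-For.

    Only trust the header when the request really arrived via the proxy, and
    take its last entry, the one Squid appended (forwarded_for on); any earlier
    entries may have been supplied by the client itself.
    """
    if remote_addr != PROXY_ADDR or not xff_header:
        return remote_addr
    return xff_header.split(",")[-1].strip()


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_request(line, SESSIONS, time.time()) + "\n")
        sys.stdout.flush()     # Squid waits for each reply; buffering would stall it


if __name__ == "__main__":
    main()
```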
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
I now have implemented FredB's idea into my own basic helper in PHP, which says ERR when the credential expire date time is in the past. That seems to work also for iPads :)
That expire date time can be set (to now + xx min) via a PHP page and correct credentials.

Working fine, except for the fact that I now want to present the user the page to activate his credentials every 30 min...

My target workflow is that when a user tries to access a page he is not allowed to, he will FIRST get the credential expire time update page where he can activate a ticket for a specified time, THEN when he tries again he must get the basic auth popup where his credentials will work now. The user may not first get the auth popup and need to know by himself that he has to go to the credential expire time update page first.

I've tried some deny and allow rules with my ACLs, but can't find the good combination. If I could have the user redirected automatically to the credential expire time update page every xx minutes, that would solve my problem.

Another question: the Debian package of squid I use is v3.1.20, which has the old session helper and only has -t (timeout time) and not the -T (always after time) parameter. Is it possible to just add the new helper to my squid version (can I download it from somewhere?)?

Or should I just make my own external helper for the sessions? In the basic auth helper I get the username and password, but what do I get with the external helpers? Just the name? When do I return which value?

Wim
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
On Wed, Feb 19, 2014 at 4:29 AM, Wim Ramakers wrote:
> On 19 Feb 2014, at 11:20, FredB wrote:
>
>>> Fred, have you ever tested your solution on an iOS7 iPad with Safari?
>>> I'm seeing different behavior between my Android 4.0 (Chrome
>>> browser) and my iPad. The Android in general behaves more as
>>> expected than the iPad.
>>>
>>> Wim
>>
>> Which differences exactly ?
>> Only tested with Firefox and IE on PC
>
> On my Android it seems to work, but on the iPad I never get asked for
> re-authentication.
>
> In general topics about iOS7 Safari and proxy usage (not squid specific) I
> read that some people have problems with the auth popup that keeps popping up
> all the time, while others complain about it NOT popping up... Would be nice
> if someone can confirm if it works with iOS7 Safari on an iPad; if it is a
> platform specific problem I can keep trying things for ages without finding a
> solution.

We only have a handful of Mac computers, but I recall one of them never asking for a password after it had been entered. I don't guess it somehow gets in Apple key chain and stays there does it? Not sure if the iPad has the key chain (I think that is what it was called) or not.

--
Scott Mayo
Mayo's Pioneer Seeds
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
On 19 Feb 2014, at 11:20, FredB wrote:
>
>> Fred, have you ever tested your solution on an iOS7 iPad with Safari?
>> I'm seeing different behavior between my Android 4.0 (Chrome
>> browser) and my iPad. The Android in general behaves more as
>> expected than the iPad.
>>
>> Wim
>
> Which differences exactly ?
> Only tested with Firefox and IE on PC

On my Android it seems to work, but on the iPad I never get asked for re-authentication.

In general topics about iOS7 Safari and proxy usage (not squid specific) I read that some people have problems with the auth popup that keeps popping up all the time, while others complain about it NOT popping up... Would be nice if someone can confirm if it works with iOS7 Safari on an iPad; if it is a platform specific problem I can keep trying things for ages without finding a solution.
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
> Fred, have you ever tested your solution on an iOS7 iPad with Safari?
> I'm seeing different behavior between my Android 4.0 (Chrome
> browser) and my iPad. The Android in general behaves more as
> expected than the iPad.
>
> Wim

Which differences exactly ?
Only tested with Firefox and IE on PC
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
Fred, have you ever tested your solution on an iOS7 iPad with Safari?
I'm seeing different behavior between my Android 4.0 (Chrome browser) and my iPad. The Android in general behaves more as expected than the iPad.

Wim
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
> Tried to compile it with patch applied but not yet working completely
> (first time I tried compiling it myself).
> I guess I'm doing something wrong because I don't get the helpers
> anywhere, but it seems to start the helpers that came with my
> squid3 Debian package as well (which is squid version 3.1.20).
>
> Squid now runs already, so I'm trying to configure everything again
> so I get an auth popup that verifies my credentials with LDAP...

Ok good

To avoid any problem, push

  errors/fr/* in /usr/share/squid3/errors/French/
  src/DiskIO/DiskDaemon/diskd in /usr/lib/squid/
  src/unlinkd in /usr/lib/squid/
  src/squid in /usr/sbin/
  tools/squidclient in /usr/sbin/
  helpers/basic_auth/LDAP/basic_ldap_auth in /usr/lib/squid/
  helpers/basic_auth/LDAP/squid_ldap_auth in /usr/lib/squid/
  helpers/log_daemon/file/log_file_daemon in /usr/lib/squid/
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
On 18 Feb 2014, at 13:45, FredB wrote:
> Hi,
>
> I made a patch for BASIC ident for squid 3.3.11
> http://numsys.eu/divers/squid/auth.patch by adding a new state CRED_BANNED = -3
> Beyond credentialsTTL value, there is a re-authentication with pop-up
>
> Hope this can help
>
> Fred

I took a look at your patch, makes sense to me.

Tried to compile it with patch applied but not yet working completely (first time I tried compiling it myself).
I guess I'm doing something wrong because I don't get the helpers anywhere, but it seems to start the helpers that came with my squid3 Debian package as well (which is squid version 3.1.20).

Squid now runs already, so I'm trying to configure everything again so I get an auth popup that verifies my credentials with LDAP...

Wim
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
Hi,

I made a patch for BASIC ident for squid 3.3.11 http://numsys.eu/divers/squid/auth.patch by adding a new state CRED_BANNED = -3
Beyond credentialsTTL value, there is a re-authentication with pop-up

Hope this can help

Fred
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
On 18 Feb 2014, at 11:53, Amos Jeffries wrote:
> ...
> The behaviour you are seeing is because the credentials are still valid
> in the authentication database.
>
> NP: browsers do not provide any logout mechanism to users. The above
> wiki page has an example of ACL configuration to force a change of
> credentials.
>
> Amos

Thank you for confirming that my findings are correct.

I'm reading about the squid_session external_acl_type; would setting the deny_info page to a URL that is not allowed for anyone (following the force-reauthentication hack) solve my problem and trigger a popup after the session time?
The force method works as expected, so if I could just redirect the user into that direction automatically that would be great!

Wim
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
On 18/02/2014 5:43 a.m., Scott Mayo wrote:
> On Mon, Feb 17, 2014 at 10:39 AM, Wim Ramakers wrote:
>> I forgot to paste the line in the first post, I've set
>> authenticate_cache_garbage_interval 5 minutes.
>>
>> Even after an hour I stayed authenticated, so I've changed it also to a
>> lower value.
>
>
> I am curious to this also then. I wonder if that is the browser. Is
> there a setting for how often a browser asks for authentication?
>
> My assumption would be that the browser asks Squid for authentication.
> Once it is authenticated with your LDAP, then it will not have to
> authenticate again until the browser asks again. I may be totally
> wrong though.
>

I think you are misunderstanding the authentication model in a big way. The browser is only asking Squid for access to a resource (via its URL). In a properly working authentication system the user will only be asked for credentials 0 or 1 times *total*. This goes for all authentication types.

http://wiki.squid-cache.org/Features/Authentication#How_does_Proxy_Authentication_work_in_Squid.3F

The behaviour you are seeing is because the credentials are still valid in the authentication database.

NP: browsers do not provide any logout mechanism to users. The above wiki page has an example of ACL configuration to force a change of credentials.

Amos
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
When I do a tcpdump and take a look at the raw packets I can see that squid does send a '407 Proxy Authentication Required' back to the client, but then the magic happens... Next I see a '200 Connection established' and some scrambled content (the page I request is https) and the page refreshes on my iPad, so Safari handled the 407 by itself without any kind of notification.

I'm going to search for a solution with sessions that can be set by an external splash/log-in screen. If someone knows a good guide/tutorial about this topic, or other and better solutions that do not use HTTP authentication and which a browser cannot handle by itself, I'd be happy to hear.

Wim
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
On Mon, Feb 17, 2014 at 10:39 AM, Wim Ramakers wrote:
> I forgot to paste the line in the first post, I've set
> authenticate_cache_garbage_interval 5 minutes.
>
> Even after an hour I stayed authenticated, so I've changed it also to a lower
> value.

I am curious to this also then. I wonder if that is the browser. Is there a setting for how often a browser asks for authentication?

My assumption would be that the browser asks Squid for authentication. Once it is authenticated with your LDAP, then it will not have to authenticate again until the browser asks again. I may be totally wrong though.

--
Scott Mayo
Mayo's Pioneer Seeds
PH: 573-568-3235
CE: 573-614-2138
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
I forgot to paste the line in the first post, I've set authenticate_cache_garbage_interval 5 minutes.

Even after an hour I stayed authenticated, so I've changed it also to a lower value.

Wim
Re: [squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
On Mon, Feb 17, 2014 at 9:45 AM, Wim Ramakers wrote:
> I'm trying to configure squid3 (on a Debian server) to block certain (mostly
> social media) websites based on the LDAP (age) group the users are in.
> The devices are Apple iPads, Safari is used as web browser, and apps are
> installed with the Mobile Iron multiuser platform. The device will be shared
> among users of multiple groups, so I must FORCE the user to reauthenticate
> every 30 minutes.
>
> The problem we have now is that when a user authenticates correctly, the
> credentials never expire. For testing purposes I've set the ttl to 1 minute
> now, but after I authenticate a user successfully I never get a new challenge.
> My current config:
> -
> authenticate_ttl 1 minute
>
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "dc=mydomain,dc=eu" -f uid=%s -h 10.11.12.13
> auth_param basic children 5
> auth_param basic realm Web-Proxy
> auth_param basic credentialsttl 5 minutes
> acl ldap-auth proxy_auth REQUIRED
>
> external_acl_type ldapgroup ttl=60 %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=mydomain,dc=eu" -f (&(objectClass=inetOrgPerson)(uid=%u)(memberOf=cn=%g,ou=subou,ou=mainou,dc=mydomain,dc=eu)) -h 10.11.12.13
> acl ldapgroup-age9- external ldapgroup leeftijdsgroep_tot_9_jaar
> acl ldapgroup-age12- external ldapgroup leeftijdsgroep_tot_12_jaar
> acl ldapgroup-age13- external ldapgroup leeftijdsgroep_tot_13_jaar
> acl ldapgroup-age18- external ldapgroup leeftijdsgroep_tot_18_jaar
> acl ldapgroup-age18+ external ldapgroup standaard_leeftijdsgroep
>
> acl facebook dstdomain .facebook.com
> # Deny access to facebook if not in 18+ or 18- (=16-18) group
> http_access deny facebook !ldapgroup-age18+ !ldapgroup-age18- !ldap-auth
> ——
>
> I've tried also other http_access allow/deny rules, following different
> tutorials I found online, but that did not change anything.
> Can anyone spot the problem in my config, or is it just the iPad that caches
> the correct credentials and automatically uses these on next challenges??
> When it is a caching issue, what other options do I have to force the user to
> enter his credentials again after a fixed period of time?
>
> Thanks in advance for your help.

I will say that I don't know a lot about different parts of Squid, so not sure about this, but would it have something to do with the authenticate_cache_garbage_interval, default is an hour. (http://www.squid-cache.org/Versions/v3/3.1/cfgman/authenticate_cache_garbage_interval.html) I don't know if the authentication hangs around if it is greater than the ttl or not. Just a suggestion and I am guessing others will have a better answer than me.

--
Scott Mayo
Mayo's Pioneer Seeds
PH: 573-568-3235
CE: 573-614-2138
[squid-users] block domains based on LDAP group and force re-authentication every 30 minutes
I'm trying to configure squid3 (on a Debian server) to block certain (mostly social media) websites based on the LDAP (age) group the users are in.
The devices are Apple iPads, Safari is used as web browser, and apps are installed with the Mobile Iron multiuser platform. The device will be shared among users of multiple groups, so I must FORCE the user to reauthenticate every 30 minutes.

The problem we have now is that when a user authenticates correctly, the credentials never expire. For testing purposes I've set the ttl to 1 minute now, but after I authenticate a user successfully I never get a new challenge.
My current config:
-
authenticate_ttl 1 minute

auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "dc=mydomain,dc=eu" -f uid=%s -h 10.11.12.13
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 5 minutes
acl ldap-auth proxy_auth REQUIRED

external_acl_type ldapgroup ttl=60 %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=mydomain,dc=eu" -f (&(objectClass=inetOrgPerson)(uid=%u)(memberOf=cn=%g,ou=subou,ou=mainou,dc=mydomain,dc=eu)) -h 10.11.12.13
acl ldapgroup-age9- external ldapgroup leeftijdsgroep_tot_9_jaar
acl ldapgroup-age12- external ldapgroup leeftijdsgroep_tot_12_jaar
acl ldapgroup-age13- external ldapgroup leeftijdsgroep_tot_13_jaar
acl ldapgroup-age18- external ldapgroup leeftijdsgroep_tot_18_jaar
acl ldapgroup-age18+ external ldapgroup standaard_leeftijdsgroep

acl facebook dstdomain .facebook.com
# Deny access to facebook if not in 18+ or 18- (=16-18) group
http_access deny facebook !ldapgroup-age18+ !ldapgroup-age18- !ldap-auth
——

I've tried also other http_access allow/deny rules, following different tutorials I found online, but that did not change anything.
Can anyone spot the problem in my config, or is it just the iPad that caches the correct credentials and automatically uses these on next challenges??
When it is a caching issue, what other options do I have to force the user to enter his credentials again after a fixed period of time?

Thanks in advance for your help.