paul cooper wrote:
so ip_user won't actually do what I want (the book isn't clear actually
what it is there for) - thanks Henrik

what I want is to get the currently logged-in user and pass it to squid,
which will then authenticate against that with no further dialog boxes
etc. I can then add e.g. time-based ACLs

I think you have confused the purpose and nature of Authentication.
It's usually done by the browser when requesting web pages.

The standard methods use various authentication headers the browser passes to squid containing a user/pass. Non-standard methods involve squid pulling various details like IP address and authenticating based on them instead of user/pass.

All any of the methods do is pass squid an OK/ERR result after authenticating to say the request can/not go through.


So I thought I'd try my own. Eventually I suspect I'll use getpwuid() and
look up in /etc/passwd.

#!/usr/bin/perl -wl
# -l appends "\n" to every print, so each reply to squid ends with a newline
$|=1;                     # unbuffered stdout: squid waits for each reply line
my @names=("andrew","anne","nick","emma");
# NB: `whoami` is the account the helper process runs as, not the browser user
my $username = `whoami` or die "Couldn't execute command: $!";
chomp($username);
open (F, '>/tmp/data.txt') or die "Couldn't open /tmp/data.txt: $!";
print F $username;        # -l supplies the trailing newline
close (F);
# $#names is the last index, so compare with <= (with < the last name was never checked)
my $i=0;
while ($i<=$#names)
{
if ($names[$i] eq $username){print "OK user=$username";exit;}
$i++;
}
print "ERR";


and this returns the current user and writes it to the file.

I'd suggest a test version that accepts anything squid sends, logs it exactly and says 'OK/ERR' randomly.

Run it for a while to see exactly what you can get from squid and design based on that.


Amos


my squid.conf

hepworth andrew # cat /etc/squid/squid.conf |grep ^acl
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl purge method PURGE
acl CONNECT method CONNECT
acl annes external MyAclHelper
acl QUERY urlpath_regex cgi-bin \?
acl apache rep_header Server ^Apache
hepworth andrew # cat /etc/squid/squid.conf |grep ^http
http_access Safe_ports allow
http_access allow annes
http_access deny all
http_port 3128
hepworth andrew # cat /etc/squid/squid.conf |grep ^external
external_acl_type MyAclHelper /etc/squid/myaclhelper
hepworth andrew #

do I need an auth_param directive as well? If so, what?

so when I request a web page it asks me for a username and password, and
myaclhelper doesn't write the text file. Should it be doing the
2008/03/21 12:00:16| helperOpenServers: Starting 5 'getpwname_auth' processes
line?


hepworth squid # /usr/local/squid/sbin/squid -N -d6
2008/03/21 12:00:16| Starting Squid Cache version 2.6.STABLE18 for i686-pc-linux-gnu...
2008/03/21 12:00:16| Process ID 19869
2008/03/21 12:00:16| With 1024 file descriptors available
2008/03/21 12:00:16| Using epoll for the IO loop
2008/03/21 12:00:16| Performing DNS Tests...
2008/03/21 12:00:16| Successful DNS name lookup tests...
2008/03/21 12:00:16| DNS Socket created at 0.0.0.0, port 32860, FD 6
2008/03/21 12:00:16| Adding domain home.nw from /etc/resolv.conf
2008/03/21 12:00:16| Adding nameserver 192.168.0.254 from /etc/resolv.conf
2008/03/21 12:00:16| helperOpenServers: Starting 5 'getpwname_auth' processes
2008/03/21 12:00:16| Unlinkd pipe opened on FD 17
2008/03/21 12:00:16| Swap maxSize 102400 KB, estimated 7876 objects
2008/03/21 12:00:16| Target number of buckets: 393
2008/03/21 12:00:16| Using 8192 Store buckets
2008/03/21 12:00:16| Max Mem  size: 8192 KB
2008/03/21 12:00:16| Max Swap size: 102400 KB
2008/03/21 12:00:16| Rebuilding storage in /usr/local/squid/var/cache (CLEAN)
2008/03/21 12:00:16| Using Least Load store dir selection
2008/03/21 12:00:16| Current Directory is /etc/squid
2008/03/21 12:00:16| Loaded Icons.
2008/03/21 12:00:16| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 19.
2008/03/21 12:00:16| Accepting ICP messages at 0.0.0.0, port 3130, FD 20.
2008/03/21 12:00:16| WCCP Disabled.
2008/03/21 12:00:16| Ready to serve requests.
2008/03/21 12:00:17| Done reading /usr/local/squid/var/cache swaplog (688 entries)
2008/03/21 12:00:17| Finished rebuilding storage from disk.
2008/03/21 12:00:17|       688 Entries scanned
2008/03/21 12:00:17|         0 Invalid entries.
2008/03/21 12:00:17|         0 With invalid flags.
2008/03/21 12:00:17|       688 Objects loaded.
2008/03/21 12:00:17|         0 Objects expired.
2008/03/21 12:00:17|         0 Objects cancelled.
2008/03/21 12:00:17|         0 Duplicate URLs purged.
2008/03/21 12:00:17|         0 Swapfile clashes avoided.
2008/03/21 12:00:17|   Took 0.4 seconds (1801.4 objects/sec).
2008/03/21 12:00:17| Beginning Validation Procedure
2008/03/21 12:00:17|   Completed Validation Procedure
2008/03/21 12:00:17|   Validated 688 Entries
2008/03/21 12:00:17|   store_swap_size = 4320k
2008/03/21 12:00:17| storeLateRelease: released 0 objects

--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
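Amos's suggestion above (a throw-away helper that accepts whatever Squid sends, logs it verbatim and answers OK/ERR at random), written out as an added example; this is not code from the thread or from the Squid project. It assumes a squid.conf line of the form `external_acl_type MyAclHelper %SRC %LOGIN /etc/squid/myaclhelper`, so that each lookup arrives as one line carrying those two fields, and it assumes a log path of /tmp/squid-acl-helper.log; both are assumptions, not from the original.

```python
#!/usr/bin/env python3
# Throw-away Squid external ACL helper for discovering what Squid really sends:
# it logs every request line exactly as received and answers OK or ERR at
# random. Added example, not code from the thread.
#
# Assumed squid.conf line (the FORMAT tokens decide what arrives per request):
#   external_acl_type MyAclHelper %SRC %LOGIN /etc/squid/myaclhelper
# With that line each lookup is one text line such as "192.168.0.10 anne".
# Squid keeps the helper alive and sends one line per lookup, then waits for
# exactly one reply line; the helper runs as squid's own account, so anything
# like `whoami` inside it names the proxy user, never the browser user.
import random
import sys

LOG_PATH = "/tmp/squid-acl-helper.log"   # assumed path; must be writable by squid's user


def seeded_rng(seed):
    """A private random source, so a given seed gives a repeatable verdict."""
    return random.Random(seed)


def parse_request(line):
    """Return the whitespace-separated fields of one Squid request line.

    With the FORMAT above, fields[0] is %SRC and fields[1] is %LOGIN;
    Squid sends '-' for a token it has no value for."""
    return line.rstrip("\r\n").split()


def verdict(rng=random):
    """Random OK/ERR: no real policy, the point is only to see the traffic."""
    return "OK" if rng.random() < 0.5 else "ERR"


def handle_request(line, rng=random):
    """Produce (reply, log_record) for one request line.

    The reply is a single line: OK or ERR, optionally followed by key=value
    pairs; user=NAME is what Squid records as the request's username.
    The log record is repr() of the raw line so tabs and newlines stay visible."""
    record = repr(line)
    fields = parse_request(line)
    answer = verdict(rng)
    if answer == "OK" and len(fields) >= 2 and fields[1] != "-":
        answer += " user=" + fields[1]
    return answer, record


def main():
    with open(LOG_PATH, "a") as log:
        for line in sys.stdin:
            answer, record = handle_request(line)
            log.write(record + "\n")
            log.flush()
            # stdout must be flushed per line or squid waits forever for the reply
            sys.stdout.write(answer + "\n")
            sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it for a while under `squid -N -d6`, then read the log: the fields you see are all an external ACL helper will ever be given, and the real helper has to be designed around them rather than around the helper process's own environment.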
