Re: external ACL

From: Robert Collins <robert.collins@dont-contact.us>
Date: Thu, 19 Jul 2001 18:47:52 +1000

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: "Henrik Nordstrom" <hno@marasystems.com>; "Squid Developers Mailinglist"
<squid-dev@squid-cache.org>
Sent: Thursday, July 19, 2001 6:09 PM
Subject: Re: external ACL

> Robert Collins wrote:
> >
> > So you want to force authentication if not present?
> >
> > Three possible ways
> > 1) duplicate code from the proxy_auth ACL type. Remembering that
> > _authentication_ vs authorisation is all modularised in authenticate.c
> > 2) have the user add
> > acl foo proxy_auth REQUIRED
> > and then write their external acl access rules that use %LOGIN as (say)
> > http_access deny !foo external external !external
> > 3) dynamically insert the data for 2) when parsing, if you encounter
> > %LOGIN in a external_acl rule.
> >
> > I favour 3 - it's a bit harder to do _right_, but the user may be less
> > confused.
> >
> > Rob
>
> Or 4, make challenge processing/generation/IP verification more cleanly
> separated from the proxy_auth ACL match.

I've no objection to tweaking/refactoring/whateveryouwanttocallit the
abstraction. It's not quite right as it is. I have some pending work in ntlm
that will affect such rearrangements - I'll try and get it finished up asap,
and see if I can rearrange the logic at the same time.

I don't think the IP verification should be tied to the authentication too
tightly - the whole point of external ACLs as I understood was to allow
more custom processing. Thoughts here?

> Note: I strongly dislike the idea of "dynamically" rewriting the
> configuration. Also, doing so would not work properly in conjunction with
> deny_info.

Ah - because if the user didn't login - gotcha.

Rob

> The closest we can do in this direction is to have the
> external ACL match make a "dummy" proxy_auth ACL that is not actually
> part of the configuration, and have it call aclMatchAcl on this internal
> acl. Personally, I would prefer a cleaner solution to the problem "User
> must be fully authenticated before this can continue".
>
> --
> Henrik
>
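For readers following option 2 above, here is an added example of what the external side of that setup looks like: a minimal external ACL helper that authorises a user against the source address (the "IP verification" discussed in the thread). It is not code from the thread or from Squid; it assumes a line-per-request helper protocol where Squid writes the configured fields (here "%LOGIN %SRC") and reads back "OK" or "ERR", and that an unauthenticated request reaches the helper with the login field empty or as "-". The point it illustrates is the one Rob and Henrik are circling: the helper can only answer ERR for a missing login, it cannot trigger the authentication challenge itself, so a proxy_auth ACL still has to sit in front of it.

```python
import sys
from ipaddress import ip_address, ip_network

# Constructed policy table for the example: user -> networks the user may
# connect from. A real deployment would load this from a file or directory.
POLICY = {
    "alice": [ip_network("10.1.0.0/16")],
    "bob": [ip_network("10.2.0.0/16"), ip_network("192.168.5.0/24")],
}


def decide(line: str) -> str:
    """Return the helper reply ("OK" or "ERR") for one request line of the
    assumed form "<login> <src-ip>".

    An empty or "-" login (assumed to be how Squid reports a client that has
    not authenticated) can only be refused here; the helper has no way to
    make Squid send a 407 challenge, which is why a proxy_auth REQUIRED acl
    must be checked before the external acl in http_access.
    """
    fields = line.strip().split()
    if len(fields) != 2:
        return "ERR"
    login, src = fields
    if login in ("", "-"):
        return "ERR"
    try:
        addr = ip_address(src)
    except ValueError:
        return "ERR"
    networks = POLICY.get(login.lower())
    if networks is None:
        return "ERR"
    return "OK" if any(addr in net for net in networks) else "ERR"


def main() -> None:
    # Squid keeps the helper process alive and writes one lookup per line;
    # each reply must be flushed immediately or the request stalls.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```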
Received on Thu Jul 19 2001 - 02:45:07 MDT
