RE: User Authentication

From: Robert Collins <robert.collins@dont-contact.us>
Date: Thu, 16 May 2002 22:39:43 +1000

> -----Original Message-----
> From: Joey Coco [mailto:anesthes@cisdi.com]
> Sent: Thursday, May 16, 2002 10:47 PM
> To: Robert Collins
> Cc: squid-dev@squid-cache.org
> Subject: RE: User Authentication
>
>
>
> Hi Rob,
>
> > Not true. Only requests that trigger proxy_auth acl checks will
> > trigger authentication.
> >
> > > What I'd like to do, is set it up so generically no one
> > > (regardless of IP network) is prompted for authentication, however, if one
> > > wishes to "log in" they can click on a link, or in some other
> > > way trigger the authentication routines.
> >
> > Just allow certain destinations without proxy auth.
>
> True on both accounts, and that would prolly work for most
> people that want to authenticate when going to a few
> pre-defined destinations. But it won't really work for me,
> because we're not restricting access by using ACLs.
>
> I've written some custom functionality that will make
> decisions to allow access or not, based on destinations, time
> of day, and other criteria - but currently everyone is treated equal.

I don't see how this is different from the existing ACLs. That's
exactly what they do. If it's database based, loading the ACLs from a
database might be a useful approach. Secondarily, extending the
redirector API to allow a 407 response, which squid would then pass on as
a proxy_auth REQUIRED acl check, would allow a generic way of triggering
proxy auth based on a redirector's rules.
 
> I've tested load, and I've peaked around 800 http requests
> per second, so it's fairly stable. At close to a million ACL
> rules within my custom code, if I transformed that to Squid's
> native ACL, I'm not sure how long it would run for. :)

Quite a long time I imagine. Squid's ACL code gets a good workout, I'd
be surprised if there is anything really wrong there.
 
> I really just need to trigger proxy_auth on demand.

You _really_ need to use the proxy_auth acl framework. Examine the acl.c
code that deals with proxy_auth to see how you -could- call into the
authentication framework directly. You'll need to cover all the existing
cases, and to be sure that you don't leak requests.

Lastly, be aware that HTTP really isn't aimed at what you are doing.
From an RFC 2617 point of view, proxies that ask for auth once, need it
for the user forever (in that session), and the only way to tell the
client to authenticate is via the 407 response.

I will gladly provide thoughts as to how you can do what you need to
cleanly, but at the moment I really don't understand what you are adding
that is not already there.

Rob
Received on Thu May 16 2002 - 06:39:46 MDT
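The 407 exchange Rob describes, written out as an added example; this is not part of the original thread and not Squid's own code (it models in Python the decision that a proxy_auth ACL check drives in acl.c). The realm name, the list of open destinations, the user table and the client behaviour are all constructed for the demo, and the password check is kept constant-time so that an unknown user costs the same as a known one.

```python
import base64
import hmac

# Constructed demo values; none of these come from the thread or from Squid.
REALM = "demo-proxy"                      # hypothetical realm sent in the challenge
OPEN_DESTINATIONS = {"www.example.com"}   # reachable without authentication
USERS = {"alice": "correct horse"}        # plaintext only because this is a demo
_DUMMY_PASSWORD = "x" * 16                # compared against when the user is unknown


def parse_basic_credentials(header):
    """Return (user, password) from a 'Basic <base64>' Proxy-Authorization
    value, or None when the header is absent or malformed."""
    if header is None:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)     # the password may itself contain ':'
    return user, password


def check_credentials(creds):
    """Constant-time password check; returns the user name or None."""
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user, _DUMMY_PASSWORD)
    ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return user if (ok and user in USERS) else None


def handle_request(host, proxy_authorization=None):
    """Decide what the proxy does with one request.

    Returns (status, headers, user): 200 with no user for an open destination
    (the equivalent of an allow rule placed before the proxy_auth check),
    407 with a Proxy-Authenticate challenge when credentials are missing or
    wrong (the only way HTTP lets a proxy ask the client to authenticate),
    and 200 with the user name otherwise, so the proxy can log who it was."""
    if host in OPEN_DESTINATIONS:
        return 200, {}, None
    user = check_credentials(parse_basic_credentials(proxy_authorization))
    if user is None:
        return 407, {"Proxy-Authenticate": 'Basic realm="%s"' % REALM}, None
    return 200, {}, user


def client_session(hosts, user, password):
    """Drive a simple client through a list of destinations. On a 407 it
    retries with credentials and, as RFC 2617 clients do, keeps sending the
    same Proxy-Authorization header on every later request to this proxy,
    which is why the proxy sees the user for the rest of the session."""
    cached_header = None
    log = []
    for host in hosts:
        status, headers, who = handle_request(host, cached_header)
        if status == 407 and "Proxy-Authenticate" in headers:
            raw = ("%s:%s" % (user, password)).encode("utf-8")
            cached_header = "Basic " + base64.b64encode(raw).decode("ascii")
            status, headers, who = handle_request(host, cached_header)
        log.append((host, status, who))
    return log
```

Running client_session over an open destination followed by two restricted ones shows the shape Rob points at: the first restricted request draws the 407, the retry carries credentials, and the client then sends them unasked on every further request, so the proxy never needs to challenge again. Note that Basic only base64-encodes the password, so in a real deployment this exchange belongs on a trusted network path or inside TLS.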
