Re: Introduction - pre patch submission

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 01 May 2010 15:12:45 +1200

Robert Marcano wrote:
> Greetings.
>
> I am interested in developing features for squid that are currently
> needed in our installations, related with LDAP and authentication
> integration and content filtering (ICAP). I have been able to add the
> feature of forwarding the current authenticated to the next proxy in the
> chain, primarily because Squid is doing the Kerberos authentication and
> the next proxy needs that info to execute other actions (I will follow
> this introduction with another email with the explanation of the needs and
> the implementation)

Welcome aboard.

You may already have seen these, but just in case.

Basic Reference on the tools needed to work with Squid code as a
developer and links to other useful developer information:
  http://wiki.squid-cache.org/DeveloperResources

Documentation on the patch submission process how-to and what to expect:
  http://wiki.squid-cache.org/MergeProcedure

>
> Other areas where I want to make a few contributions are:
>
> - Capability to advertise different auth methods based on the request,
> for example, restrict to NTLM and Negotiate only to browser and never
> tell them that basic auth is allowed (IE still tries with basic even
> when NTLM auth is ok but acl restricted the request), I want to avoid
> people using basic for the browser, but still allow the usage of basic
> auth for certain acl verified requests (user agent, ip, etc)

Great. The bug 2305 shuffling has been submitted for audit now. An
auth_param ACL option should be relatively easy to implement on top of
those changes once committed.

The specs for this so far are to create a way to configure:

  auth_param X filter acl [acl] ...

or similar.

>
> - Make tcp_outgoing_address be able to use an interface name and not
> only a fixed ip address, this solves a problem we have with some setups
> where we allow to access to the internet with a dedicated ISP for a group
> of users, and that ISP is using a dynamic ip (we currently solve this
> with a scripting hack regenerating the configuration file)
>

tcp_outgoing_address is absolutely not the right place for this. A
separate tcp_outgoing_interface will be needed at minimum.

I'm interested in hearing how you propose to make this work.

You will face the problems of:
   * how to identify the kernel ID of the interface name configured.
   * how to pass the interface ID back using the socket API.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Sat May 01 2010 - 03:12:52 MDT
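
Added example, not part of the original message and not Squid code: one way to handle the first problem listed above (mapping a configured interface name to its kernel ID and its current address) with POSIX `if_nametoindex()` and `getifaddrs()`. The names `resolve_iface` and `outgoing_socket` are hypothetical, and binding by the address looked up at call time is an assumed design, not one either poster proposed.

```c
#include <ifaddrs.h>
#include <net/if.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Map a configured interface name to its kernel index and its current IPv4
 * address. Returns 0 on success, 1 if the interface exists but has no IPv4
 * address right now, -1 if the name is invalid or unknown. */
int resolve_iface(const char *name, unsigned int *index, struct in_addr *addr)
{
    struct ifaddrs *list, *it;
    int rc = 1;
    if (name == NULL || strlen(name) >= IF_NAMESIZE)
        return -1;                      /* reject over-long config values */
    if ((*index = if_nametoindex(name)) == 0)
        return -1;                      /* no such interface */
    if (getifaddrs(&list) != 0)
        return 1;
    for (it = list; it != NULL; it = it->ifa_next) {
        if (it->ifa_addr == NULL || it->ifa_addr->sa_family != AF_INET ||
            strcmp(it->ifa_name, name) != 0)
            continue;
        *addr = ((struct sockaddr_in *)it->ifa_addr)->sin_addr;
        rc = 0;
        break;
    }
    freeifaddrs(list);
    return rc;
}

/* Open a TCP socket bound to the interface's address at call time (hypothetical
 * helper). This picks the source address only; routing still chooses egress. */
int outgoing_socket(const char *ifname)
{
    struct sockaddr_in src = { .sin_family = AF_INET };
    unsigned int idx;
    int fd;
    if (resolve_iface(ifname, &idx, &src.sin_addr) != 0)
        return -1;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&src, sizeof(src)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Because the lookup happens per call rather than at configuration parse time, an address change on the interface is picked up without regenerating the configuration file.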