Re: strict authenticate_ip_ttl checking

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 19 Feb 2000 11:01:42 +0100

Ok. As you are not the first to ask for this feature I took some
time to implement it in a generic fashion.

Note: the changes to cf.data.pre have to be applied manually due to
conflicts with other major changes I have made to my cf.data.pre file..
too lazy to make a clean Squid-2.3.STABLE1 patch.

I have not tested the patch much, but it should work..

--
Henrik Nordstrom
Squid Hacker
http://squid.sourceforge.net/hno/

S.THOMAS wrote:
> Strict means I want to strictly allow only one m/c within the
> ip_authenticate_ttl time. I tried some code changes in acl.c,
> but got a lot of errors. I would be thankful if you could send me the
> code changes I have to make. I am not an expert in code analysis.

* squid-2.3.STABLE1.strict_authenticate_ip_ttl.patch *

Sat Feb 19 10:49:41 CET 2000
Modified Files in squid/src
        cf.data.pre acl.c structs.h

Changed ip_authenticate_ttl to have a strict option, enforcing that the
user comes from one IP address only.

-----------------------------------------------------------------

Index: squid/src/cf.data.pre
diff -u squid/src/cf.data.pre:1.1.1.42.6.9 squid/src/cf.data.pre:1.1.1.42.6.10
--- squid/src/cf.data.pre:1.1.1.42.6.9 Sun Jan 23 00:59:04 2000
+++ squid/src/cf.data.pre Sat Feb 19 10:49:39 2000
@@ -995,20 +995,19 @@
 DOC_END
 
 NAME: authenticate_ttl
-TYPE: int
-DEFAULT: 3600
+TYPE: time_t
+DEFAULT: 1 hour
 LOC: Config.authenticateTTL
 DOC_START
- The time a checked username/password combination remains cached
- (default 3600). If a wrong password is given for a cached user,
- the user gets removed from the username/password cache forcing
- a revalidation.
+ The time a checked username/password combination remains cached.
+ If a wrong password is given for a cached user, the user gets
+ removed from the username/password cache forcing a revalidation.
 DOC_END
 
 NAME: authenticate_ip_ttl
-TYPE: int
+TYPE: time_t
 LOC: Config.authenticateIpTTL
-DEFAULT: 0
+DEFAULT: 0 seconds
 DOC_START
         With this option you control how long a proxy authentication
         will be bound to a specific IP address. If a request using
@@ -1019,10 +1018,14 @@
         yet allow a dialup user to reconnect on a different dialup
         port.
 
+ If the TTL is set to a negative value then the check is
+ strict, completely denying access from other IP addresses
+ until the TTL has expired.
+
         The default is 0 to disable the check. Recommended value
- if you have dialup users are no more than 60 (seconds). If
+ if you have dialup users are no more than 60 seconds. If
         all your users are stationary then higher values may be
- used.
+ used, or even strict checking.
 DOC_END
 
 COMMENT_START
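Review bot: the new paragraph says a negative value means strict, but not that the magnitude of that value is still the TTL (the acl.c hunks use abs() on it), nor what the second client sees; suggest spelling out that e.g. `-60` keeps the binding for 60 seconds and that a request from another address is refused outright rather than challenged for credentials again, since that is the operationally visible difference. Minor grammar in the same block: "Recommended value ... are no more than 60 seconds" should read "is no more than 60 seconds".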
Index: squid/src/acl.c
diff -u squid/src/acl.c:1.1.1.40.6.2 squid/src/acl.c:1.1.1.40.6.3
--- squid/src/acl.c:1.1.1.40.6.2 Sun Jan 16 03:40:46 2000
+++ squid/src/acl.c Sat Feb 19 10:49:40 2000
@@ -1112,7 +1112,7 @@
             /* store validated user in hash, after filling in expiretime */
             xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ);
             auth_user->expiretime = current_time.tv_sec + Config.authenticateTTL;
- auth_user->ip_expiretime = squid_curtime + Config.authenticateIpTTL;
+ auth_user->ip_expiretime = squid_curtime + abs(Config.authenticateIpTTL);
             auth_user->ipaddr = checklist->src_addr;
             hash_join(proxy_auth_cache, (hash_link *) auth_user);
             /* Continue checking below, as normal */
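Review bot: abs() takes and returns int, but Config.authenticateIpTTL becomes time_t in the structs.h hunk, so on platforms where time_t is wider than int the value is silently truncated before the sign is stripped, and acl.c needs <stdlib.h> for the prototype; suggest an explicit time_t expression such as `(Config.authenticateIpTTL < 0 ? -Config.authenticateIpTTL : Config.authenticateIpTTL)`, ideally through a small helper so both call sites stay identical.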
@@ -1133,7 +1133,7 @@
             debug(28, 5) ("aclMatchProxyAuth: user '%s' previously validated\n",
                 user);
             /* Update IP ttl */
- auth_user->ip_expiretime = squid_curtime + Config.authenticateIpTTL;
+ auth_user->ip_expiretime = squid_curtime + abs(Config.authenticateIpTTL);
             auth_user->ipaddr = checklist->src_addr;
             /* copy username to request for logging on client-side */
             xstrncpy(checklist->request->user_ident, user, USER_IDENT_SZ);
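Review bot: same abs()-on-time_t concern as in the previous hunk at the `ip_expiretime` assignment; if a helper is introduced for the magnitude of the TTL, use it here too so the two refresh paths cannot drift apart.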
@@ -1149,11 +1149,16 @@
         } else {
             /* user has switched to another IP addr */
             debug(28, 1) ("aclMatchProxyAuth: user '%s' has changed IP address\n", user);
- /* remove this user from the hash, making him unknown */
- hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
- aclFreeProxyAuthUser(auth_user);
- /* require the user to reauthenticate */
- return -2;
+ if (!Config.authenticateIpTTL > 0) {
+ /* remove this user from the hash, making him unknown */
+ hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
+ aclFreeProxyAuthUser(auth_user);
+ /* require the user to reauthenticate */
+ return -2;
+ } else {
+ /* Strict TTL is set. Deny the "other" user access */
+ return 0;
+ }
         }
     } else {
         /* password mismatch/timeout */
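Review bot: the condition `if (!Config.authenticateIpTTL > 0)` is an operator-precedence bug: `!` binds tighter than `>`, so it parses as `(!Config.authenticateIpTTL) > 0`, which is true only when the TTL is exactly 0; every positive, non-strict TTL therefore falls into the strict deny branch and returns 0 instead of forcing re-authentication as before the patch. The intended test is `if (Config.authenticateIpTTL >= 0) {`. A debug line in the strict branch (mirroring the "has changed IP address" one above it) would also help an operator tell a strict-mode denial apart from a bad password in the logs.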
Index: squid/src/structs.h
diff -u squid/src/structs.h:1.1.1.45.4.12 squid/src/structs.h:1.1.1.45.4.13
--- squid/src/structs.h:1.1.1.45.4.12 Wed Feb 2 23:32:27 2000
+++ squid/src/structs.h Sat Feb 19 10:49:40 2000
@@ -320,8 +320,8 @@
 #endif
     int redirectChildren;
     int authenticateChildren;
- int authenticateTTL;
- int authenticateIpTTL;
+ time_t authenticateTTL;
+ time_t authenticateIpTTL;
     struct {
         int single_host;
         char *host;
Received on Sat Feb 19 2000 - 07:23:10 MST
