[SQU] ACLs for groups having different kinds of internet access and an environment variable problem.

From: Paul Turner <pjturner@dont-contact.us>
Date: Wed, 17 Jan 2001 20:26:41 -0700

Hi all,

I'm evaluating squid as a replacement for Apache+mod_proxy. There are several requirements that need to be met and squid easily meets most. I have a couple of requirements that remain to be satisfied. One is that our organization has 2 groups, one with unrestricted internet access and the other with limited access to just 100-200 sites. Access is determined by membership in an LDAP group called 'haveaccess' and anyone not in this group has limited access. Both groups need to be authenticated by squid and I've written auth programs that will do this. The problem is that the auth program is unable to communicate back to squid which group the user belongs to (I only get the choice of OK or ERR). I would like to accomplish this in a single instance of squid - clearly I can do it with different instances of squid - one for unrestricted access and one for limited access with the one for limited access having ACLs giving access to the external sites allowed. I've seen an LDAP patch that might do the trick but I'd rather stick with vanilla squid (with an exception to follow).

The other item is the requirement to insert into the request to internal web servers from squid an environment variable called 'HTTP_MY_USERNAME' with a value of the authenticated username. So I need a pointer to the section of squid source where the request from the client is sent to the web server of interest and where I can snag the username that made the request and insert this environment variable in the outgoing stream. This variable is used for internal purposes and should not be sent out to the Internet. CGI authors have written code that look for this environment variable so the person is known to be authenticated by the proxy server and responses can be tailored for the user without the user have to re-authenticate to the web server to provide usernames.

Any pointers would be appreciated.



Paul J Turner

To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Wed Jan 17 2001 - 20:25:17 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:57:29 MST