RE: [squid-users] authenticate_program

From: Matt Johnson <mjohnson@dont-contact.us>
Date: Sat, 26 May 2001 20:41:19 -0500

My directory contains specific IPs, and specific URLs that a user has access
to, and I am wanting to authenticate a user based on that information. So,
getting the IP, and URL passed to my authentication program is a must. I
just have to figure out how to make Squid do this. :-)

As I get into it more, it's kinda sounding like the best method would be to
make a way for SOME parts of access control to be handled by an external
program, rather than modifying the way that proxy authentication is handled.

The End Goal:
Give external program all the information it needs to decide if the page
should be rejected or delivered to the requestor. That could include
username, password, IP, URL, or ? if there was any other information
available about the request. A rejection or denial of the access would work
for starters, but it would also be nice to be able to give conditions for
why the request was rejected, and a set of different actions to take for
them.

Matt

|-----Original Message-----
|From: Robert Collins [mailto:robert.collins@itdomain.com.au]
|Sent: Saturday, May 26, 2001 8:15 PM
|To: Matt Johnson; squid-users@squid-cache.org;
|squid-dev@squid-cache.org
|Subject: Re: [squid-users] authenticate_program
|
|
|----- Original Message -----
|From: "Matt Johnson" <mjohnson@iblp.org>
|To: <squid-users@squid-cache.org>; <squid-dev@squid-cache.org>
|Sent: Sunday, May 27, 2001 5:09 AM
|Subject: [squid-users] authenticate_program
|
|
|> I am wanting to use an external program to authenticate users accessing my
|> squid proxy server.
|>
|> One thing that I need to do is to have the IP address of the user to be
|> passed to my external authentication program.
|>
|> I'm wanting to know if there is a way I can do this in the squid.conf file,
|> or if it requires customizing the squid source code. If I need to customize
|> the source code, anyone have any suggestions on where to start?
|
|You need to alter the squid-basic auth helper protocol. See
|authenticate.c (2.4 and before) or src/auth/basic/auth_basic.c
|(2.5dev).
|You also need to alter the in-squid logic to allow squid to treat two
|users with the same name as different if they have different IPs.
|
|> It would be rather nice if you could do something like:
|> authenticate_program /home/mjohnson/code/auth.pl %IPADDRESS%
|
|That cannot work. You only have one authenticate_program.
|
|> Any suggestions on how to do this would be appreciated.
|
|I'd suggest you revisit the need for the ip address. The authenticate
|helper is meant for _authentication_ not _access control_. If the IP
|address is part of logging the user into your user directory, then it
|makes sense. If not, I suspect you will be making things more difficult
|for yourself.
|
|Rob
|
|> Matt Johnson
|>
|
Received on Sat May 26 2001 - 19:41:21 MDT
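
Added example, not part of the original thread and not Squid code: an external access-control program of the kind described under "The End Goal", which takes the username, client IP and URL of a request and answers allow or deny with a reason. The one-line `user ip url` request format, the `OK` / `ERR <reason>` replies and the sample directory are assumptions constructed for illustration, and the user is assumed to be authenticated already, keeping authentication and access control separate as Rob suggests.

```python
import ipaddress
import sys
from urllib.parse import unquote, urlsplit

# Constructed sample directory: per-user client networks and URL prefixes.
DIRECTORY = {
    "alice": {"networks": ["192.0.2.0/28"],
              "urls": ["http://intranet.example/reports/"]},
    "bob": {"networks": ["198.51.100.7/32"],
            "urls": ["http://intranet.example/", "http://docs.example/public/"]},
}

def url_allowed(url, prefixes):
    """Scheme, host and port must match exactly; only the path is a prefix
    match, so http://intranet.example.evil.test/ never matches."""
    try:
        u = urlsplit(url)
        origin = (u.scheme, u.hostname, u.port)
    except ValueError:              # bad port or bracketed host: fail closed
        return False
    if ".." in unquote(u.path).split("/"):
        return False                # refuse dot-dot segments outright
    return any(origin == (p.scheme, p.hostname, p.port)
               and u.path.startswith(p.path)
               for p in map(urlsplit, prefixes))

def decide(line):
    """Return 'OK' or 'ERR <reason>' for one 'user ip url' request line."""
    fields = line.split()
    if len(fields) != 3:
        return "ERR malformed-request"
    user, ip, url = fields
    entry = DIRECTORY.get(user)
    if entry is None:
        return "ERR unknown-user"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "ERR bad-ip"
    if not any(addr in ipaddress.ip_network(n) for n in entry["networks"]):
        return "ERR ip-not-allowed"
    if not url_allowed(url, entry["urls"]):
        return "ERR url-not-allowed"
    return "OK"

if __name__ == "__main__":
    for request in sys.stdin:
        # One reply per request line, flushed so the caller never blocks.
        print(decide(request), flush=True)
```

The reason code after `ERR` is what would let the caller take a different action per kind of rejection.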
