Re: [squid-users] Proxy authentication - PXY1

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 24 Feb 2003 19:22:37 +0100

Please keep squid questions on the squid-users mailinglist as it may be
of interest to others.

To do what was discussed some programming is required. In addition, some
patching of Squid is required unless you want to use development
versions of Squid (not suitable for production use yet..), as
described in the previous message quoted below.

Proxy-Authentication uses the HTTP header "Proxy-Authorization". This
means that you can have this header sent to external acl helpers by
using the format specification ${Proxy-Authorization}, and if the header
is not set "-" will be sent to the helper.

However, thinking over this one more time I do not think you need to use
an external acl to do what you want. Instead just using the redirection
capabilities of deny_info (see below) should be sufficient. What you do
is to

1. Set up proxy authentication as usual in Squid. Once authentication
works, continue with 2.

2. Create two CGI/PHP pages on a web server which are proxied via the
proxy.

   2a) One script which presents the policy and also gives the user a
small form where he can accept/decline the policy. In the form there is
a hidden field carrying the original requested URL, received from Squid
via the "url" form parameter (or another parameter name of choice..).
For instructions on how to have the requested URL sent to this script
see the deny_info url redirection extension discussed in the previous
response.

   2b) A second script which includes a 'Proxy-Authentication: Basic
realm="..."' header in the response, and also does a meta refresh to
redirect the user back to the requested page. This script is called by
the browser when the user accepts the policy shown by "2a" above.

3. Set up Squid to redirect to script "2a" when the user is denied due
to authentication by the normal acls, and to allow access to the scripts
created in '2' without requiring authentication.

Some slight variations of '2b' are possible, such as having
authentication required by Squid without redirection in step '2b' and a
couple of other alternatives.

Regards
Henrik

David O'Sullivan wrote:
>
> A long time ago I asked you the question at the bottom of this E-mail. At
> that time I was using a SUSE installed Squid2.4 STABLE7 version. I have now
> taken the Squid 2.5 STABLE1 copy from the squid-cache.org website. Bearing
> in mind I am new to Linux/Squid what is it I have to do to make an
> external_acl_type to filter out requests without authentication. Would this
> helper be yet another executable I would have to develop (I am not a C
> person either) or could it be a script. Can you just spell out a little more
> the order of the acls in the squid.conf file and what each piece of the
> puzzle would do. I have seen the new auth_param directive and the
> external_acl_type but am unsure of how deep I have to go to make this a
> flier.
>
> I would appreciate any reply in layman's language given my experience of
> Linux is 5 weeks and of squid 3 weeks. Is what you are saying that I will
> be able to detect if the HTTP header contains a username/password
> combination and then redirect through deny_info to a policy page, or is
> that too simplistic. Any help gratefully received.
>
> Cheers Dave O.
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: 06 February 2003 08:47
> To: Robert Collins
> Cc: David O'Sullivan; 'squid-users@squid-cache.org'
> Subject: Re: [squid-users] Proxy authentication - PXY1
>
> Robert Collins wrote:
>
> > Requests without authentication are redirected to the policy page, with
> > the original page in a cookie/form submission. The policy page sets a
> > cookie "POLICY ACCEPTED" when the user accepts the policy. The policy
> > web server *must* be accessed via squid.
> >
> > When a request to the policy webserver, with a policy accepted cookie,
> > is seen, authentication is triggered, and the user redirected back to
> > the originally requested page.
>
> Yes, this looks like it might be done.
>
> external_acl_type can be used to filter out requests without proxy
> authentication, or an extension acl can be written within Squid to do the
> same. deny_info url capability of Squid-3 (also available as a patch to
> Squid-2.5) can then be used to redirect the request to the policy page.
>
> The same scheme can also be used for IP based session timers, having an
> external_acl_type acting as a filter on which requests may need to be
> sent to the policy page, and the cookie as the definite filter on which
> users have accepted the policy or not.
>
> Regards
> Henrik
>
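As an added example of the script pair described in steps 2a and 2b of Henrik's reply (this is illustration code written for this archive page, not code from the message or from the Squid project), here is one CGI script in Python that plays both roles: a GET with a "url" parameter shows the policy and an accept form carrying the original URL in a hidden field (2a), and a POST of that form sends the browser back to the original page with a meta refresh (2b). It follows the variation mentioned at the end of the reply, where Squid itself requires authentication for the accept script, so Squid issues the proxy-authentication challenge and the script only has to redirect. Assumed and not shown: the Squid side (a deny_info redirect that passes the requested URL as the "url" parameter, and an acl allowing the script's host without authentication). The fallback URL, the policy text and the parameter names are assumptions. The check a practitioner would want here: the "url" value arrives from the browser, so it is validated before being placed in the refresh, otherwise the accept script becomes an open redirector.

```python
"""Policy-acceptance CGI script for the Squid deny_info scheme (steps 2a/2b).

Roles (assumed request shapes, see the lead-in):
  GET  ?url=<original>             -> 2a: show the policy and an accept form
  POST accept=yes&url=<original>   -> 2b: send the browser back to <original>
"""
import html
import os
import sys
from urllib.parse import parse_qs, urlsplit

# Constructed placeholders; replace for a real deployment.
FALLBACK_URL = "http://www.example.com/"   # used when the "url" parameter is unusable
POLICY_TEXT = "Use of this proxy is subject to the acceptable use policy."


def safe_target_url(candidate):
    """Accept only absolute http/https URLs as the post-acceptance destination.

    The value comes from the browser (Squid fills it in via deny_info, but any
    client can craft it), so without this check the accept page would redirect
    to whatever it is handed. javascript:, data:, protocol-relative and empty
    values all fall back to a fixed URL.
    """
    if not candidate:
        return FALLBACK_URL
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return FALLBACK_URL
    return candidate


def policy_page(requested_url):
    """Step 2a: policy text plus a form whose hidden field carries the URL."""
    target = safe_target_url(requested_url)
    body = (
        "<html><body>\n"
        "<h1>Acceptable use policy</h1>\n"
        "<p>%s</p>\n"
        '<form method="post">\n'
        '<input type="hidden" name="url" value="%s">\n'
        '<button name="accept" value="yes">Accept</button>\n'
        '<button name="accept" value="no">Decline</button>\n'
        "</form></body></html>\n"
    ) % (html.escape(POLICY_TEXT), html.escape(target, quote=True))
    return ("200 OK", [("Content-Type", "text/html; charset=utf-8")], body)


def accept_response(form):
    """Step 2b: after acceptance, meta-refresh the browser to the original URL.

    Squid is assumed to require proxy authentication for this POST target, so
    by the time the script runs the browser already holds proxy credentials.
    """
    target = safe_target_url(form.get("url", [""])[0])
    if form.get("accept", [""])[0] != "yes":
        return ("200 OK", [("Content-Type", "text/plain; charset=utf-8")],
                "Policy declined; proxy access has not been enabled.\n")
    body = (
        '<html><head><meta http-equiv="refresh" content="0;url=%s"></head>\n'
        "<body>Policy accepted, returning you to the requested page.</body></html>\n"
    ) % html.escape(target, quote=True)
    return ("200 OK", [("Content-Type", "text/html; charset=utf-8")], body)


def handle_request(method, query_string, post_body):
    """Dispatch on the request method; returns (status, headers, body)."""
    if method == "POST":
        return accept_response(parse_qs(post_body))
    return policy_page(parse_qs(query_string).get("url", [""])[0])


def main():
    # Plain CGI: read the environment and stdin, write a CGI response.
    method = os.environ.get("REQUEST_METHOD", "GET")
    query = os.environ.get("QUERY_STRING", "")
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    post_body = sys.stdin.read(length) if method == "POST" else ""
    status, headers, body = handle_request(method, query, post_body)
    sys.stdout.write("Status: %s\r\n" % status)
    for name, value in headers:
        sys.stdout.write("%s: %s\r\n" % (name, value))
    sys.stdout.write("\r\n")
    sys.stdout.write(body)


if __name__ == "__main__":
    main()
```

The hidden field and the refresh target are HTML-escaped separately from the URL validation: escaping stops the value from breaking out of the attribute, validation stops the page from sending users somewhere other than an http or https origin.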
Received on Mon Feb 24 2003 - 14:20:28 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:35 MST