[squid-users] ACL to match arbitrary reply header, in-memory fast authentication

From: Joshua Brindle <JBrindle@dont-contact.us>
Date: Mon, 04 Aug 2003 15:34:18 -0500

Ok, I'm not sure if this makes sense but I have some special needs
and can't quite figure out how to implement them.

I am using Dansguardian to determine if something is porn, and
I modified it to set a header (X-Naughty and X-Naughty-Why)
so that the page would still go through, but squid should be
able to identify it as naughty.

Now, I need to authenticate users _without_ basic authentication
(because I'm using transparent proxying, and I want authentication
to be optional anyway, only when a site is blocked), and I also can't
use NTLM because we are not using domains and Windows usernames
have no correlation to their network login.

So, my idea is to have an authentication module that doesn't actually
authenticate but holds a struct of username/ip pairs, and a timeout
timestamp. Now, since this won't actually do anything since
there is no way to get the username/ip pairs in there I need
a pipe or ipc to send that info to squid.

The way I envision it working is, people can browse freely and unlogged
until they get a page that Dansguardian blocks, at which time they are
sent to a login page (probably PHP here) that authenticates them
to the network (using whatever method your network uses), then sends
the username/ip pair to squid, which is put in the struct. Then when
squid sees the X-Naughty header, and the user is logged in (and
the current time is before the timestamp), it will allow the page through
but log it.

There are several caveats here, which is why this is the only way I can
think of to do it. 1) We only want to log porn sites, not every site
the user goes to. 2) We only want users to log in *if* they want to, to
bypass the filter with knowledge that it will be logged. 3) It needs to be
very fast, and I don't think an external auth module could do the job.
4) Adding a naughty header is the only way I could see the page going
through for logged-in users but allowing squid to identify it.

The setup is like user <-> squid <-> dansguardian <-> squid <-> internet

Both the squids are the same process; it just uses the IP src from Dansguardian's
IP to send the request out to the internet.

So, has anyone done anything like this? Can this be done? Right now I'm
trying to make squid match arbitrary headers, but every ACL file there now
matches headers that are in enum.h. How can I match unknown arbitrary headers?

And second, is my authentication idea possible? Is it plausible? Are there better
ways of doing it?

Thanks ! :)

Joshua Brindle
UNIX Administrator
Southern Nazarene University
Received on Mon Aug 04 2003 - 14:34:51 MDT
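As an added illustration of the scheme described in the post (not code from the poster or from Squid), here is the in-memory username/IP table with a timeout, the allow/log/login decision driven by the X-Naughty reply header, and a line handler in the shape of a Squid external_acl_type helper. Assumed: the helper is configured with the `%SRC` format so each line carries the client IP, the one-hour TTL is a placeholder, and the "OK user=..." reply form is an assumption about the helper protocol.

```python
import sys
import time
from threading import Lock

# Session table: client IP -> (username, expiry timestamp). Held in memory
# so a lookup is a dictionary hit, no disk or network round trip.
_sessions = {}
_lock = Lock()
SESSION_TTL = 3600  # assumed: how long a login stays valid, in seconds

def register(ip, username, now=None, ttl=SESSION_TTL):
    """Called by the login page after it has authenticated the user."""
    now = time.time() if now is None else now
    with _lock:
        _sessions[ip] = (username, now + ttl)

def lookup(ip, now=None):
    """Username for a live session, or None if absent or past its timestamp."""
    now = time.time() if now is None else now
    with _lock:
        entry = _sessions.get(ip)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del _sessions[ip]  # lazy expiry: drop the stale entry on first sight
            return None
        return username

def decide(ip, reply_headers, now=None):
    """Policy from the post: unflagged pages pass unlogged; a page carrying
    X-Naughty passes only for a logged-in user and is logged; otherwise the
    client is sent to the login page."""
    hdrs = {k.lower(): v for k, v in reply_headers.items()}
    if "x-naughty" not in hdrs:
        return ("allow", None)
    user = lookup(ip, now)
    if user is None:
        return ("login", None)
    return ("allow_logged", "%s %s %s" % (ip, user, hdrs.get("x-naughty-why", "")))

def helper_line(line, now=None):
    """One external_acl_type request line ('%SRC' format: the client IP)."""
    ip = line.strip().split()[0]
    user = lookup(ip, now)
    return "OK user=%s" % user if user else "ERR"

if __name__ == "__main__":
    for line in sys.stdin:  # squid writes one query per line, reads one reply per line
        sys.stdout.write(helper_line(line) + "\n")
        sys.stdout.flush()
```

The helper only answers "is this IP logged in", which is what an external ACL can see at request time; the reply-header test in `decide` is the part that still has to be matched by squid itself.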
