RE: [squid-users] Excluding some clients from authentication REQUIRED acl

From: Geoff Varney <geoff.varney@dont-contact.us>
Date: Tue, 18 Jul 2006 12:29:05 -0700

Chris,
Thanks for the suggestions. Comments inline...

> -----Original Message-----
> From: Chris Robertson [mailto:crobertson@gci.net]
> Sent: Monday, July 17, 2006 12:57 PM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Excluding some clients from authentication
> REQUIRED acl
>
> Geoff Varney wrote:
> > Hi,
> > I am trying to make Squid 2.6 work in the following setup:
> >
> I haven't had the time yet to upgrade to 2.6, so my advice may be...
> Unreliable. You have been warned.
> > Main Site:
> > I have one master caching/authentication Squid 2.6 server
> >
> > I have one DansGuardian (2.9.7.1) server with the above master Squid as
> > its parent
> >
> > Remote Sites:
> > I have 3 remote Squid servers that each authenticate their local clients
> > and point to the above DG server as parent
> >
> >
> > I am passing on user and password from the remote Squids (no-query
> > login=*:password default). This worked great when the main site had an
> > authentication Squid in front of DG (2.8) and the remote Squids used DG as
> > the parent, and the main site authentication Squid did the same. In this
> > setup all sites were really the same.
> >
> > Now with DG 2.9.7.1 I have tried to eliminate the main site authentication
> > Squid as DG will now pass through to Squid to authenticate. This works
> > great at the main site. However, when I set a remote Squid to use DG as its
> > parent there is now an attempt to authenticate AGAIN to the main site Squid
> > which is the parent to DG.
> >
> > Philip Allison (DG developer) suggested using ACLs to exclude these remote
> > requests from being authenticated by the main Squid.
> Hmmm... By the time the requests reach the "main" Squid, they have all
> passed through DG, and all appear to be from the same IP. Unless, of
> course, the follow-XFF patch was integrated into Squid 2.6... If that
> is the case (and you compiled with enable), you should be able to insert
> an http_access rule allowing the subnet(s) access before denying access
> to non-authenticated hosts. Something like...
>
> # The following lines require XFF
> acl DansGuardian src <IP of DG server>
> follow_x_forwarded_for allow DansGuardian
> acl_uses_indirect_client on
> # End XFF requirement
> acl no_auth src <remote subnet range>
> acl passwords_required proxy_auth REQUIRED
> http_access allow no_auth
> http_access allow passwords_required
> http_access deny all

Yeah, I followed this path and it didn't quite work the way I need it
to. What happens is that if I use follow_x_forwarded_for then I can
allow the IP range before auth, but then it doesn't filter. It goes
from DG, then straight out per http_access allowance. If I don't use
follow_x_forwarded_for then I have a problem with what DG logs for
users, or I end up with more than just remote IP ranges being allowed
http_access....

> > I have been working on
> > this but can't seem to get it to work. I can get things to work if I allow
> > the remote subnet's IPs to have http_access, but that effectively skips DG
> > filtering. I had hoped that something like:
> >
> > acl no_auth src <remote subnet range>
> > proxy_auth REQUIRED !no_auth
> >
> This would be trying to use an ACL within another ACL. Perhaps that's
> possible in 2.6...
> > or something like that would skip auth on the main Squid. But that doesn't
> > work, maybe the syntax is invalid for proxy_auth REQUIRED.
> >
> > I know I don't have a complete understanding of acls (and much more!) and
> > know they are very powerful if you get them right and put them in the right
> > order, etc.
> >
> Check out the Wiki section on ACLs
> (http://wiki.squid-cache.org/SquidFaq/SquidAcl). There's a lot of good
> information there.
> > I'm stuck in getting the remote Squid requests to go to the main Squid and
> > then go back to DG to filter, then out through Squid without trying to
> > authenticate again. How do I make Squid ignore authenticating some requests
> > (by IP acl or something?) but still filter with DG? Can it be done? If
> > not, I'll just go back to Squid Auth->DG->Squid Cache like before.
> >
> > Thanks,
> > Geoff
> >
> Another option would be to create a login/password combination on the
> "main" Squid server, and have the "remote" Squid servers use that (e.g.
> the remote Squid servers would define their parent cache using
> "login=user:password"). *shrug*

I think I considered this also, but one of the things I want is DG to
log the usernames and this would log just the one remote username...

I don't think what I want can be easily (if possibly) achieved, so I've
gone back to adding a separate authorization Squid in front of DG (like
the old days!) and point clients on DG's local subnet to it, then the
remote Squids point at DG directly. It works that way!

I think maybe the HTTP spec of logging in only once is the issue here,
and I don't think Squid has a way to look at the source IP to determine
whether or not to require authorization. That would be nice I think!

I am using the "--require-membership-of=" in my "auth_param ntlm
program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
statement, but I don't think there's a similar
"do-not-require-membership-of" sort of option for this! Besides, I
don't know what this Squid is seeing compared to what the initial
authentication Squid is seeing since it's already an authenticated
connection.

>
> Chris

Geoff
Received on Tue Jul 18 2006 - 13:29:12 MDT
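
The rule order Chris posted, modelled as an added Python sketch (not part of the original thread and not Squid's own code): it shows which address the `src` ACL is matched against with and without `follow_x_forwarded_for`, and what the first-match `http_access` evaluation returns. The addresses are constructed samples, any supplied username is assumed to be already verified, and DansGuardian is assumed to append the connecting host's address to X-Forwarded-For.

```python
import ipaddress

# Constructed sample addresses (documentation ranges); the thread gives none.
DG_SERVER = ipaddress.ip_address("192.0.2.10")         # "<IP of DG server>"
NO_AUTH_NET = ipaddress.ip_network("198.51.100.0/24")  # "<remote subnet range>"

# http_access lines as (action, acl name), in configuration order.
RULES_AS_POSTED = [("allow", "no_auth"), ("allow", "passwords_required"), ("deny", "all")]
RULES_REORDERED = [("allow", "passwords_required"), ("allow", "no_auth"), ("deny", "all")]


def effective_client(peer_ip, xff, follow_xff):
    """Address the src ACLs are matched against."""
    peer = ipaddress.ip_address(peer_ip)
    # X-Forwarded-For is honoured only when the connecting peer is the trusted
    # DansGuardian host; the last entry is the hop DansGuardian itself saw.
    if follow_xff and xff and peer == DG_SERVER:
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def evaluate(rules, peer_ip, xff=None, user=None, follow_xff=True):
    """First matching http_access line decides; later lines are never read."""
    client = effective_client(peer_ip, xff, follow_xff)
    for action, acl in rules:
        if acl == "no_auth" and client in NO_AUTH_NET:
            return action
        if acl == "passwords_required":
            # Without credentials the proxy answers 407 instead of moving on.
            # Assumption: any supplied username has already been verified.
            return action if user else "challenge"
        if acl == "all":
            return action
    return "deny"


if __name__ == "__main__":
    for label, kwargs in [
        ("remote subnet via DG", dict(peer_ip="192.0.2.10", xff="10.1.1.5, 198.51.100.7")),
        ("same, XFF not followed", dict(peer_ip="192.0.2.10", xff="198.51.100.7", follow_xff=False)),
        ("XFF from untrusted peer", dict(peer_ip="203.0.113.50", xff="198.51.100.7")),
    ]:
        print(f"{label:26} {evaluate(RULES_AS_POSTED, **kwargs)}")
```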
