Re: [squid-users] more than one auth_param basic for acc-mode with several virthosts

From: David Lewis <>
Date: Thu, 06 Nov 2008 15:46:28 +0100

Hi, I'm wondering if there's been any progress since 2005 as regards
multiple instances of auth_param basic.

My problem is that I have set up a mechanism for restricting the access
to certain sites when the http client is on a particular network.

No problem with this, it works fine, the algorithm is simple and as follows:

  IF accessing subscription_site THEN
    IF http client in hall of residence THEN
      check authorized user
      IF not authorized user THEN

To implement it I've used the following directives:

  auth_param basic program /usr/local/exploitation/
  auth_param basic realm /blah blah blah/

  acl subscription_sites dstdomain
  acl subscription_sites dstdomain

  acl hall_of_residence src

  acl utcauthenticated proxy_auth REQUIRED

  http_access allow subscription_sites hall_of_residence utcauthenticated

The requests in question get handled just as I intended. The problem is
with OTHER requests requiring authentication. In particular FTP. If any
user of this squid, anywhere, tries to do non-anonymous FTP without
specifying username and password in the URL, then squid returns a
challenge labelled /blah blah blah/, and invariably rejects the request,
since the FTP username and password to be sent to the remote FTP server
are not recognized by my script. What I need is
TWO authentication setups : one to handle my very specific
authentication requirement, and the other to handle all the rest.

Anybody see a way around this?

With my thanks,
David L

> From: Henrik Nordstrom <>
> Date: Thu, 26 May 2005 15:23:10 +0200 (CEST)
> On Thu, 5 May 2005, B wrote:
>> to always have squid be the "master" authenticator, is it possible to
>> define more than one auth_param basic program, assign them with acl-like
>> names and use multiple proxy_auth directives with http_access and
>> url_regex definitions? the aim is, to have one auth_param for every
>> url_regex match.
> Today the login(and password) name must be unique for the whole Squid, no
> matter what the user requests. Once logged in you can use proxy_auth etc
> to limit what users may access what, but the same login can not have
> different passwords depending on what is being requested.
> However, MARA Systems is collecting bids for implementing multiple
> authentication "realms" within the same Squid allowing different user
> databases to be used depending on what is requested where. Implementation
> will start when there is sufficient interest.
> Regards
> Henrik
Received on Thu Nov 06 2008 - 14:46:34 MST

This archive was generated by hypermail 2.2.0 : Thu Nov 06 2008 - 12:00:03 MST