Amos Jeffries wrote:
> Joseph Spadavecchia wrote:
>> Hi all,
>>
>> We have a requirement to use different authentication mechanisms
>> based on the subnet/ip-address of the client.
>>
>> For example, a client from one subnet would authenticate against ntlm
>> while a client from another subnet would authenticate against an LDAP
>> server.
>>
>> AFAIK, this is normally done by running multiple instances of squid;
>> but we have the requirement to do it with a single instance. One way
>> of achieving this would be to modify squid to pass the client's
>> ip-address along with the authentication information. However, I'd
>> like to do it cleanly without modifying squid.
>>
>> Can anyone offer suggestions for doing this cleanly, without
>> modifications to squid.
>>
>> Thanks in advance.
>> Joseph
>
> External ACL taking client IP and Proxy-authentication header contents.
> Then doing whatever you like and returning "OK user=XX\n" or "ERR\n"
>
> Amos
Thanks Amos--- your suggestion seems to work.
I created a custom authenticator that always returns "OK" and linked it
to the external acl.
==== squid.conf ====
auth_param basic program /usr/local/bin/my-auth.pl
external_acl_type myAclType %SRC %LOGIN %{Proxy-Authorization} /usr/local/bin/my-acl.pl
acl MyAcl external myAclType
http_access allow MyAcl
* Note myAclType's dependence on %LOGIN is required for triggering
authentication and, thus, setting %{Proxy-Authorization}.
==== my-auth.pl ====
#!/usr/bin/perl -Wl
$|=1;
# Accepts every username/password pair; the real check happens in my-acl.pl.
while (<>) {
    print "OK";
}
==== my-acl.pl ====
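#!/usr/bin/perl -Wl
use URI::Escape;
use MIME::Base64;
$|=1;
# Each request line from Squid: %SRC %LOGIN %{Proxy-Authorization} (URL-escaped).
while (<>) {
    my ($ip, $user, $auth) = split();
    $auth = uri_unescape($auth);
    my ($type, $authData) = split(/ /, $auth, 2);
    my $authString = decode_base64($authData);
    # Limit of 2 keeps passwords that contain ':' intact.
    my ($username, $password) = split(/:/, $authString, 2);
    # Must print "OK user=XX" or "ERR" (the -l switch appends the newline).
    print my_awsome_auth($ip, $username, $password);
}
# Placeholder for the site-specific check; denies until replaced.
sub my_awsome_auth { return "ERR"; }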
Thanks.
Joseph
--
Joseph Spadavecchia
t. +44 (0)1506 426 976
f. +44 (0)1506 691 408
e. mailto:jspadavecchia_at_bloxx.com
w. http://www.bloxx.com/
Awards: http://www.bloxx.com/corporate/newsreleases_more.php?id=39 | http://www.bloxx.com/corporate/newsreleases_more.php?id=36
http://www.bloxx.com/corporate/newsreleases_more.php?id=31 | http://www.bloxx.com/corporate/newsreleases_more.php?id=33
--------------------------------------------------------------------------
Bloxx Ltd.: Registered in the UK No. SC202264. Geddes House, Kirkton North, Livingston EH54 6GU, UK.
International Offices: Bloxx Inc. t. +1 781 229 0980 | Bloxx Europe t. +31 (0) 70 320 5009 | Bloxx Australia t. +61 1800 225 699

Received on Mon Feb 23 2009 - 14:20:19 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 24 2009 - 12:00:01 MST
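
An added example, not part of the original post and not Squid's own code: a Python version of the external ACL helper described in the thread, which selects the verification backend from the client subnet and answers "ERR" on any malformed or mismatched input. The subnets, the backend labels and the verifier callables are assumptions; the URL-escaped "%SRC %LOGIN %{Proxy-Authorization}" input format follows my-acl.pl above.

```python
import base64
import ipaddress
import sys
from urllib.parse import unquote

# Constructed subnet-to-backend map (assumption, not from the original post).
BACKENDS = [
    (ipaddress.ip_network("10.1.0.0/16"), "ntlm"),
    (ipaddress.ip_network("10.2.0.0/16"), "ldap"),
]

def parse_basic(header):
    """Return (username, password) from a URL-escaped Basic header, else None."""
    scheme, _, blob = unquote(header).partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64, non-ASCII input and bad UTF-8
        return None
    username, sep, password = decoded.partition(":")  # password may contain ':'
    # Reject empty names and names with whitespace, which would corrupt the reply.
    if not sep or username.split() != [username]:
        return None
    return username, password

def decide(line, verifiers):
    """Answer one request line of the form '%SRC %LOGIN %{Proxy-Authorization}'."""
    fields = line.split()
    if len(fields) != 3:
        return "ERR"
    try:
        addr = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"
    creds = parse_basic(fields[2])
    # Fail closed: the header must parse and name the same user as %LOGIN.
    if creds is None or creds[0] != unquote(fields[1]):
        return "ERR"
    for net, backend in BACKENDS:
        if addr in net:  # first matching subnet selects the mechanism
            ok = verifiers[backend](*creds)
            return "OK user=" + creds[0] if ok else "ERR"
    return "ERR"  # no mechanism configured for this subnet

if __name__ == "__main__":
    deny = {"ntlm": lambda u, p: False, "ldap": lambda u, p: False}  # placeholders
    for line in sys.stdin:
        print(decide(line, deny), flush=True)
```

Because the basic authenticator accepts everything, only rules that go through this external ACL actually verify a password; any other http_access rule that relies on authentication alone would admit arbitrary credentials.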