Re: [squid-users] authentication mechanism selected based on ip-address from Amos Jeffries on 2009-02-23 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 24 Feb 2009 12:23:01 +1300 (NZDT)

> Amos Jeffries wrote:
>> Joseph Spadavecchia wrote:
>>> Hi all,
>>>
>>> We have a requirement to use different authentication mechanisms
>>> based on the subnet/ip-address of the client.
>>>
>>> For example, a client from one subnet would authenticate against ntlm
>>> while a client from another subnet would authenticate against an LDAP
>>> server.
>>>
>>> AFAIK, this is normally done by running multiple instances of squid;
>>> but we have the requirement to do it with a single instance. One way
>>> of achieving this would be to modify squid to pass the client's
>>> ip-address along with the authentication information. However, I'd
>>> like to do it cleanly without modifying squid.
>>>
>>> Can anyone offer suggestions for doing this cleanly, without
>>> modifications to squid.
>>>
>>> Thanks in advance.
>>> Joseph
>>
>> External ACL taking client IP and Proxy-authentication header contents.
>> Then doing whatever you like and returning "OK user=XX\n" or "ERR\n"
>>
>> Amos
> Thanks Amos--- your suggestion seems to work.
>
> I created a custom authenticator that always returns "OK" and linked it
> to the external acl.
>
> ==== squid.conf ====
>
> auth_param basic program /usr/local/bin/my-auth.pl
>
> external_acl_type myAclType %SRC %LOGIN %{Proxy-Authorization}
> /usr/local/bin/my-acl.pl
>
> acl MyAcl external myAclType
>
> http_access allow MyAcl
>
> * Note myAclType's dependence on %LOGIN is required for triggering
> authentication and, thus, setting %{Proxy-Authorization}.
>
>
> ==== my-auth.pl ====
>
> #!/usr/bin/perl -Wl
>
> $|=1;
>
> while (<>) {
> print "OK";
> }
>
>
> ==== my-acl.pl ====
>
> #!/usr/bin/perl -Wl
>
> use URI::Escape;
> use MIME::Base64;
>
> $|=1;
>
> while (<>) {
> ($ip,$user,$auth) = split();
> $auth = uri_unescape($auth);
> ($type,$authData) = split(/ /, $auth);
> $authString = decode_base64($authData);
> ($username,$password) = split(/:/, $authString);
>
> print my_awsome_auth($ip, $username, $password);
> }
>
> Thanks.
> Joseph
>

Excellent thank you for this wonderful write-up.
I've added it to the wiki
http://wiki.squid-cache.org/ConfigExamples/Authenticate/MultipleSources

Amos
Received on Mon Feb 23 2009 - 23:23:43 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 24 2009 - 12:00:01 MST