Re: [squid-users] authication retries

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 16 Jun 2009 13:49:18 +1200

On Mon, 15 Jun 2009 15:51:54 -0500 (CDT), Al - Image Hosting Services
<azick_at_zickswebventures.com> wrote:
> Hi,
>
> On Mon, 15 Jun 2009, Amos Jeffries wrote:
>> On Sun, 14 Jun 2009 20:28:28 -0500 (CDT), Al - Image Hosting Services
>> <azick_at_zickswebventures.com> wrote:
>>> Hi,
>>>
>>> After thinking about it, I decided that if a person lost their password,
>>> that I should have a way for them to retrieve it without needing me, so I
>>> added an acl to unblock a site so it would work without authentication.
>>> Where I have a problem is that it looks like you can try wrong usernames
>>> and passwords all day. Could someone tell me how many times a user will be
>>> able to type in their username and password before squid will give the
>>> ERR_CACHE_ACCESS_DENIED page? Or if there is even a way to change this
>>> number. I would like people to see the error page after maybe 10 tries. If
>>> this can't be changed, then I will need to find another way to deal with
>>> this issue.
>>>
>>> Best Regards,
>>> Al
>>
>> Zero times. It is displayed immediately when auth credentials are missing
>> or bad.
>>
>> The problem you have now is that the error page is hidden by the browsers
>> and converted into that popup everyone is so familiar with.
>
> I must admit that I really expected to get this answer, but I need to be
> sure. Do you know if there is any kind of work around?
>
> Thanks,
> Al

Hmm. I'm thinking this is something useful we need to add to Squid. Patches
to Squid-3 welcome if anyone wants something to do.

I'm working on theory here so testing and tuning are in order before this
goes live. I'm thinking you may be able to do it by altering the response
headers. It may only work in squid-3 where the headers are available
separately too.

  deny_info http://your.domain.invalid/authpage.html dummy
  reply_header_access deny !auth dummy

Where dummy is an external ACL testing to see how many times the user has
passed bad credentials in a row. You can probably get this by passing %SRC
%<{Proxy-Authenticate}

Amos
Received on Tue Jun 16 2009 - 01:49:25 MDT
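
Added example, not part of the message above and not Squid project code: a sketch of the "dummy" external ACL helper it describes, counting consecutive replies that carry Proxy-Authenticate for each %SRC address. The helper name and path, the squid.conf wiring in the docstring and the threshold of 10 are assumptions, and like the suggestion itself this is untested against a live Squid.

```python
#!/usr/bin/env python3
"""Sketch of the "dummy" external ACL helper (added example, assumptions below).

Assumed squid.conf wiring; the name "authfail" and the path are hypothetical:
  external_acl_type authfail ttl=0 negative_ttl=0 %SRC %<{Proxy-Authenticate} /usr/local/bin/authfail.py
  acl dummy external authfail
"""
import sys

MAX_TRIES = 10  # assumption: the "maybe 10 tries" asked for in the thread


class FailureCounter:
    """Counts consecutive authentication challenges per client address."""

    def __init__(self, max_tries=MAX_TRIES):
        self.max_tries = max_tries
        self.streak = {}  # client address -> challenges in a row

    def check(self, line):
        """Return 'OK' (ACL matches) or 'ERR' for one helper input line."""
        fields = line.split(None, 1)
        if not fields:
            return "ERR"
        src = fields[0]
        header = fields[1].strip() if len(fields) > 1 else "-"
        if header in ("", "-"):
            # Reply carried no challenge: credentials were accepted, so reset.
            self.streak.pop(src, None)
            return "ERR"
        # Reply carried a challenge. This also counts the first request a
        # browser sends before it has any credentials to offer.
        self.streak[src] = self.streak.get(src, 0) + 1
        return "OK" if self.streak[src] >= self.max_tries else "ERR"


def main():
    counter = FailureCounter()
    for line in sys.stdin:
        sys.stdout.write(counter.check(line) + "\n")
        sys.stdout.flush()  # Squid waits on every answer, so never buffer


if __name__ == "__main__":
    main()
```

Counting by %SRC means clients behind one NAT address share a streak, and the dictionary grows with every address seen, so a deployment would want an expiry on idle entries.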
