Re: [squid-users] External_acl_type and cache_peer

From: Chris Robertson <crobertson_at_gci.net>
Date: Fri, 07 Aug 2009 11:18:13 -0800

Amos Jeffries wrote:
> Sander, Andreas wrote:
>> Hello,
>>
>> I am using Squid 2.7Stable6. I have an external helper that shall
>> obfuscate the authenticating user for a cache_peer. Unfortunately this
>> does not work in any condition:
>>
>> Let's take an example where my helper returns:
>> OK user=hello password=world
>>
>> Example 1:
>>
>> auth_param ...
>> external_acl_type groupbuilder children=1 %SRC %DST
>> C:\temp\helper\Debug\helper.exe
>> acl special external groupbuilder
>> http_access allow special
>> cache_peer 192.168.1.101 parent 3128 7 no-query default login=PASS
>>
>> In this example the user "hello" is used for authentication when passing
>> the request to "192.168.1.101". Unfortunately the user is not
>> authenticated.
>>
>>
>> Example 2:
>> auth_param ...
>> external_acl_type groupbuilder children=1 %LOGIN %SRC %DST
>> C:\temp\helper\Debug\helper.exe
>> acl special external groupbuilder
>> http_access allow special
>> cache_peer 192.168.1.101 parent 3128 7 no-query default login=PASS
>>
>> In this example, the user authenticated by "auth_param" is always
>> passed to "192.168.1.101". The result of the external helper is
>> ignored.
>>
>> What can I do to modify a login name by an external helper?
>
> You cannot.
>
> login=PROXYPASS simply passes the authentication headers the client
> sent without changing.
>
> login=PASS does the above, but when the client did not send any such
> header it may _add_ a Basic auth header using the external helper
> details.
>
> login=<username>:<password> does not pass anything, it uses the values
> from squid.conf on every request.
>
> login=*:<password> passes the client-given username through but
> replaces the password with the one in squid.conf on every request.
>
> This is the total of the login= features available in Squid 3.1 and
> older.

From http://www.squid-cache.org/Doc/config/external_acl_type/...

        The helper receives lines per the above format specification,
        and returns lines starting with OK or ERR indicating the validity
        of the request and optionally followed by additional keywords with
        more details.

        General result syntax:

          OK/ERR keyword=value ...

        Defined keywords:

          user= The users name (login)
          password= The users password (for login= cache_peer option)

...which indicates to me that if the external_acl_type returns the
keywords "user" and/or "password", those will be substituted for the
"real" credentials supplied by the client. I have to assume the
original poster interpreted this documentation in the same manner.

Are we wrong? If so, what does this documentation really mean?

>
> Squid-3.2 is currently open for new features. If you can specify your
> requirements in detail and why the above features don't cover them
> please send to squid-dev_at_squid-cache.org
>
> Amos

Chris
Received on Fri Aug 07 2009 - 19:18:35 MDT
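The following is an added example, not code from the thread or from Squid itself. It has two parts. The first is an external_acl helper in the shape the quoted documentation describes: it reads one request line per the configured format (here "%LOGIN %SRC %DST", as in Example 2), derives a pseudonymous user name from the real login, and answers "OK user=... password=..." or "ERR". The second part is a small model of the cache_peer login= variants exactly as Amos lists them, used to replay Example 1 and Example 2 and see why the helper's keywords only reach the peer when the client sent no credentials. Assumptions: the pseudonym secret, the peer password "world", the helper being fed "-" for a missing %LOGIN, and unquoted keyword values in the reply are all constructed for this example; the model encodes Amos's description, not Squid's source.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): a Squid external_acl helper that
maps the authenticated login to a pseudonym, plus a model of the
cache_peer login= variants as described in Amos's reply."""
import base64
import hashlib
import hmac
import sys

# Constructed values: a secret for deriving pseudonyms and the password the
# upstream peer (192.168.1.101 in the thread) is assumed to accept.
PSEUDONYM_SECRET = b"change-me-before-use"
PEER_PASSWORD = "world"


def pseudonym(login: str) -> str:
    """Stable, non-reversible user name derived from the real login."""
    digest = hmac.new(PSEUDONYM_SECRET, login.encode(), hashlib.sha256).hexdigest()
    return "u" + digest[:16]


def handle_line(line: str) -> str:
    """Process one request line in the '%LOGIN %SRC %DST' format (Example 2)
    and return the reply in the documented 'OK/ERR keyword=value ...' syntax.
    Assumption: Squid passes '-' when no login is available."""
    fields = line.strip().split()
    if len(fields) != 3:
        return "ERR"
    login, _src, _dst = fields
    if login == "-":
        return "ERR"
    return f"OK user={pseudonym(login)} password={PEER_PASSWORD}"


def helper_main() -> None:
    """Squid drives the helper over stdin/stdout, one request per line."""
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


# ---- model of the login= options, per Amos's description ----------------

def basic(user: str, password: str) -> str:
    """Build a Basic credential as it would appear in Proxy-Authorization."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: str):
    """Return (user, password) from a Basic credential, or None."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw


def parse_reply(reply: str) -> dict:
    """Turn 'OK user=hello password=world' into {'user': ..., 'password': ...}.
    Assumes unquoted values, as in the thread's example reply."""
    status, *pairs = reply.split()
    if status != "OK":
        return {}
    return dict(p.split("=", 1) for p in pairs if "=" in p)


def upstream_auth(login_option: str, client_header, helper_reply: str):
    """What the peer receives for each login= form. Returns None for no header."""
    helper = parse_reply(helper_reply)
    if login_option == "PROXYPASS":          # client header, unchanged
        return client_header
    if login_option == "PASS":               # client header wins; helper fills gaps
        if client_header:
            return client_header
        if "user" in helper and "password" in helper:
            return basic(helper["user"], helper["password"])
        return None
    if login_option.startswith("*:"):        # client user, squid.conf password
        creds = parse_basic(client_header) if client_header else None
        return basic(creds[0], login_option[2:]) if creds else None
    user, _, pw = login_option.partition(":")  # fixed squid.conf credentials
    return basic(user, pw)


def replay_examples() -> tuple:
    """Example 1: client sent nothing. Example 2: client authenticated as alice."""
    reply = "OK user=hello password=world"
    example1 = upstream_auth("PASS", None, reply)
    example2 = upstream_auth("PASS", basic("alice", "secret"), reply)
    return example1, example2


if __name__ == "__main__":
    helper_main()
```

Run stand-alone it behaves as the helper (pipe request lines into it). replay_examples() shows the thread's two outcomes side by side: with no client credentials the peer receives "hello:world" from the helper keywords, and once the client has authenticated via auth_param the client's own header is forwarded and the helper's user= and password= are ignored, which is the behaviour the original poster observed.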

This archive was generated by hypermail 2.2.0 : Mon Aug 10 2009 - 12:00:15 MDT