RE: [squid-users] Disable user accounts

From: David Parks <davidparks21_at_yahoo.com>
Date: Mon, 22 Mar 2010 16:26:26 -0600

So, if I understand correctly, squid has no way for me to force a user
account to be expired or cleared prematurely. Setting the nonce_max_duration
low wouldn't block a user with a constant stream of traffic, say watching a
video for example.

If the above statements are correct, then do you have any thoughts on how
challenging a change like this would be at the code level? For example,
having a command similar to "squid -k reconfigure" (e.g. "squid -r
user_to_expire") in which case squid would simply expire the given
credentials, thus "tricking" squid into re-authenticating on demand?

If user credentials are simply a table in memory this seems conceptually
simple to accomplish. Though I'm a Java developer and haven't touched C/++
in many years, so I'm not sure this is worth considering unless you think
it's as simple as it seems like it could be.

Thanks!
Dave

p.s. my purpose in following this line of questioning is to monitor log
files for per-user traffic, and after a user exceeds their data transfer
quota, I need to block further access. I don't want to slow access for users
within their quota.

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Monday, March 22, 2010 12:35 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Disable user accounts

David Parks wrote:
> I will be monitoring squid usage logs and need to disable user
> accounts from an external app (block them from making use of the proxy
> after they are authenticated).
>
> I'm not quite following the FAQ on this
> (http://wiki.squid-cache.org/Features/Authentication?action=show&redirect=SquidFaq/ProxyAuthentication#How_do_I_ask_for_authentication_of_an_already_authenticated_user.3F)
> because I don't have any criteria on
> which the ACL might force a re-negotiation (or I just don't understand
> the proposed solution).

Re-challenge is automatic whenever a new request needs to be authed and the
currently known credentials are unknown or too old to be used.

>
> I'm also not clear if ("nonce_garbage_interval") and
> ("nonce_max_duration") are actually forcing a password check against
> the authentication module, or if they are just dealing with the
> nuances of the digest authentication protocol. I have them set to

Garbage collection only removes things known to be dead already. The garbage
interval determines how often the memory caches are cleaned out above and
beyond the regular as-used cleanings.

  nonce_max_duration determines how long the nonces may be used for.
It's closer to what you are wanting, but I'm not sure if there are any nasty
side effects of setting it too low.

> their defaults, but after making a change to the password file that
> digest_pw_auth helper uses, I do not get challenged for the updated
> password. Could it just be that digest_pw_auth didn't re-read the
> password file after I made the change?

Yes.

>
> Thanks! David
>
>
> p.s. thanks for all of the responses to this point, I haven't replied
> as such with a "thanks", but the help on this user group is fantastic
> and is really appreciated, particularly Amos, you're a god-send!

Welcome.

Amos

--
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18
Received on Mon Mar 22 2010 - 22:26:35 MDT
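
The log-monitoring step described in the p.s. of the message above, as an added example that is not part of the original thread and not Squid project code. It assumes Squid's default native access.log layout (bytes in the fifth field, authenticated username in the eighth); the sample lines, usernames and quota value are constructed.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1269296786.101 120 10.0.0.5 TCP_MISS/200 400000 GET http://example.com/a.bin alice DIRECT/192.0.2.10 application/octet-stream
1269296787.202 3 10.0.0.6 TCP_DENIED/407 1800 GET http://example.com/ - NONE/- text/html
1269296788.303 95 10.0.0.6 TCP_MISS/200 250000 GET http://example.com/b.bin bob DIRECT/192.0.2.10 application/octet-stream
1269296789.404 210 10.0.0.5 TCP_HIT/200 700000 GET http://example.com/c.bin alice NONE/- video/mp4

1269296790.505 15 10.0.0.5 TCP_MISS/200
"""

QUOTA_BYTES = 1_000_000  # hypothetical per-user quota


def usage_by_user(lines):
    """Sum bytes delivered per authenticated user.

    Returns (totals, skipped) where skipped counts malformed lines, so a
    truncated or rotated log does not silently under-count usage.
    """
    totals = defaultdict(int)
    skipped = 0
    for line in lines:
        fields = line.split()
        if not fields:            # blank line
            continue
        if len(fields) < 10:      # truncated or non-native format
            skipped += 1
            continue
        user = fields[7]
        if user == "-":           # unauthenticated, e.g. the 407 challenge
            continue
        try:
            totals[user] += int(fields[4])
        except ValueError:
            skipped += 1
    return dict(totals), skipped


def over_quota(totals, quota_bytes):
    """Usernames whose accumulated bytes exceed the quota, sorted."""
    return sorted(u for u, n in totals.items() if n > quota_bytes)


if __name__ == "__main__":
    totals, skipped = usage_by_user(SAMPLE_LOG.splitlines())
    print(totals, "malformed lines:", skipped)
    print("over quota:", over_quota(totals, QUOTA_BYTES))
```

Squid writes an access.log entry only when a request completes, so a long-running transfer such as the video stream mentioned above is counted only after it finishes.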
