Re: [squid-users] deny_info page with passing login

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 29 Apr 2011 18:53:47 +1200

On 29/04/11 10:27, Rafal Zawierta wrote:
> Hi again :)
>
> I try to redirect denied users (by my own external acl helper) to my
> custom page.
> I use kerb_auth so I pass to my helper variable %LOGIN
>
> external_acl_type testacl %LOGIN /tmp/login.sh (login.sh will return
> OK or Err - it works).
>
> Now - in case of 'Err' I have to redirect my client to web page with message:
>
> Hello %LOGIN. You are denied.
> (In fact page will be in php with connection to sql, but idea is the same).
>
> Now - when I try to use some variables from squid doc I get:
>
> deny_info http://proxy.domain.local/index.php?login=%a test1
> but in URL in browser I have "index.php?login=0x0.000000110cb68p-1022"
> - so, it is not my login.
>
> Is it possible to pass login the same way as it is passed to external
> acl helper?

You require 3.2 series to pass % tokens to deny_info.
It uses the same token set as the error template pages do.

>
> And - also important - is it possible to use POST method instead of GET
> with deny_info.

No guarantees. That is up to the browser.

Squid 3.1+ will send a 307 status code to tell the browser that a new
location is required, with no change in the request method or details
posted. After asking the user if it is okay they should retry the new
location. So far Firefox is the only browser to support this part of
HTTP/1.1. The others all wrongly treat it the same as a 302 (sending a
GET as the followup).
  There are many of us using 307 anyway where it is needed and hoping
that the browsers will get fixed soon. Please join the campaign :)

>
> Or maybe (it will simplify all) - is it some method to get %LOGIN from
> headers sent by browser (as it was said before - I use
> squid_kerb_auth). In such case I don't need to pass anything special
> with deny_info.

Yes that is the better way to do all this. You won't be passing username
un-encrypted.

Just generate the error page using a background auth check in the page
script to lookup the username from the Proxy-Authentication header
received. You could even use squid_kerb_auth to do the sub-check, all it
does for Squid is take a copy of the header line and pass back the
username on success and error message on fail.

  This may help:
http://wiki.squid-cache.org/Features/AddonHelpers#Negotiate_and_NTLM_Scheme

  "KK $header_content" is what squid_kerb_auth accepts,
   "AF $username" is the success reply,
   "BH $message" is the failure reply.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Fri Apr 29 2011 - 06:53:54 MDT
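
The helper exchange described in the reply above, as an added example that is not part of the original message or of Squid: it builds the one-line "KK" request from a received header value, parses the "AF"/"BH" reply, and HTML-escapes the username before it reaches the denied page. The function names, the `ask_helper` callable standing in for the helper process, the sample values, and taking the last field of the AF line as the username are all assumptions.

```python
import base64
import binascii
import html

# Constructed sample credential; not a real Kerberos token.
SAMPLE_BLOB = base64.b64encode(b"constructed-kerberos-token").decode()


def build_helper_request(header_value):
    """Turn 'Negotiate <base64>' into the one-line 'KK <base64>' request."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob:
        raise ValueError("not a Negotiate credential")
    try:
        # validate=True rejects spaces, CR/LF and any other character outside
        # the base64 alphabet, so the value cannot smuggle a second line
        # into the line-based helper protocol.
        base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("credential is not clean base64") from None
    return "KK " + blob + "\n"


def parse_helper_reply(line):
    """Return (True, username) for an AF reply, (False, message) otherwise."""
    code, _, rest = line.strip().partition(" ")
    if code == "AF" and rest:
        # Assumption: the username is the last field of the AF line.
        return True, rest.split()[-1]
    return False, rest or "no reply from helper"


def denied_page(header_value, ask_helper):
    """ask_helper is a hypothetical callable: request line in, reply line out."""
    try:
        request = build_helper_request(header_value)
        ok, value = parse_helper_reply(ask_helper(request))
    except ValueError:
        ok, value = False, ""
    if not ok:
        return "Access denied."  # helper error text is not echoed to the client
    # The username is escaped before it is placed in the page.
    return "Hello %s. You are denied." % html.escape(value)


def fake_helper(request):
    """Constructed stand-in for the helper, used only to exercise the code."""
    if request == "KK " + SAMPLE_BLOB + "\n":
        return "AF rafal@DOMAIN.LOCAL\n"
    return "BH invalid token\n"
```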
