Re: [squid-users] 2 squid on the same server

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 01 May 2011 00:42:00 +1200

On 30/04/11 22:46, J. Webster wrote:
>
>>
>> Something has gone wrong external ACL should not be getting the username
>> and password. It should be getting the IP address on STDIN.
>>
> Of the examples that I can find, they all talk about the username and password being sent from squid:
> http://www.freesoftwaremagazine.com/articles/authentication_with_squid?page=0%2C0
> How else should the script get the username and password?
> I need username, password, and IP address, and then the script will check if the IP matches; if not, it will check the username and password; otherwise it will reject the connection.
>

Ah, that tutorial is about writing an authentication helper (i.e.
ncsa_auth), not an ACL helper.

The difference being that external_acl_type ACL helpers auth*orize* the
request, giving it permission to do something in Squid because it matches
an IP used by some username.

auth_param helpers auth*enticate* some security username:passtoken
credentials. They do not assign any permissions; they just state whether
the credentials are valid/invalid.

The script I was suggesting takes only the IP and produces the username
for logging. You need some database, AD login, etc. mapping which users
have been assigned which IP. The script uses that source to find the
username in the background and presents it to Squid via "OK
user=$username" or "ERR" results.

The squid.conf looks something like:

   # helper gets the client IP (%SRC) on STDIN, one request per line,
   # and answers "OK user=<name>" or "ERR" for each
   external_acl_type IPUser %SRC /path/to/script

   auth_param basic program /path/to/ncsa_auth

   # VPN subnet intercepted with NAT: allowed only if the IP maps to a user
   acl ipuser external IPUser
   acl vpn_subnet src 192.168.1.0/24
   http_access allow vpn_subnet ipuser

   # regular subnet who can login: must present valid credentials
   acl logIn proxy_auth REQUIRED
   acl other_subnet src 192.168.2.0/24
   http_access allow other_subnet logIn

   # strange machines we don't know.
   http_access deny all

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
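An added example of the IP-to-username helper the reply above describes. It is not code from the thread or from the Squid project; the IP_TO_USER table is a constructed stand-in for the "database, AD login, etc." that would record which user holds which VPN address, and the helper_reply/lookup_user function names are this example's own. It implements the protocol the reply states: Squid writes the %SRC value on one line of STDIN, and the helper answers "OK user=<name>" or "ERR" on STDOUT, failing closed on anything it cannot map.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: map a client IP to a username.

With "external_acl_type IPUser %SRC /path/to/script", Squid writes one
request per line on STDIN containing just the client IP, and expects one
reply line per request: "OK user=<name>" when the IP is assigned to a
user, or "ERR" when it is not.
"""
import ipaddress
import re
import sys

# Constructed stand-in for the database / AD source that records which
# user was assigned which VPN address. A real helper queries that
# backing store here instead of a dictionary.
IP_TO_USER = {
    "192.168.1.10": "alice",
    "192.168.1.11": "bob",
    "192.168.1.12": "bad name",  # contains whitespace; must not be passed on
}

# Squid parses the reply line on whitespace, so a username containing
# whitespace or '=' would corrupt the user= token. Only pass on names
# from a conservative character set (an assumption of this example).
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]+$")


def lookup_user(ip, table=IP_TO_USER):
    """Return the username assigned to ip, or None if unknown or not an IP."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    # str(addr) normalises the address so table keys match canonical form
    return table.get(str(addr))


def helper_reply(line, table=IP_TO_USER):
    """Build the reply Squid expects for one request line.

    The line carries a single field, the %SRC value. An empty line, extra
    fields, an unparseable address, an unknown IP, or an unusable username
    all yield "ERR", so the ACL simply does not match rather than granting
    access on bad data.
    """
    fields = line.split()
    if len(fields) != 1:
        return "ERR"
    user = lookup_user(fields[0], table)
    if user is None or not SAFE_USERNAME.match(user):
        return "ERR"
    return "OK user=%s" % user


def main():
    # Squid keeps the helper running and waits for a reply to each line,
    # so every reply must be written and flushed immediately.
    for line in sys.stdin:
        sys.stdout.write(helper_reply(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Two points worth checking when deploying a helper like this: Squid caches external ACL results per key (the default ttl and negative_ttl for external_acl_type are both 3600 seconds), so a VPN address that is reassigned to another user will keep matching the old name until the entry expires unless ttl= is lowered on the external_acl_type line; and the helper must never block on its lookup for long, because Squid waits for the reply before deciding the http_access line.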
Received on Sat Apr 30 2011 - 12:42:06 MDT

This archive was generated by hypermail 2.2.0 : Sat Apr 30 2011 - 12:00:04 MDT