Re: [squid-users] Pass MYPORT to proxy_auth?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 14 Sep 2011 21:22:25 +1200

On 14/09/11 20:36, David Rodman wrote:
> Hi - I have an application that could really benefit from being able
> to pass the %MYPORT value to the basic authentication helper. I have
> it working now by calling my external program twice, once as the
> external proxy_auth helper, which verifies that there is at least one
> username/password combination that matches the user's supplied
> credentials, and then the second one, an acl external class that
> does receive %MYPORT and completes the authentication by verifying
> that the login info is valid for the port the user is coming in on.
>
> If I could just pass the port number to the proxy_auth external
> helper, it would cut the processing time for this in half, and make
> the whole thing a lot cleaner.
>
> So - is there any way to do that, or must I modify the source code to
> accomplish it?

Authentication validity is universal in scope. The validity test result
makes no statements about whether access is permitted or denied. An
identical request coming from a different channel alters the shared
valid/invalid state for those credentials across both requests.

Altering the source will mean you have to write a whole new auth module
that handles multi-part credential indexing.

external_acl_type is capable of doing almost all of it by itself. Pass
it %LOGIN %>{Proxy-Authenticate} %MYPORT (with no proxy_auth ACL at
all). Use the "fake" Basic authenticator to get around the small problem
of needing an auth module configured.
  external ACL is indexed by the full set of keys you send to it
(credentials+port) so results are not shared and you can safely test
multiple parallel requests and allow/block independently without having
any security worries.

NP: the header is needed because we don't use or store the passwords in
Squid. Your helper will need to decode the header itself to get the
user's private details.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.11
Received on Wed Sep 14 2011 - 09:22:36 MDT
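
A sketch of the helper side of the approach described in the reply above, as an added example that is not part of the original message and not Squid's own code. It assumes Squid sends one request per line with three space-separated, percent-encoded fields (login, the Basic credentials header value, port), that helper concurrency is off, and that the helper answers OK or ERR; the names `ALLOWED`, `kdf`, `sample_line` and `check`, and all credentials, are constructed for illustration.

```python
# Added example: per-port credential check for a Squid external ACL helper.
# Assumed input: one line per request, "LOGIN HEADER MYPORT", percent-encoded.
import base64, hashlib, hmac, sys
from urllib.parse import quote, unquote

SALT = b"constructed-salt"  # constructed sample value

def kdf(password):
    # Sample parameters; store only the derived hashes, never the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 1000)

# Constructed sample data: (user, listening port) -> password hash.
ALLOWED = {
    ("alice", 3128): kdf("alice-pw-3128"),
    ("alice", 8080): kdf("alice-pw-8080"),
    ("bob", 8080): kdf("bob-pw"),
}

def sample_line(user, password, port, login=None):
    # Build a constructed request line in the assumed format, for testing.
    blob = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"{quote(login or user)} {quote('Basic ' + blob, safe='')} {port}"

def check(line):
    # Return "OK" or "ERR"; anything malformed fails closed.
    fields = [unquote(f) for f in line.split()]
    if len(fields) != 3:
        return "ERR"
    login, header, port = fields
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not (port.isascii() and port.isdigit()):
        return "ERR"
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return "ERR"
    user, sep, password = decoded.partition(":")
    if not sep or user != login:  # header must agree with the login field
        return "ERR"
    expected = ALLOWED.get((user, int(port)))
    # Always derive and compare so unknown pairs cost the same as known ones.
    match = hmac.compare_digest(kdf(password), expected or bytes(32))
    return "OK" if expected is not None and match else "ERR"

def main():
    for line in sys.stdin:
        sys.stdout.write(check(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply line

if __name__ == "__main__":
    main()
```

Because the decision is keyed on user, password and port together, the same credentials can be accepted on one port and rejected on another without one result affecting the other.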
