Re: [squid-users] external acl code examples

From: E.S. Rosenberg <esr+squid_at_g.jct.ac.il>
Date: Tue, 28 Feb 2012 15:50:20 +0200

2012/2/28 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 28/02/2012 9:07 p.m., Erwann Pencreach wrote:
>>
>> Hi all,
>>
>> here is what I've done in squid.conf :
>>
>> external_acl_type loggeduser children=15 %DST %SRC
>> /etc/squid3/squid.d/loggeduser_acl.sh
>> acl isok external loggeduser
>> http_access allow isok
>>
>
> If you add an ID you can use concurrency to reduce process overheads.
>
>> and here is loggeduser_acl.sh script :
>>
>>
>> while read dst srchost;
>
>
> while read id dst srchost;
>>
>> do
>>   date=$(date +"%d/%m/%Y %H:%M:%S")
>>   authuser=$(command to get logged user on client host)
>>   if [ ! $(echo $authuser | wc -w) -eq 1 ]
>>     then
>>       echo "[KO] number of connected user differs from 1 $srchost $dst" >>
>> /var/log/squid3/extacl.log
>>
>>       echo "ERR"
>
> echo "${id} ERR"
>
>>     else
>>       isok=$(the I check my access right)
>>       if [ $isok ]
>>         then
>>           echo "[OK]$date $authuser($accountstatus) $srchost $dst">>
>> /var/log/squid3/headers.log
>>           echo "OK user=$authuser"
>
>
> echo "${id} OK user=${authuser}"
>>
>>         else
>>           echo "[KO]$date $authuser($accountstatus) $srchost  $dst">>
>> /var/log/squid3/headers.log
>>           echo "ERR user=$authuser"
>
> echo "${id} ERR user=${authuser}"
>
> # NOTE: do you actually have authuser at this point?
>
>>         fi
>>     fi
>> done
>> exit 1
>>
>>
>
> The question that comes to my mind here is what backend you are intending to
> use this with? what authentication database/system needs you to write a
> whole new helper?
>
>
> Amos

I don't know about Erwann, but I am creating this to connect between
squid and cisco wlc, basically a script will update a MySQL db with
the user currently associated with an IP and then squid will get the
username based on the IP...
Since the user already authenticated against the WLC (which in turn
uses radius/ldap) I don't want to present them with another password
dialog so when the radius server logs a successful authentication for
IP X by user Y the db gets updated with those details...

Thanks for the example...
Eli
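Putting Amos's concurrency suggestion together with the IP-to-user lookup Eli describes, here is an added example that is not part of this thread (neither Erwann's script nor Amos's corrections): a helper that speaks the concurrent protocol and answers every channel ID exactly once, refusing IPs with zero or several mapped users. The squid.conf lines, the `--serve` flag and the in-script table standing in for the MySQL query are assumptions.

```sh
#!/bin/sh
# Concurrent Squid external ACL helper (added example; not Erwann's script
# or Amos's corrections). Assumed squid.conf side:
#   external_acl_type loggeduser children=5 concurrency=20 ttl=60 %DST %SRC /path/to/this.sh --serve
#   acl isok external loggeduser
#   http_access allow isok
# With concurrency=N squid prefixes every request line with a channel ID; each
# reply must start with that ID, and every request needs exactly one reply,
# otherwise the matching client request stalls until the helper times out.

# Constructed IP -> user table standing in for the MySQL table a (hypothetical)
# RADIUS log watcher would keep current. One record per line.
USER_TABLE='10.0.0.5 alice
10.0.0.6 bob
10.0.0.7 bob
10.0.0.7 carol'

# lookup_user IP: print every username currently mapped to IP (0..n lines)
lookup_user() {
    printf '%s\n' "$USER_TABLE" | awk -v ip="$1" '$1 == ip { print $2 }'
}

# handle_request "ID DST SRC": print the single reply line squid expects
handle_request() {
    set -- $1                       # word-split the request line
    id=$1; dst=$2; srchost=$3
    users=$(lookup_user "$srchost")
    count=$(printf '%s' "$users" | awk 'END { print NR }')   # empty -> 0
    if [ "$count" -ne 1 ]; then
        # no mapping, or several users behind one IP (NAT, stale rows):
        # deny, explain on stderr (squid copies it to cache.log), still answer
        printf '%s [KO] %s users for %s -> %s\n' \
            "$(date '+%d/%m/%Y %H:%M:%S')" "$count" "$srchost" "$dst" >&2
        printf '%s ERR\n' "$id"
    else
        # user= becomes the request's user name in access.log
        printf '%s OK user=%s\n' "$id" "$users"
    fi
}

# Serve requests only when started as the helper, so sourcing this file
# (for tests) does not block on stdin.
if [ "${1:-}" = "--serve" ]; then
    while IFS= read -r line; do
        handle_request "$line"
    done
fi
```

Feeding it `0 www.example.com 10.0.0.5` yields `0 OK user=alice`, while `10.0.0.7` (two users) and an unknown IP both get a tagged `ERR`, so squid never waits on a missing reply.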
Received on Tue Feb 28 2012 - 13:50:33 MST

This archive was generated by hypermail 2.2.0 : Wed Feb 29 2012 - 12:00:06 MST