Re: [squid-users] Re: external acl code examples

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 06 May 2012 11:09:31 +1200

On 6/05/2012 10:55 a.m., Amos Jeffries wrote:
> On 6/05/2012 8:09 a.m., E.S. Rosenberg wrote:
>> 2012/5/3 Eliezer Croitoru<eliezer_at_ngtech.co.il>:
>>> On 02/05/2012 14:53, E.S. Rosenberg wrote:
>>>> 2012/5/2 E.S. Rosenberg<esr_at_g.jct.ac.il>:
>>>>> Hi,
>>>>> I just thought I'd share the script I have for the squid side, maybe
>>>>> someone finds it useful.
>>>>> I wrote in PHP because I wanted to use prepared statements and am most
>>>>> familiar with PDO.
>>>>>
>>>>> Now my logs have usernames but squid does not allow me to make
>>>>> proxy_auth acls since I have no auth mechanism configured (this
>>>>> particular squid instance is a museum piece - 2.6, soon to be
>>>>> replaced), if this issue also exists in squid 3.1 then how would I
>>>>> control users based on a username returned through an external ACL?
>>>>>
>>>>> Thanks,
>>>>> Eli
>>>> I stuck the script on my server, that makes an easier read than from
>>>> inside a mail:
>>>> http://kotk.nl/verifyIP.phps
>>>>
>>>> Hope that helps,
>>>> Eli
>>>>
>>> I saw your external_acl app and it seems very nice.
>>> I wrote another one in Ruby that seems almost like that (a mimic for
>>> practice).
>>> And I was wondering how you plan to implement the
>>> proxy_auth acls?
>>> Using AD? Some other DB?
>> I am not sure I follow, do you mean how I intend to manage my lists of
>> usernames?
>> In that case I am pushing for the use of LDAP properties, then a
>> script will run every X time, determine whether or not the LDAP
>> database was changed since the last update (based on change
>> timestamps) and generate lists of usernames.
>> Currently we don't have a good way of managing this, I have some
>> scripts that work based on the location of a user in our organization
>> but that is not always correct.
>>> You mentioned something about the network infrastructure\CISCO if I
>>> remember right.
>> Yes, the link of IP->username is generated based on the radius logs of
>> the server that provides authentication for the wireless.
>>
>> However as said squid tells me that since I have no auth-mechanism
>> fully setup I can't use proxy_auth lists so I wonder how can I use the
>> username I provided in the external acl in the rest of squid?
>
> It is just a label to Squid. Authentication happened outside with no
> internal state other than the external_acl_type format key to link it
> to anything. It can be used in logging with %eo log tag, or passed to
> other proxies as HTTP auth login with cache_peer login= option.

Oops sorry %ue tag, not %eo.

Amos
Received on Sat May 05 2012 - 23:09:35 MDT
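
The kind of helper discussed in this thread, as an added example that is not the verifyIP script linked above nor code from any poster: it reads one client IP (`%SRC`) per line, looks it up with a bound SQL parameter, and answers `OK user=<name>` or `ERR`; the `user=` value is the label Squid logs with `%ue`. Python with sqlite3 stands in for PHP/PDO, and the `sessions` table, the `MAX_AGE` cutoff and the username character filter are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper sketch: map a client IP (%SRC) to a username label."""
import ipaddress
import re
import sqlite3
import sys
import time

MAX_AGE = 8 * 3600   # assumption: an IP->user mapping older than 8 h is stale
SAFE_USER = re.compile(r"[A-Za-z0-9._@-]{1,64}")   # keeps spaces/quotes out of the reply

def open_db(path=":memory:"):
    """Hypothetical schema standing in for data derived from RADIUS logs."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions "
               "(ip TEXT PRIMARY KEY, username TEXT, seen INTEGER)")
    return db

def answer(db, line, now=None):
    """Return the helper reply for one request line: 'OK user=<name>' or 'ERR'."""
    now = int(time.time()) if now is None else now
    fields = line.split()
    if len(fields) != 1:
        return "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))   # canonical form, rejects junk
    except ValueError:
        return "ERR"
    row = db.execute(
        "SELECT username, seen FROM sessions WHERE ip = ?", (ip,)  # bound parameter
    ).fetchone()
    # Fail closed: unknown IP, stale mapping, or a name unsafe to echo back.
    if row is None or now - row[1] > MAX_AGE or not SAFE_USER.fullmatch(row[0]):
        return "ERR"
    return "OK user=" + row[0]

def main():
    db = open_db()
    now = int(time.time())
    db.executemany("INSERT INTO sessions VALUES (?, ?, ?)", [
        ("192.0.2.10", "alice", now),               # constructed sample rows
        ("192.0.2.11", "bob", now - 2 * MAX_AGE),   # stale, will be refused
    ])
    for line in sys.stdin:                          # one request per line from Squid
        print(answer(db, line), flush=True)         # Squid blocks until each reply

if __name__ == "__main__":
    main()
```

Because the IP-to-user link comes from wireless login records rather than from the client itself, the age check matters: without it a reassigned address would keep carrying the previous user's label into the logs.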
