Re: [squid-users] Squid auth question

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 09 Jan 2013 00:11:32 +1300

On 8/01/2013 3:26 a.m., Grooz, Marc (regio iT) wrote:
> Hi,
>
> I've got a question about an external_acl. We use our own external helper
> to check if a user is in a particular group and then assign a special
> outgoing ip address.
>
> Here is an example:
>
> external_acl_type HELPER ttl=3600 negative_ttl=300 children=10
> concurrency=0 cache=0 grace=0 protocol=2.5 %SRC /path/to/helper
>
> acl group1 external HELPER group1
> acl group2 external HELPER group2
>
> http_access allow group1
> tcp_outgoing_address 1.2.3.4 group1
>
> http_access allow group2
> tcp_outgoing_address 1.2.3.5 group2
>
> In the helper protocol I notice that Squid tries to reauthenticate users
> that belong to group2 every 10 minutes in group1, even when they are
> already allowed in group2. Is there an option that tells Squid to
> remember successful authentications?

There is no authentication taking place above. Only authorization for
requests to be served by Squid using one of two IPs.

Why not have the helper checking which group they are part of and
tagging the request?

The helper gets passed the IP and both groups and in one lookup returns
"OK tag=group1" or "OK tag=group2"

Making the ACLs these:

   acl groups external HELPER group1 group2
   acl group1 tag group1
   acl group2 tag group2

Then you adjust http_access like so:

  http_access allow groups

Amos
Received on Tue Jan 08 2013 - 11:11:41 MST
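
The single-lookup tagging helper suggested in the reply above, as an added example that is not part of the original message or of Squid's own code. The network-to-group table and the function names are constructed for illustration, and the request line is assumed to be the %SRC address followed by the group names, with no escaped characters.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: one lookup per request, result returned as a tag."""
import ipaddress
import sys

# Constructed sample data: which client networks belong to which group.
# A real helper would query its directory or database here.
GROUP_NETWORKS = {
    "group1": [ipaddress.ip_network("192.0.2.0/25")],
    "group2": [ipaddress.ip_network("192.0.2.128/25")],
}


def lookup_group(src):
    """Return the group owning the client address, or None."""
    for group, networks in GROUP_NETWORKS.items():
        if any(src in net for net in networks):
            return group
    return None


def answer(line):
    """Build the reply for one request line: '<%SRC> <group> [<group> ...]'."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"  # malformed request: fail closed
    try:
        src = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"  # not an IP address: fail closed
    group = lookup_group(src)
    # Only tag with a group the ACL line actually asked about.
    if group is None or group not in fields[1:]:
        return "ERR"
    return "OK tag=" + group


def main():
    # concurrency=0: one request per line, one reply per line, in order.
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for the reply; never leave it buffered


if __name__ == "__main__":
    main()
```

A client that matches no requested group gets ERR, so it matches neither tag ACL and is never assigned one of the group-specific outgoing addresses.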
