On 16/02/2013 3:23 p.m., James Harper wrote:
> On a Windows desktop there are often a bunch of system services that make http connections, either running as a system account or running as a user but that don't know how to authenticate. The list of these exceptions is tedious to maintain so it would be good to be able to authorise the users IP address once they have successfully authenticated to squid, sort of like the old style 'pop before smtp' auth used to work.
Tedious to maintain? what exactly are you listing?
I list services by approving and whitelisting destination domains.
That is no much work, as the listing only needs adapting when the first
time you encounter a service. A second, third... thousandth client
system using that service does not make any difference.
>
> If such a solution was scriptable I could also use something like netfilter ipsets to allow access on non-http ports using squid authentication.
>
> What hooks exist to allow this sort of thing?
Some Warnings first:
* Be careful with this. It is not very safe to trust an IP just because
you saw credentials from it earlier on a completely different connection.
* Clients are able to run proxy software and share their internet
connection with the world very easily these days.
* You loose all tracking of any infections or malicious software they
may be infected with.
* You loose the ability for users to share machines. User A can shut
down the machine, user B restart it and if they are fast enough the
proxy shares the session started by user A.
* the above means you loose the ability to identify which user is doing
what actions (once the IP-based session is active the credentials are
not used or logged).
Anyways....
What you want to look at is the session helper, with its active mode (-a
command line parameter).
http://www.squid-cache.org/Versions/v3/3.2/manuals/ext_session_acl.html
For example:
external_acl_type session ttl=300 %SRC
*/usr/local/squid/libexec/ext_session_acl -t 300 -a*
# allow client IPs which have already logged in earlier
acl sessionActive external session
http_access allow sessionActive
# deny anyone not logged in (triggers the login process)
acl auth proxy_auth REQUIRED
http_access deny !auth
# allow clients with login and create a session for them
acl sessionStart external session LOGIN
http_access allow auth sessionLogin
If you want to be fancy you can add the following snippet *above* the
sessionActive ACL test and setup a script which when the user logs off
their machine makes a web request (without credentials) to
http://example.com/logout . That will help avoid the session-sharing
problem provided people logout properly.
# magic logout. Visit the URL http://example.com/logout from a script
on the box to log this client out of the session when they logout or
shut down.
acl sessionLogout external session LOGOUT
acl logoutMagic url_regex ^http://example.com/logout$
http_access deny magicLogout sessionLogout
Amos
Received on Sat Feb 16 2013 - 03:26:49 MST
This archive was generated by hypermail 2.2.0 : Sat Feb 16 2013 - 12:00:05 MST