[squid-users] Delay Pools with Digest and External Auth

From: Nils Hügelmann <nils_at_huegelmann.info>
Date: Sat, 11 May 2013 22:03:40 +0200

Hi,

I want to use both Digest Auth and External Auth ("simpleheaderauth")
for authentication, and need to assign different delay pools to single
users based on another external_acl (premiumcheck).

So I have (stripped down for readability):

-----------------
external_acl_type simpleheaderauth %>{Proxy-Authorization} simpleauth
external_acl_type premiumcheck %>{Proxy-Authorization} premium
auth_param digest program digestauth

acl proxyauth proxy_auth REQUIRED
acl simpleheaderauth_passed external simpleheaderauth
acl premiumcheck_passed external premiumcheck

# activate additional external acls
http_access allow premiumcheck_passed !all
http_access allow freethrottled_passed !all

http_access allow simpleheaderauth_passed
http_access allow proxyauth
http_access deny !proxyauth

http_access deny all
-----------------

Which works fine in regards to access control, one can either login via
"simpleheaderauth" (external_acl) or via "digestauth" (auth_param).

I want to have 2 bandwidth limit levels.

Situation from here is as follows:

When using simpleheaderauth:
 - EXT_USER is available (username passed from simpleheaderauth
external_acl)
 - Tag is available (tag passed from simpleheaderauth external_acl)
 - premiumcheck_passed is properly set

When using digestauth:
 - LOGIN is available (username passed from auth_param)
 - Tag is not available
 - premiumcheck_passed is not usable

Delay pools need to work per individual user, so only class 5 pools (
tagrate ) or class 4 pools ( aggregate, network, individual, user )
would be possible.

As simpleheaderauth has no user defined, and digestauth has no tag, my
first attempt for delay_pools was to create 2 sets of pools with 2
classes each:

-----------------
delay_class 1 5
delay_class 2 5
delay_class 3 4
delay_class 4 4

# 1st set for simpleheaderauth
delay_parameters 2 2097152/2097152
delay_access 2 allow simpleheaderauth_passed premiumcheck_passed

delay_parameters 1 76800/76800
delay_access 1 deny premiumcheck_passed
delay_access 1 allow simpleheaderauth_passed

# 2nd set for digestauth
delay_parameters 4 -1/-1 -1/-1 -1/-1 2097152/2097152
delay_access 4 allow premiumcheck_passed

delay_parameters 3 -1/-1 -1/-1 -1/-1 76800/76800
delay_access 3 deny premiumcheck_passed
delay_access 3 allow all
-----------------

1. Can one somehow simplify this by making Tag available for digest, or
making class 4 username available for external_acl?

2. The problem with my attempt is that premiumcheck_passed is not
evaluated when using digestauth. Every digestauth user is assigned to
pool 3, while simpleheaderauth users are properly assigned based on
premiumcheck_passed. How can I solve this?

Thanks

Nils Hügelmann
Received on Sat May 11 2013 - 20:03:41 MDT
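
Added example, not part of the original post and not Squid's or the poster's own code: a sketch of an external ACL helper fed `%>{Proxy-Authorization}`, as `premiumcheck` is above, that recovers the claimed username from a Digest header (and, as a generalization, a Basic one) and answers with `user=` and `tag=`. Assumptions: Squid sends one URL-escaped header value per line with no concurrency channel ID, and the `PREMIUM_USERS` set and the `premium`/`free` tag names are hypothetical.

```python
#!/usr/bin/env python3
# Added example: Squid external ACL helper sketch (not from the original post).
import base64
import binascii
import re
import sys
from urllib.parse import unquote

PREMIUM_USERS = {"alice"}  # constructed sample data, stands in for a real lookup
SAFE_USER = re.compile(r"^[A-Za-z0-9._@-]+$")  # keeps the reply line unambiguous
DIGEST_USER = re.compile(r'(?:^|,)\s*username="([^"]*)"')


def username_from_header(escaped):
    """Return the username claimed in a URL-escaped Proxy-Authorization value."""
    # The name is only *claimed* here: nothing is verified, so the result is
    # safe to use only for requests that also pass the proxy_auth ACL.
    scheme, _, params = unquote(escaped.strip()).partition(" ")
    scheme = scheme.lower()
    if scheme == "digest":
        m = DIGEST_USER.search(params)
        return m.group(1) if m else None
    if scheme == "basic":
        try:
            decoded = base64.b64decode(params.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, _ = decoded.partition(":")
        return user if sep else None
    return None


def answer(line):
    """Build the helper reply (OK with user= and tag=, or ERR) for one lookup."""
    user = username_from_header(line)
    if not user or not SAFE_USER.match(user):
        return "ERR"
    tag = "premium" if user in PREMIUM_USERS else "free"
    return f"OK user={user} tag={tag}"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply before the next lookup


if __name__ == "__main__":
    main()
```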