Re: [squid-users] Delay Pools with Digest and External Auth

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 13 May 2013 12:32:40 +1200

On 12/05/2013 8:03 a.m., Nils Hügelmann wrote:
> Hi,
>
> I want to use both Digest Auth and External Auth ("simpleheaderauth")
> for authentication, and need to assign different delay pools to single
> users based on another external_acl (premiumcheck).
>
> So i have (stripped down for readability)
>
> -----------------
> external_acl_type simpleheaderauth %>{Proxy-Authorization} simpleauth
> external_acl_type premiumcheck %>{Proxy-Authorization} premium
> auth_param digest program digestauth
>
> acl proxyauth proxy_auth REQUIRED
> acl simpleheaderauth_passed external simpleheaderauth
> acl premiumcheck_passed external premiumcheck
>
> # activate additional external acls
> http_access allow premiumcheck_passed !all
> http_access allow freethrottled_passed !all
>
> http_access allow simpleheaderauth_passed
> http_access allow proxyauth
> http_access deny !proxyauth
>
> http_access deny all
> -----------------
>
> Which works fine in regards to access control, one can either login via
> "simpleheaderauth" (external_acl) or via "digestauth" (auth_param).
>
> I want to have 2 bandwidth limit levels.
>
> Situation from here is as follows:
>
> When using simpleheaderauth:
> - EXT_USER is available (username passed from simpleheaderauth
> external_acl)
> - Tag is available (tag passed from simpleheaderauth external_acl)
> - premiumcheck_passed is properly set
>
> When using digestauth:
> - LOGIN is available (username passed from auth_param)
> - Tag is not available
> - premiumcheck_passed is not usable
>
> Delay pools need to work per individual user, so only class 5 pools (
> tagrate ) or class 4 pools ( aggregate, network, individual, user )
> would be possible.
>
> As simpleheaderauth has no user defined, and digestauth has no tag, my
> first attempt for delay_pools was to create 2 sets of pools with 2
> classes each:
>
> -----------------
> delay_class 1 5
> delay_class 2 5
> delay_class 3 4
> delay_class 4 4
>
> # 1st set for simpleheaderauth
> delay_parameters 2 2097152/2097152
> delay_access 2 allow simpleheaderauth_passed premiumcheck_passed
>
> delay_parameters 1 76800/76800
> delay_access 1 deny premiumcheck_passed
> delay_access 1 allow simpleheaderauth_passed
>
> # 2nd set for digestauth
> delay_parameters 4 -1/-1 -1/-1 -1/-1 2097152/2097152
> delay_access 4 allow premiumcheck_passed
>
> delay_parameters 3 -1/-1 -1/-1 -1/-1 76800/76800
> delay_access 3 deny premiumcheck_passed
> delay_access 3 allow all
> -----------------
>
> 1. Can one somehow simplify this by making Tag available for digest, or
> making class 4 username available for external_acl?

I have work lined up on the TODO list for implementing tag on auth
interfaces in the next Squid versions.
If you are able to assist with sponsoring that I can divert some time
back towards it.

However, ...

Alternative #1:
  * make your simple and premium helper lookups produce tags indicating
those levels.
  * create a dummy external ACL helper lookup test which always responds
"OK tag=digest-auth". Call it only after proxyauth ACL has succeeded
doing digest.

eg:
   external_acl_type digestauth %LOGIN basic_fake_auth
   acl digest_tagger external digestauth

   http_access allow proxyauth digest_tagger

You can then use "tag" type ACLs for delay_access.

> 2. The problem with my attempt is that premiumcheck_passed is not
> evaluated when using digestauth. Every digestauth user is assigned to
> pool 3, while simpleheaderauth users are properly assigned based on
> premiumcheck_passed. How can i solve this?

You have isolated the problem pretty accurately. Its root cause is the
mismatch between delay_access being a "fast" ACL check and the tests you
are using being "slow" group ACLs.

Amos
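A worked version of Alternative #1, added here as an example and not part of the original thread or of Squid itself: a minimal external_acl helper that ignores its input and always answers "OK tag=digest-auth", so that the tag (a "fast" ACL) can be matched in delay_access instead of the "slow" external lookup. The squid.conf wiring in the comments mirrors Amos's sketch; the helper and ACL names (digest_tagger_type, digest_tagger, tag_digest, digest_tagger.sh) and the -c concurrency switch are assumptions for this example. The helper speaks the external_acl_type line protocol: one request line per lookup, one "OK"/"ERR" reply line with optional key=value pairs, and, when Squid starts the helper with concurrency=N, a channel id on each request that must be echoed back first.

```shell
#!/bin/sh
# digest_tagger.sh - Squid external_acl helper that tags every request it
# sees as digest-authenticated. Added example, not code from the thread
# or from Squid; names below are assumed.
#
# Intended squid.conf wiring (assumed names):
#   external_acl_type digest_tagger_type %LOGIN /usr/local/bin/digest_tagger.sh
#   acl digest_tagger external digest_tagger_type
#   # the slow external lookup runs here, in http_access, after digest auth:
#   http_access allow proxyauth digest_tagger
#   # ... and only the resulting tag (a fast ACL) is tested in delay_access:
#   acl tag_digest tag digest-auth
#   delay_access 3 allow tag_digest
#
# With "concurrency=N" on the external_acl_type line, start the helper with
# "-c": each request is then "<channel-id> <fields...>" and the reply must
# begin with the same channel id.

# tag_reply REQUEST_LINE [concurrent]
# Returns the reply for one request line on stdout.
tag_reply() {
    request=$1
    mode=$2
    if [ "$mode" = "concurrent" ]; then
        # First whitespace-separated token is the channel id; echo it back.
        channel=${request%% *}
        printf '%s OK tag=digest-auth\n' "$channel"
    else
        # The %LOGIN value is deliberately never interpolated into the reply:
        # every request reaching this helper already passed proxy_auth, and a
        # fixed reply means no crafted login name can alter the tag.
        printf 'OK tag=digest-auth\n'
    fi
}

# helper_loop [concurrent]
# Reads request lines from stdin until EOF, answering each one immediately
# so Squid never waits on a buffered reply.
helper_loop() {
    mode=$1
    while IFS= read -r line; do
        tag_reply "$line" "$mode"
    done
}

# Only run the loop when executed as the helper script itself, so the
# functions can also be sourced for testing.
case "${0##*/}" in
    digest_tagger*)
        if [ "${1:-}" = "-c" ]; then
            helper_loop concurrent
        else
            helper_loop
        fi
        ;;
esac
```

Quick offline check of the protocol behaviour (constructed request lines): printf 'alice\nbob\n' | sh digest_tagger.sh should print two "OK tag=digest-auth" lines, and printf '7 alice\n' | sh digest_tagger.sh -c should print "7 OK tag=digest-auth". Note that a tag=... reply only helps once Squid has evaluated the external ACL for the request, which is why the lookup sits in http_access and delay_access tests only the tag.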
Received on Mon May 13 2013 - 00:32:47 MDT

This archive was generated by hypermail 2.2.0 : Sun May 19 2013 - 12:00:08 MDT