Re: [squid-users] Delay Pools with Digest and External Auth

From: Nils Hügelmann <nils_at_huegelmann.info>
Date: Sat, 18 May 2013 22:11:08 +0200

Thanks, I've made it work using a modification of your recommendations.

I summarize my solution in case others have a similar problem:

- Class 5 Delay Pools used (limit by Tag)
- External Auth helper program assigns username as EXT_TAG
- When Digest is used, there is a dummy helper that just assigns
username as EXT_TAG
- Dummy helper is activated using "http_access allow proxyauth
digest_tagger"

- Classification in multiple delay pools is done via other external_auth
ACLs
- These external_auths are activated (to circumvent slow/fast acl
issues) using "http_access allow EXTACLNAME !all"
- These external_auths need to interpret both the external_auth header
and the digest callback to get the username

Best Regards

Nils
On 13.05.2013 02:32, Amos Jeffries wrote:
> On 12/05/2013 8:03 a.m., Nils Hügelmann wrote:
>> Hi,
>>
>> I want to use both Digest Auth and External Auth ("simpleheaderauth")
>> for authentication, and need to assign different delay pools to single
>> users based on another external_acl (premiumcheck).
>>
>> So I have (stripped down for readability)
>>
>> -----------------
>> external_acl_type simpleheaderauth %>{Proxy-Authorization} simpleauth
>> external_acl_type premiumcheck %>{Proxy-Authorization} premium
>> auth_param digest program digestauth
>>
>> acl proxyauth proxy_auth REQUIRED
>> acl simpleheaderauth_passed external simpleheaderauth
>> acl premiumcheck_passed external premiumcheck
>>
>> # activate additional external acls
>> http_access allow premiumcheck_passed !all
>> http_access allow freethrottled_passed !all
>>
>> http_access allow simpleheaderauth_passed
>> http_access allow proxyauth
>> http_access deny !proxyauth
>>
>> http_access deny all
>> -----------------
>>
>> Which works fine in regards to access control, one can either login via
>> "simpleheaderauth" (external_acl) or via "digestauth" (auth_param).
>>
>> I want to have 2 bandwidth limit levels.
>>
>> Situation from here is as follows:
>>
>> When using simpleheaderauth:
>> - EXT_USER is available (username passed from simpleheaderauth
>> external_acl)
>> - Tag is available (tag passed from simpleheaderauth external_acl)
>> - premiumcheck_passed is properly set
>>
>> When using digestauth:
>> - LOGIN is available (username passed from auth_param)
>> - Tag is not available
>> - premiumcheck_passed is not usable
>>
>> Delay pools need to work per individual user, so only class 5 pools (
>> tagrate ) or class 4 pools ( aggregate, network, individual, user )
>> would be possible.
>>
>> As simpleheaderauth has no user defined, and digestauth has no tag, my
>> first attempt for delay_pools was to create 2 sets of pools with 2
>> classes each:
>>
>> -----------------
>> delay_class 1 5
>> delay_class 2 5
>> delay_class 3 4
>> delay_class 4 4
>>
>> # 1st set for simpleheaderauth
>> delay_parameters 2 2097152/2097152
>> delay_access 2 allow simpleheaderauth_passed premiumcheck_passed
>>
>> delay_parameters 1 76800/76800
>> delay_access 1 deny premiumcheck_passed
>> delay_access 1 allow simpleheaderauth_passed
>>
>> # 2nd set for digestauth
>> delay_parameters 4 -1/-1 -1/-1 -1/-1 2097152/2097152
>> delay_access 4 allow premiumcheck_passed
>>
>> delay_parameters 3 -1/-1 -1/-1 -1/-1 76800/76800
>> delay_access 3 deny premiumcheck_passed
>> delay_access 3 allow all
>> -----------------
>>
>> 1. Can one somehow simplify this by making Tag available for digest, or
>> making class 4 username available for external_acl?
>
> I have work lined up on the TODO list for implementing tag on auth
> interfaces in the next Squid versions.
> If you are able to assist with sponsoring that I can divert some time
> back towards it.
>
> However, ...
>
> Alternative #1:
> * make your simple and premium helper lookups produce tags indicating
> those levels.
> * create a dummy external ACL helper lookup test which always
> responds "OK tag=digest-auth". Call it only after proxyauth ACL has
> succeeded doing digest.
>
> eg:
> external_acl_type digestauth %LOGIN basic_fake_auth
> acl digest_tagger external digestauth
>
> http_access allow proxyauth digest_tagger
>
> You can then use "tag" type ACLs for delay_access.
>
>
>> 2. The problem with my attempt is that premiumcheck_passed is not
>> evaluated when using digestauth. Every digestauth user is assigned to
>> pool 3, while simpleheaderauth users are properly assigned based on
>> premiumcheck_passed. How can I solve this?
>
> You have isolated the problem pretty accurately. Its root cause is
> the mismatch between delay_access being a "fast" ACL check and the tests
> you are using being "slow" group ACLs.
>
> Amos
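An added illustration of the "tagger" helper from Amos's alternative #1 and Nils's summary (a helper that must get the username from either the Digest login or the external-auth header). This is example code written for this page, not a helper from the thread or from the Squid project; it assumes the external_acl_type is fed `%LOGIN %>{Proxy-Authorization}`, that Squid URL-encodes each field (the 3.x `quote=url` default) and substitutes "-" for a missing value, and that the helper is only invoked after `http_access allow proxyauth ...` has already authenticated the request, so it tags and never authenticates.

```python
#!/usr/bin/env python3
"""Dummy tagger external ACL helper for Squid (constructed example).

Assumed squid.conf wiring (assumption, mirrors the thread):
  external_acl_type tagger %LOGIN %>{Proxy-Authorization} /usr/local/bin/tagger.py
  acl digest_tagger external tagger
  http_access allow proxyauth digest_tagger
Squid sends one request per line; the helper answers "OK tag=<user>" or "ERR".
"""
import base64
import re
import sys
from urllib.parse import unquote

_DIGEST_USER = re.compile(r'username="([^"]*)"')


def username_from_request(line: str):
    """Return the username for one helper input line, or None if unknown."""
    fields = [unquote(f) for f in line.rstrip("\n").split(" ")]
    login = fields[0] if fields else "-"
    header = fields[1] if len(fields) > 1 else "-"
    # %LOGIN is "-" unless an auth_param scheme (e.g. Digest) supplied a user.
    if login not in ("", "-"):
        return login
    # Otherwise fall back to the header the external_acl scheme relies on.
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "basic":
        try:
            creds = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, _password = creds.partition(":")
        return user if sep else None
    if scheme.lower() == "digest":
        match = _DIGEST_USER.search(value)
        return match.group(1) if match else None
    return None


def response_for(line: str) -> str:
    """Build the helper reply; usernames with whitespace cannot be safe tags."""
    user = username_from_request(line)
    if not user or any(ch.isspace() for ch in user):
        return "ERR"
    return "OK tag=" + user  # matched later by a "tag" ACL in delay_access


def main():
    for line in sys.stdin:
        sys.stdout.write(response_for(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```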
Received on Sat May 18 2013 - 20:11:11 MDT