I am trying to emulate the obsoleted option 
authenticate_ip_shortcircuit_ttl using the technique suggested by Amos in:
http://www.squid-cache.org/mail-archive/squid-users/201201/0333.html
but with an important difference: I want to actually set the login name 
in the request for subsequent processing (allow/deny and 
tcp_outgoing_address selection). I am using squid version 3.2.5, and 
tried with 3.4.3 as well.
I am using two external ACL helpers, one used in the very first 
http_access statement, and one just after the first auth-requiring 
http_access line. I am using redis as a cache.
The first helper has format %SRC and, if found in cache, sets 
"user=<username>".
The second has format %SRC %LOGIN %EXT_LOGIN and captures valid 
IP/username association, skipping the ones produced by the first script.
The second script works and I can see the cache filling up.
The first script half-works. It works in the sense that the username 
gets written in access.log. It doesn't work in the sense that 
authentication is actually being asked to the user again, i.e. I have 
lines in access.log with TCP_DENIED/407 and the valid (and correct) 
username, and from the debug I know that it is the username that I set 
into the first helper.
Am I missing something? Maybe setting user= with an external ACL isn't 
really a good thing? I tried with helpers returning "OK 
username=<url-encoded-username>" as well as "ERR 
username=<url-encoded-username>".
Ideas? Is anyone actually using username= in ACL helpers?
I also tried to wrap ntlm_auth, but in the auth_param protocol there is 
no IP address to be used as cache key.
Thanks in advance,
                                        Bergonz
Received on Wed Feb 05 2014 - 17:42:25 MST
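
The two helper roles described in the message above, sketched as an added example that is not the poster's code or part of Squid. Assumptions: an in-memory dict stands in for redis, the TTL value is arbitrary, empty format tokens arrive as "-", names are URL-encoded in both directions, and the recording helper always answers OK.

```python
import time
from urllib.parse import quote, unquote

TTL_SECONDS = 300  # assumed short-circuit lifetime; not a value from the post


class IpLoginCache:
    """In-memory stand-in for the redis cache: source IP -> (username, expiry)."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.time):
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def put(self, ip, user):
        self.entries[ip] = (user, self.clock() + self.ttl)

    def get(self, ip):
        user, expiry = self.entries.get(ip, (None, 0))
        if user is None or self.clock() >= expiry:
            self.entries.pop(ip, None)  # expired entries force a real login again
            return None
        return user


def lookup_helper(line, cache):
    """First helper (%SRC): answer OK user=<name> on a fresh cache hit, else ERR."""
    fields = line.split()
    user = cache.get(fields[0]) if len(fields) == 1 else None
    return f"OK user={quote(user, safe='')}" if user else "ERR"


def record_helper(line, cache):
    """Second helper (%SRC %LOGIN %EXT_LOGIN): store only proxy-authenticated logins."""
    fields = line.split()
    if len(fields) != 3:
        return "ERR"
    ip, login, ext_login = fields
    # Assumption: "-" marks an empty token, and a non-empty %EXT_LOGIN means the
    # name came from the lookup helper; caching it again would renew the TTL
    # indefinitely without the client ever authenticating.
    if login != "-" and ext_login == "-":
        cache.put(ip, unquote(login))
    return "OK"


def serve(handler, cache, stdin, stdout):
    """Helper main loop: one request line in, one reply line out, flushed each time."""
    for line in stdin:
        stdout.write(handler(line, cache) + "\n")
        stdout.flush()
```

Each helper process would call `serve` with `sys.stdin` and `sys.stdout`, sharing the same cache backend.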