Re: [squid-users] Squid Newbie- Some basic questions about Squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 24 May 2013 19:19:27 +1200

On 23/05/2013 8:47 p.m., arvind_at_dievssoftware.com wrote:
> Hi
>
> I am very new to Squid and have a particular use case in mind for it.
>
> Having said that, I would be grateful if anyone could clarify the following for me--
>
> (1) From what I have seen, Squid can be used to authenticate a user- for eg against a database. Now, can such authentication be done against a remote database? (Not on same server)

Yes.

> (2) Also, can I set the duration for which this authentication is valid-- after which user has to log in again? (Even if he forgets to log out)?

To some degree. HTTP requires credentials to be delivered on every
request over the wire. But there are several levels of caching
optionally involved, at the browser, the proxy, the helper and the auth
backend system - whatever that is. Squid auth_param credentialsttl
option sets the TTL for proxy caching.
http://www.squid-cache.org/Doc/config/auth_param/

> (3) If user has to manually log out every time- but forgets to do so-- can I create a plugin/ force Squid to manually clear that user’s session data→ so that it's like enforced logout after some time period(but it's done manually rather than automatically)? How do I create such a plugin?

There is no such thing as a session in HTTP protocol. Sessions are a
feature of browser and server statefulness. HTTP itself is stateless.

> (4) If user is accessing the Squid proxy from one IP address and one browser and has logged in successfully. Now he opens another browser on same computer→ ie from same IP he accesses that proxy server-- will he have to login again (with new browser- ie normal behaviour which is expected)- or will he be automatically logged in from every browser on that IP (ie that PC)?

That depends on the software outside of Squid. All Squid does is relay
authentication details between client and the auth backend(s), offering
clients with no credentials a list of the backend types.

> (5) Is there some way to stylize the Squid login box? Instead of the default box that pops up? How do I do this?

There is no Squid login box. GUI is a browser feature.

Unless you are talking about HTML forms "login", which is all happening
at a level which is unrelated to HTTP authentication entirely. Squid is
not involved there at all.

> (6) Now, suppose a user has logged in. I want to implement this logic within squid itself-- Squid should now check if there is a page at http://somedomain.com/page.html → if this page exists then Squid redirects that request to the page above-- however if the page does not exist at http://somedomain.com/page.html → in that case Squid redirects to another URL). Is such conditional redirection possible?

Use an http_status type ACL in http_reply_access to check for the 404
status code, and a deny_info to alter the payload returned when that ACL
matches.

Why you would want an already logged in user, to be faced with a
re-login if they happened to typo an URL is beyond me. It seems

BTW: Verisign already tried doing conversion of non-existence codes to
redirect codes, albeit at the DNS level with non-existing domains ending
in .com. There were *massive* amounts of problems created as side
effects which proved conclusively how important the non-existence code
is to technology (binary would not exist without any zeros for example).
A fair bunch of those side effects were on HTTP applications and will
also occur if you alter any of the 4xx and 5xx status without the proxy
fixing the problem (Squid can re-try alternatives in some 5xx status for
example to produce a 200).

> (7) Another query-- can the same Squid server first check the URL which is requested-- and depending on some parameters in the URL→ either direct the URL to some destination without any authentication? But for some other types of requested URLs(with some specific types / values of parameters in URL)→ Squid asks for authentication? Again, for both these cases (with or without authentication) Squid should be able to apply conditional redirection (as specified in point 6).

I'm not sure what you mean by "check the URL". Squid is aware of the
URL at all stages of processing once parsing is complete.

Amos
Received on Fri May 24 2013 - 07:19:36 MDT
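
A squid.conf sketch of the two mechanisms named in the reply above (the auth_param credentialsttl cache lifetime and the http_status ACL with deny_info), added here as an example and not part of the original message. The helper path, database host, account, table and column names, realm and fallback URL are assumed placeholders.

```conf
# --- Authentication against a remote database (questions 1 and 2) ---
# Assumed placeholders: helper install path, DB host, account, table/columns.
# The DB password sits in this file in cleartext, so keep squid.conf readable
# only by the proxy user and give the account read-only access to one table.
auth_param basic program /usr/lib/squid/basic_db_auth --dsn DBI:mysql:database=squid;host=db.example.internal --user squid_ro --password CHANGE_ME --table passwd --usercol user --passwdcol password --persist
auth_param basic children 5
auth_param basic realm Example proxy

# How long Squid reuses a helper verdict before asking the backend again.
# This is the proxy-level cache only: the browser still sends credentials
# on every request, so expiry here re-validates against the database; it
# does not by itself make the browser prompt the user again.
auth_param basic credentialsttl 15 minutes

acl authed proxy_auth REQUIRED

# --- Replacing 404 replies (question 6) ---
# Match replies whose status is 404, deny them at reply time, and let
# deny_info decide what the client gets instead. A URL here makes Squid
# answer with a redirect to that URL rather than the origin's 404 body.
acl not_found http_status 404
http_reply_access deny not_found
deny_info http://fallback.example.com/ not_found

# --- Request-side policy ---
http_access allow authed
http_access deny all
```

Disabling or removing an account in the database takes effect at the proxy only after the cached verdict ages out, so credentialsttl is also the upper bound on how long a revoked user keeps access.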
