Hi Jeffries!
I created my own script auth_basic. This script checks the username and
password, if correct it inserts the username and date in the table
sessions and returns OK login = username for squid.
I also created one helper with ttl = 60. This helper takes the username
and password and check the sessions table if the field ip is empty. If
not empty he updates the field.
The problem is that when it spends 60 seconds a request is sent to the
helper with %LOGIN empty, as the helper does not identify the username
and return ERR to squid then open the popup window again.
Can you help?
Thanks!
Em 14/08/2013 20:21, Amos Jeffries escreveu:
> On 2013-08-13 07:55, Oliveiros Peixoto (Netinho) wrote:
>> Hi Michael!
>>
>> I need that user auth with popup browser.
>>
>
> Please note a few things:
> * IP address is neither a user name nor a password. Basic
> authentication does not contain the concept of domain which an IP
> address could be twisted into fitting.
>
> * on the modern Internet a single user may have multiple IP addresses.
> Thanks to "privacy addressing" they *do* use a multitude of IP across
> any time period even if they are using the same browser. Forcing a
> browser popup and re-authentication every couple of minutes (once per
> 15-30 minutes by default in Windows Vista or later) is *not* providing
> your users with a pleasant experience.
>
> * the auth_param helpers input format is strictly limited for security
> reasons. It is not arbitrary or aged code limits. The access controls
> security limiting users by IP address count, connection count, user
> groups (surprise!), and user reporting are completely broken if each
> username+IP+password combination is treated as a unique user login by
> the helper.
>
>
> In response to your complaint about the popup. The external ACL using
> %LOGIN *do* trigger an authentication challenge with the browser if it
> returns "ERR" to Squid and the ACL using it is placed on a
> "http_access deny ..." line.
> This is annoying to some since Squid blindly assumes it was the %LOGIN
> credentials which were the problem, but since you are saying that is
> what you want there should be no problem. Use it as you would an ACL
> of type proxy_auth.
>
> Have your auth_param helper return OK if the user+password details are
> a valid pairing - this is the validation / 'authentication' part -
> (the basic_db_auth helper provided with Squid should be fine).
> Then the external ACL helper return OK and do the actual DB login
> update only if the username+password+IP triplet is acceptible - this
> is the authorization / permission part.
>
> Amos
>
>> Em 13/08/2013 11:24, Michael Graham escreveu:
>>> On Tue, 2013-08-13 at 11:12 -0300, Oliveiros Peixoto (Netinho) wrote:
>>>> I need get ip address of user in my own auth basic script. Exist some
>>>> method to pass that can i get the ip?
>>>> My auth basic getting the username and password and check in mysql
>>>> table, if ok, he will write in other table the username and ip address
>>>> of user. How can work with this?
>>> You probably want to have a read of
>>>
>>> http://wiki.squid-cache.org/Features/AddonHelpers
>>>
>>> and
>>>
>>> http://www.squid-cache.org/Doc/config/external_acl_type/
>>>
>>> You basically want to add the following to the squid.conf
>>>
>>> external_acl_type <name> %LOGIN %SRC <your script>
>>>
>>> Your script will then receive the source ip and username on standard
>>> in.
>>> You can then reply ERR or OK on standard out.
>>>
>>> Cheers,
Received on Fri Aug 16 2013 - 18:02:43 MDT
This archive was generated by hypermail 2.2.0 : Mon Aug 19 2013 - 12:00:25 MDT