Re: [squid-users] ACL to match arbitrary reply header, in-memory fast authentication

From: Joshua Brindle <JBrindle@dont-contact.us>
Date: Tue, 05 Aug 2003 01:20:05 -0500

hrm.. spawning 2 external processes per request when thousands
of requests are going through is implausible.. the authentication thing
might be a little far-fetched (and could be done externally if needed
since it would only be spawned if the header was there, although
I don't know how such an external process should work, unless
there was a daemon which stored all the logged in people, anyway) but
spawning an external acl on every single request just to check
for a header is a bit excessive, there must be an easy way to match
an arbitrary header from inside squid.

I've been looking at the existing header matching acls, MIMEtype, referer,
browser, etc and I'm not sure how to do this without adding
headers to enum.h explicitly :(

>>> Robert Collins <robertc@squid-cache.org> 08/04/03 04:11PM >>>
On Tue, 2003-08-05 at 06:34, Joshua Brindle wrote:
> Ok, I'm not sure if this makes sense but I have some special needs
> and can't quite figure out how to implement them.

I'm a little short on time right now, but a few thoughts may help you...

firstly, the latency on an external helper, combined with squid's result
caching is /unlikely/ to be an issue - when compared to typical internet
site RTT.

secondly, forms based authentication has been discussed several times
here. It's a bit of a 'brew-your-own' solution. You can do it without
altering the source: (From memory - look it up in the archives for
previous discussions).. Use a redirector (where you want to trigger
authentication) to redirect the user (remember, you can have squid fetch
the redirected page itself, preventing squid-client latency) to your
webserver with the form logic on it, saving their request (don't forget
to take care of POST data!) while you authenticate them, and then pass
them back to the original site. Make sure that access to that webserver
is also done via squid. Finally, add an external acl that you can pass
whatever cookie or url details you set in the forms authentication, and
it will provide squid with the login details. Lastly, you just use that
acl as normal in your http access rules.

lastly, checking for your X- headers is trivial via a second external
acl.

I suspect you'll find squid-3.0 much easier to accomplish this with.

Cheers,
Rob

-- 
GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.
Received on Tue Aug 05 2003 - 00:20:57 MDT
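
The external ACL helper step described in the quoted reply, as an added example that is not part of the original thread and not Squid's own code. It assumes Squid is configured to pass the login cookie's value as the single token on each request line, that values arrive URL-escaped, and that the login web server issues tokens of the hypothetical form `user|expiry|HMAC`; `SECRET`, `sign` and `check` are illustrative names. Signing the token means the helper needs no daemon holding the list of logged-in users.

```python
import hashlib
import hmac
import sys
import time
from urllib.parse import unquote

SECRET = b"constructed-demo-key"  # assumption: shared with the login web server


def sign(user: str, expires: int) -> str:
    """Token the login form would set as a cookie: user|expiry|HMAC-SHA256."""
    msg = f"{user}|{expires}".encode()
    return f"{user}|{expires}|{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def check(line: str, now=None) -> str:
    """Answer one helper request line with 'OK user=<name>' or 'ERR'."""
    now = time.time() if now is None else now
    token = unquote(line.strip())  # assumption: values arrive URL-escaped
    parts = token.split("|")       # a missing cookie arrives as "-" and fails here
    if len(parts) != 3 or not (parts[1].isascii() and parts[1].isdigit()):
        return "ERR"
    user, expires, mac = parts
    # Restrict the name so it cannot smuggle spaces or key=value pairs into the reply
    if not user or not all(c.isalnum() or c in "._-" for c in user):
        return "ERR"
    expected = sign(user, int(expires)).rsplit("|", 1)[1]
    # Constant-time comparison, and the MAC is checked before the expiry is trusted
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "ERR"
    if int(expires) < now:
        return "ERR"
    return f"OK user={user}"


def main() -> None:
    # One request per line on stdin, one reply per line on stdout, flushed at once
    for line in sys.stdin:
        sys.stdout.write(check(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Squid keeps the helper process running and caches its answers, so the HMAC is computed once per token per cache lifetime rather than once per request.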
