On Sun, 6 Feb 2005, Kinkie wrote:
>> The login=*:password cache_peer option comes in handy for implementing
>> this kind of scheme.
>
> Sure, but it requires a custom authenticator, or at least some kind of
> wrapper, which is certainly doable but not easy (might it be interesting
> to add something of the sort to the default package, maybe?). Also, it
> probably requires extra care when two simultaneous auth-schemes are
> involved.

The login=... cache_peer option only specified basic authentication.
Implementing the custom authenticator wrapper is easy. Here is a shell
example acting as a wrapper around any other basic authenticator to allow
the Squid to be used both by normal clients and other caches.
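
#!/bin/sh
# Usage: script secretpassword helper [helper arguments ...]
if [ $# -lt 2 ]; then
    echo "Usage: $0 secretpassword helper ..."
    exit 1
fi
secret="$1"
shift
# Keep a copy of our stdout (the pipe back to Squid) on fd 4, so the loop
# can answer Squid directly while its own stdout feeds the real helper.
exec 4>&1
# -r keeps backslashes in the request line intact.
while read -r user password; do
    if [ "$password" = "$secret" ]; then
        # Shared peer password: answer OK without asking the real helper.
        echo OK >&4
    else
        # Anything else goes to the real helper, which replies on stdout.
        printf '%s %s\n' "$user" "$password"
    fi
done | "$@"
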
Designed to be used as

    auth_param basic program /path/to/script topsecretpassword normal_helper_with_arguments

Numerous other variants are possible.

Note: If the selected secret shared password for squid->squid
communication contains odd characters these must be URL-encoded in the
helper specification.
Regards
Henrik
Received on Sun Feb 13 2005 - 04:59:25 MST
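
Added example, not part of the original post and not Squid's own code: one of the possible variants, which decodes the %XX escapes in the received password field before comparing, so the shared secret can be given to the script unencoded. The function names `urldecode` and `is_peer_login` are hypothetical, the sample lines are constructed, and it assumes the helper receives "user password" lines with odd characters URL-encoded, as the note above implies.

```sh
#!/bin/sh
# Added example: compare the decoded password field with the raw secret.

# urldecode STRING: print STRING with every %XX escape replaced by its byte.
# Malformed escapes (e.g. "%zz") are copied through unchanged.
# Limitation: a decoded NUL or trailing newline is dropped by the shell.
urldecode() {
    in=$1
    out=
    while [ -n "$in" ]; do
        case $in in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${in#%}
                hex=${hex%"${hex#??}"}      # keep the first two hex digits
                out=$out$(printf '%b' "\\0$(printf '%o' "0x$hex")")
                in=${in#%??}
                ;;
            *)
                out=$out${in%"${in#?}"}     # copy one literal character
                in=${in#?}
                ;;
        esac
    done
    printf '%s\n' "$out"
}

# is_peer_login SECRET LINE: succeed when the password field of a
# "user password" request line decodes to SECRET.
is_peer_login() {
    [ -n "$1" ] || return 1                 # never accept an empty secret
    case $2 in
        *' '*) [ "$(urldecode "${2#* }")" = "$1" ] ;;
        *)     return 1 ;;                  # no password field at all
    esac
}

# Constructed sample request lines (not captured from a real Squid).
for line in 'peer1 p@ss%20word%231' 'alice p@ss%20word' 'bob'; do
    if is_peer_login 'p@ss word#1' "$line"; then
        echo "peer:   $line"
    else
        echo "helper: $line"
    fi
done
```

In the wrapper above, this would replace the `[ "$password" = "$secret" ]` test with `is_peer_login "$secret" "$user $password"`.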