[squid-users] Writing username= from external_acl helper

From: Michele Bergonzoni <bergonz_at_labs.it>
Date: Wed, 05 Feb 2014 18:42:17 +0100

I am trying to emulate the obsoleted option
authenticate_ip_shortcircuit_ttl using the technique suggested by Amos in:

http://www.squid-cache.org/mail-archive/squid-users/201201/0333.html

but with an important difference: I want to actually set the login name
in the request for subsequent processing (allow/deny and
tcp_outgoing_address selection). I am using squid version 3.2.5, and
tried with 3.4.3 as well.

I am using two external ACL helpers, one used in the very first
http_access statement, and one just after the first auth-requiring
http_access line. I am using redis as a cache.

The first helper has format %SRC and, if found in cache, sets
"user=<username>".

The second has format %SRC %LOGIN %EXT_LOGIN and captures valid
IP/username association, skipping the ones produced by the first script.

The second script works and I can see the cache filling up.

The first script half-works. It works in the sense that the username
gets written in access.log. It doesn't work in the sense that
authentication is actually being asked to the user again, i.e. I have
lines in access.log with TCP_DENIED/407 and the valid (and correct)
username, and from the debug I know that it is the username that I set
into the first helper.

Am I missing something? Maybe setting user= with an external ACL isn't
really a good thing? I tried with helpers returning "OK
username=<url-encoded-username>" as well as "ERR
username=<url-encoded-username>".

Ideas? Is anyone actually using username= in ACL helpers?

I also tried to wrap ntlm_auth, but in the auth_param protocol there is
no IP address to be used as cache key.

Thanks in advance,
                                        Bergonz
Received on Wed Feb 05 2014 - 17:42:25 MST
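
The two-helper arrangement described in the message, sketched as an added example that is not part of the original post and not Squid's own code. Assumptions: an in-memory dictionary stands in for the Redis cache, `TTL_SECONDS` and all function names are hypothetical, and a non-empty %EXT_LOGIN is read as "this name was injected by the first helper".

```python
import sys
import time
from urllib.parse import quote, unquote

TTL_SECONDS = 300  # assumed short-circuit lifetime; not a value from the post

class IpUserCache:
    """In-memory stand-in for the Redis cache mentioned in the post."""
    def __init__(self, ttl=TTL_SECONDS, clock=time.monotonic):
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def put(self, src, user):
        self.entries[src] = (user, self.clock() + self.ttl)

    def get(self, src):
        user, expires = self.entries.get(src, (None, 0.0))
        if user is None or self.clock() >= expires:
            self.entries.pop(src, None)  # expired: real authentication is needed again
            return None
        return user

def record_line(cache, line):
    """Second helper (%SRC %LOGIN %EXT_LOGIN): remember an authenticated pair."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2 or fields[1] == "-":   # "-" means the field was empty
        return "ERR"
    src, login = fields[0], fields[1]
    ext_login = fields[2] if len(fields) > 2 else "-"
    if ext_login == "-":          # assumption: skip names the first helper injected
        cache.put(src, login)
    return "OK"

def lookup_line(cache, line):
    """First helper (%SRC): answer with user= when the address is cached."""
    fields = line.split()
    user = cache.get(unquote(fields[0])) if fields else None
    return "OK user=" + quote(user, safe="") if user else "ERR"

def serve(handler, cache, stdin=sys.stdin, stdout=sys.stdout):
    """Helper loop: one request line in, one reply line out."""
    for line in stdin:
        stdout.write(handler(cache, line) + "\n")
        stdout.flush()            # Squid waits for each reply before continuing
```

Each helper process would call `serve()` with its own handler; the expiry check in `get()` is what bounds how long a source address can stand in for a completed login.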
