Proxy authentication with external programs (ALPHA)
---------------------------------------------------

NOTE: this is ALPHA code, it is unfinished and not very well tested.

Patch relative to Squid 1.1.20:

        http://www.iae.nl/users/devet/squid/proxy_auth/proxy_auth.new

This is a further generalization of my proxy authentication code for Squid.
The authentication is moved into external 'authenticator' programs which are
allowed to block on e.g. remote lookups. The authenticate.c file is a
reworked version of the redirect.c file.

Uncomment -DUSE_PROXY_AUTH in src/Makefile before compiling. A good setting
for debug_options is "ALL,1 28,9 33,5 44,5".

New squid.conf settings:

    acl password proxy_auth [timeout]
    authenticator_program /home/squid/bin/authenticate
    authenticator_children 5

An authenticator program should behave as such:

Input:

        username cleartextpassword

Output:

        OK		(in case the password was OK)
        ERR		(in case the password was NOT OK)

Example for testing:

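    #!/usr/bin/perl
    # Test authenticator: reads "username cleartextpassword" lines on stdin
    # and answers OK or ERR on stdout, one reply per request line.

    # Log every request line; note that this includes the cleartext password.
    open(L, ">>/tmp/authenticate.log") || die "$!";
    select(L); $| = 1;          # unbuffered log
    select(STDOUT); $| = 1;     # unbuffered replies
    while (<>) {
            print L;
            chomp;              # strip the trailing newline only
            ($user, $passwd) = split;
            if ($user eq "devet" && $passwd eq "test234") {
                    print "OK\n";
            } else {
                    print "ERR\n";
            }
    }
    exit(0);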

A correct username/cleartextpassword is cached within Squid until
reconfigure, shutdown (of course :-), a failed proxy-authentication or
the timeout period.

TODO:

- Fix possible bugs.
- Test and clean up the code.
- Make example authenticator programs like ncsa_auth, radius_auth,
  ldap_auth, pam_auth, etc.
Arjan

-- 
Arjan de Vet, Eindhoven, The Netherlands <Arjan.deVet@adv.IAEhv.nl>
URL: http://www.IAEhv.nl/users/devet/ for PGP key: finger devet@IAEhv.nl

Received on Sun Feb 08 1998 - 15:23:43 MST
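
A helper for the same line protocol that verifies against salted PBKDF2 hashes instead of a hard-coded cleartext pair and never writes the password to a log. This is an added example, not part of the original post or the patch; the USERS store, its sample credentials, the work factor, and the choice to split on the first space only (so a password may contain spaces) are assumptions.

```python
#!/usr/bin/env python3
"""Authenticator helper for the 'username cleartextpassword' -> OK/ERR protocol."""
import hashlib
import hmac
import sys

ITERATIONS = 100_000  # assumption: PBKDF2-HMAC-SHA256 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample store: user -> (salt, derived key). A deployed helper
# would load this from a file readable only by the account running Squid.
USERS = {
    "alice": (b"constructed-salt", hash_password("correct horse", b"constructed-salt")),
}
# Dummy record so an unknown user costs the same hashing work as a known one.
DUMMY = (b"dummy-salt", hash_password("dummy", b"dummy-salt"))


def check_line(line: str) -> str:
    """Return 'OK' or 'ERR' for one request line; malformed input is 'ERR'."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return "ERR"
    user, password = parts
    salt, expected = USERS.get(user, DUMMY)
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return "OK" if matches and user in USERS else "ERR"


def serve(inp=sys.stdin, out=sys.stdout) -> None:
    """Answer exactly one line per request and flush, so the caller never stalls."""
    for line in inp:
        try:
            reply = check_line(line)
        except Exception:
            reply = "ERR"  # fail closed, but always reply
        out.write(reply + "\n")
        out.flush()


if __name__ == "__main__":
    serve()
```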