Re: [squid-users] 2 squid on the same server

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 01 May 2011 14:44:52 +1200

On 01/05/11 05:00, J. Webster wrote:
>
>> Ah, that tutorial is about writing an authentication helper (ie
>> ncsa_auth). Not an ACL helper.
>>
>> The difference being that external_acl_type ACL helpers auth*orize* the
>> request permission to do something in Squid because it matches an IP
>> used by some username.
>>
>> auth_param helpers auth*enticate* some security username:passtoken
>> credentials. They do not assign any permissions, just state whether the
>> credentials are valid/invalid.
>>
>>
>> The script I was suggesting takes only the IP and produces the username
>> for logging. You need some database, or AD login etc mapping which users
>> have been assigned which IP. The script uses that source to find the
>> username in the background and present it to Squid via "OK
>> user=$username" or "ERR" results.
>>
>>
>> The squid.conf looks something like:
>>
>> external_acl_type IPUser %SRC /path/to/script
>>
>> auth_param basic program /path/to/ncsa_auth
>>
>> # VPN subnet intercepted with NAT
>> acl ipuser external IPUser
>> acl vpn_subnet src 192.168.1.0/24
>> http_access allow vpn_subnet ipuser
>>
>> # regular subnet who can login
>> acl logIn proxy_auth REQUIRED
>> acl other_subnet src 192.168.2.0/24
>> http_access allow other_subnet logIn
>>
>> # strange machines we don't know.
>> http_access deny all
>>
> Right...sorry, can I leave the VPN out for the moment because I'm confusing myself with the setup.
> So, the current setup uses ncsa_auth. I need to add a secondary authentication mechanism, which checks the external IP address but does not require a username or password.
> From what we've said I cannot add 2 mechanisms so I need to pass the auth to a script that can check the IP address. If the IP address does not equal 200.212.34.45 then I need to pass the script a username and password pair, which it can check against the existing ncsa_auth squid_passwd file.
> User accesses proxy: if IP=200.212.34.45 OK, else if username:password is in the squid_passwd file OK, else ERR.
> Do I even need a script for that or can I simply add acl other_subnet src 200.212.34.45 to the existing conf?

That was what this bit of squid.conf does:
   http_access allow other_subnet logIn

ie.
If IP is in 'other_subnet' {
   if auth is OK then ALLOW
   else skip to next line
}

(logIn only challenges and fetches auth if it is tested, it is only
tested when the IP is in 'other_subnet').

>
> Current conf:
> auth_param basic realm MySquid proxy server
> auth_param basic credentialsttl 2 hours
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> authenticate_cache_garbage_interval 1 hour
> authenticate_ip_ttl 2 hours
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 1863 # MSN messenger
> acl ncsa_users proxy_auth REQUIRED
> acl maxuser max_user_ip -s 2
> acl CONNECT method CONNECT
> http_access deny manager
> http_access allow ncsa_users

Remove ncsa_users from here...

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost

Add it back in here with the subnet ACL as I demoed earlier (adjusted
for your actual subnet of course).

NP: you should not notice any difference in proxy behaviour from the
current config with just this change. It is just shuffling prep for the
other change.

> http_access deny maxuser
> http_access allow localhost
> http_access deny all
> icp_access allow all
> http_port 8080
> http_port xx.xxx.xxx.198:80
> hierarchy_stoplist cgi-bin ?
> cache_mem 100 MB
> maximum_object_size_in_memory 50 KB
> cache_replacement_policy heap LFUDA
> cache_dir aufs /var/spool/squid 40000 16 256
> #cache_dir null /null
> maximum_object_size 50 MB
> cache_swap_low 90
> cache_swap_high 95
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> cache_store_log none
> buffered_logs on
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> half_closed_clients off
> visible_hostname MySquidProxyServer
> log_icp_queries off
> dns_nameservers 208.67.222.222 208.67.220.220
> hosts_file /etc/hosts
> memory_pools off
> forwarded_for off
> client_db off
> coredump_dir /var/spool/squid
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 125000/125000
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
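The http_access section of the quoted config, rearranged the way the reply above describes. This is an added example, not a config from the thread or from the Squid project: the ACL names and the helper path for the existing Basic auth are those in the quoted squid.conf, 200.212.34.45 is the address the poster named, and `IPUser`, `ipuser`, `noauth_host`, the helper path `/usr/local/bin/ip_user.py` and the `ttl=` value are assumptions. The ordering matters because http_access is first-match: in the original, `http_access allow ncsa_users` sat above `deny !Safe_ports` and `deny CONNECT !SSL_ports`, so any authenticated user was never subjected to those port restrictions.

```conf
# Added example (not from the thread). Helper that maps %SRC to a username
# for logging; it answers "OK user=<name>" or "ERR" (path is an assumption).
external_acl_type IPUser ttl=300 %SRC /usr/local/bin/ip_user.py
acl ipuser external IPUser

# The one address that is allowed without credentials (from the poster).
acl noauth_host src 200.212.34.45/32

# Existing Basic auth ACLs from the quoted config.
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2

http_access deny manager

# Port restrictions come first, so being authenticated does not bypass them.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

# The fixed host passes on its IP alone; 'ipuser' is only consulted for
# that address and exists to put a username into access.log.
http_access allow noauth_host ipuser

# Everyone else must present valid credentials. The max_user_ip deny is
# placed before the allow: after 'allow ncsa_users' it could never be
# reached for an authenticated user, which is where it sat in the original.
http_access deny maxuser
http_access allow ncsa_users

http_access allow localhost
http_access deny all
```

With this layout the Basic challenge is only sent to clients that fall through to the `allow ncsa_users` line, so 200.212.34.45 never sees a 407; if the helper answers ERR for it (for example the mapping source is down) that line does not match and the host falls through to the credential check rather than being silently allowed.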
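The "OK user=$username" / "ERR" helper that the reply describes, written out as an added example; it is not code from the thread or from Squid. Squid starts a pool of these helpers, writes one request per line to their stdin (with a `%SRC` format that is just the client IP) and expects one reply line per request. The IP-to-username table is constructed for the example and the usernames are invented; a real helper would look the address up in the VPN, database or AD session source the reply mentions.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): a minimal Squid external_acl_type
helper that maps the client address (%SRC) to a username for logging.

Reply protocol: "OK user=<name>" when the address is known, "ERR" otherwise.
"""
import ipaddress
import sys

# Constructed sample mapping (assumption). 200.212.34.45 is the address
# named in the thread; the usernames are invented.
IP_TO_USER = {
    "200.212.34.45": "office-gw",
    "192.168.1.10": "alice",
}


def lookup_user(ip_text, table=IP_TO_USER):
    """Return the username for a client address, or None if unknown.

    The address is parsed first so that junk input never reaches the table
    and IPv6 addresses are compared in their canonical form.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return table.get(str(ip))


def handle_line(line, table=IP_TO_USER):
    """Turn one request line from Squid into the reply line (no newline).

    With the format "%SRC" Squid sends only the client IP; if more format
    fields were configured they follow, space-separated, so only the first
    token is used. Anything unparseable gets ERR rather than an exception,
    because a crashed helper leaves Squid without an answer.
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"
    user = lookup_user(fields[0], table)
    if user is None:
        return "ERR"
    # Usernames are assumed to be plain tokens; a name containing spaces
    # or '%' would need URL-encoding before being handed back to Squid.
    return "OK user=" + user


def main():
    # One reply per request line, flushed immediately: Squid holds the
    # request until the reply arrives, so buffered output would stall it.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The helper is wired in with `external_acl_type IPUser %SRC /path/to/ip_user.py` and `acl ipuser external IPUser` as in the reply. It does not implement the `concurrency=` channel-id prefix, so leave that option at its default; every reply must also be flushed, since a helper that buffers stdout blocks the requests waiting on it.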
Received on Sun May 01 2011 - 02:44:59 MDT
