RE: [Sheflug] Squid Web Cache
(second time of sending - I posted it to .uk instead of .nz - it's the
fastest I've ever known Plusnet's smarthost get back!)
Ok, here's the DM-patent solution for cheap and cheerful squid
authentication.
..and before anyone moans about the PERL, I'm a structured programming
freak, OK?!?!?!
Firstly... put this line in squid.conf:
authenticate_program /usr/sbin/squidauth
..it's usually commented out but in there somewhere
and this is /usr/sbin/squidauth
#!/usr/bin/perl
# squid proxy server authentication
# accepts a user name and clear text password on STDIN,
# validates against /etc/squiduser and returns either
# OK or ERR depending on the match

($user,$password) = split(' ', <STDIN>);

unless (open(SQUIDUSER, '/etc/squiduser')) {
    print "ERR\n"; exit;
}

# work out the current time. We can lock users out at authentication
# depending on status / time
# 'w' are locked out between 20:00 and 07:00
# 'o' are permitted any time
# 'm' are supervisor users permitted any time
# The 'm' supervisor users can set up and withdraw other users. The
# same file is used to authenticate for maintenance purposes
#
($sec,$min,$hour) = localtime;

$authentic = "";
&authenticate;

if ($authentic eq "") {
    print "ERR\n";
} elsif (($authentic eq "m") || ($authentic eq "o")) {
    print "OK\n";
} elsif ($authentic eq "w") {
    if (($hour >= 20) || ($hour < 7)) {
        print "ERR\n";
    } else {
        print "OK\n";
    }
}

sub authenticate {
    while (<SQUIDUSER>) {
        chomp;
        ($testuser,$testpass,$usertype) = split(/:/);
        if (($testuser eq $user) && ($testpass eq $password)) {
            $authentic = $usertype;
            return;
        }
    }
}
Finally, you'll need a /etc/squiduser file. If you haven't spotted already,
it's a plain text file with one user per line, colon delimited. The first
field is username, the second field is password (unencrypted - sorry!), and
in our implementation, the third field is user class. Obviously, you can
set up the user classes to do whatever you want. Just extend the 'elsif'
construct above. I've also got a PHP script that allows maintenance of this
file from a browser. It's simple - it slurps the whole thing in, edits it
and regurgitates the complete file again. It would be very inefficient for
many users, but for the couple of hundred or so I have, it's no problem.
Let me know how you get on.
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.
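
Added example (not part of the original post, and written in Python rather than the post's Perl): a helper with the same 'm'/'o'/'w' classes that stores a salted PBKDF2 digest instead of the clear-text password and compares it in constant time. The `user:salt_hex:digest_hex:class` file layout and the iteration count are assumptions made for this sketch, as is the expectation that Squid URL-escapes both fields and keeps the helper running for many requests.

```python
import hashlib
import hmac
import sys
from datetime import datetime
from urllib.parse import unquote

ITERATIONS = 200_000  # assumed PBKDF2 work factor
def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 digest stored in place of the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def parse_users(lines):
    """Parse 'user:salt_hex:digest_hex:class' records (assumed layout)."""
    users = {}
    for line in lines:
        try:
            user, salt, digest, usertype = line.strip().split(":")
            users[user] = (bytes.fromhex(salt), digest, usertype)
        except ValueError:
            continue  # wrong field count or bad hex: skip the record
    return users

def check(request, users, hour):
    """Return 'OK' or 'ERR' for one 'user password' request line."""
    fields = request.split()
    if len(fields) != 2:
        return "ERR"
    user, password = (unquote(f) for f in fields)
    salt, stored, usertype = users.get(user, (b"", "", ""))
    # Hash even for unknown users so both paths cost about the same.
    candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate.encode(), stored.encode()):
        return "ERR"
    if usertype == "w" and (hour >= 20 or hour < 7):
        return "ERR"  # 'w' users are locked out between 20:00 and 07:00
    return "OK" if usertype in ("m", "o", "w") else "ERR"

def main(path="/etc/squiduser"):
    # One flushed reply per request line; the file is re-read each time.
    for request in sys.stdin:
        try:
            with open(path) as f:
                users = parse_users(f)
        except OSError:
            users = {}  # unreadable file: every request gets ERR
        print(check(request, users, datetime.now().hour), flush=True)

if __name__ == "__main__":
    main()
```

Records for the file can be produced with `hash_password()` and a random salt such as `os.urandom(16)`.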