
RE: [Sheflug] Squid Web Cache



 
I got the scripts in place, and have altered the squid.conf file to have
the correct path in authenticate_program

I created a squiduser file in /etc

that looks like 

username:password:m

That bit seems OK as I can go perl /usr/sbin/squidauth
then enter username password and I get OK or ERR depending on whether the
password was correct or not.

In the squid.conf I put an acl

acl test proxy_auth REQUIRED

 and a bit further down

http_access test allow


Now when I fire up a browser I get a box asking for a username and password
-- BUT whatever I type in the boxes I get an access denied

Any thoughts?

-----Original Message-----
From: David Morris
To: sheflug [at] vuw.ac.nz
Sent: 8/3/2001 3:03 PM
Subject: RE: [Sheflug] Squid Web Cache

(second time of sending - I posted it to .uk instead of .nz - it's the
fastest I've ever known Plusnet's smarthost get back!)

Ok, here's the DM-patent solution for cheap and cheerful squid
authentication.

.and before anyone moans about the PERL, I'm a structured programming
freak, OK?!?!?!

Firstly... put this line in squid.conf:

authenticate_program /usr/sbin/squidauth

.it's usually commented out but in there somewhere

and this is /usr/sbin/squidauth

#!/usr/bin/perl

# squid proxy server authentication
# accepts a user name and clear text password on STDIN,
# validates against /etc/squiduser and returns either
# OK or ERR depending on the match

# squid keeps this program running and sends one "user password" line
# per request, so answer every line in turn and do not buffer replies
$| = 1;

while (<STDIN>) {

        ($user,$password) = split(' ', $_);

        unless (open(SQUIDUSER, '/etc/squiduser')) {
                print "ERR\n"; next;
        }

        # work out the current time. We can lock users out at authentication
        # depending on status / time
        # 'w' are locked out between 20:00 and 07:00
        # 'o' are permitted any time
        # 'm' are supervisor users permitted any time
        # The 'm' supervisor users can set up and withdraw other users. The
        # same file is used to authenticate for maintenance purposes
        #

        ($sec,$min,$hour) = localtime;

        $authentic = "";
        &authenticate;
        close(SQUIDUSER);

        if ($authentic eq "") {
                print "ERR\n";
        } elsif (($authentic eq "m") || ($authentic eq "o")) {
                print "OK\n";
        } elsif ($authentic eq "w") {
                if (($hour >= 20) || ($hour < 7)) {
                        print "ERR\n";
                } else {
                        print "OK\n";
                }
        } else {
                # unknown user class: refuse, so squid always gets a reply
                print "ERR\n";
        }
}

# scan /etc/squiduser for a line matching $user and $password and
# leave that line's user class in $authentic
sub authenticate {
        while (<SQUIDUSER>) {
                chomp;
                ($testuser,$testpass,$usertype) = split(/:/);
                if (($testuser eq $user) && ($testpass eq $password)) {
                        $authentic = $usertype;
                        return;
                }
        }
}



Finally, you'll need a /etc/squiduser file. If you haven't spotted already,
it's a plain text file with one user per line, colon delimited. The first
field is username, the second field is password (unencrypted - sorry!), and
in our implementation, the third field is user class.  Obviously, you can
set up the user classes to do whatever you want. Just extend the 'elsif'
construct above. I've also got a PHP script that allows maintenance of this
file from a browser. It's simple - it slurps the whole thing in, edits it
and regurgitates the complete file again. It would be very inefficient for
many users, but for the couple of hundred or so I have, it's no problem.

Let me know how you get on.



---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
 "unsubscribe" in the body of the message.

  GNU the choice of a complete generation.
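
A variant of the helper discussed in this thread, added here as an example and not part of either poster's message. It is written in Python rather than the thread's Perl, stores a salted PBKDF2 hash in place of the clear-text password, compares in constant time, and answers ERR for anything it does not recognise. The four-field layout user:salt_hex:hash_hex:class, the iteration count and all function names are assumptions of this example.

```python
import hashlib
import hmac
import sys
from datetime import datetime

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def hash_password(password, salt):
    """Derive the stored hash (hex) from a password and its per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def make_entry(user, password, user_class, salt):
    """Build one user-file line: user:salt_hex:hash_hex:class (assumed layout)."""
    return f"{user}:{salt.hex()}:{hash_password(password, salt)}:{user_class}"


def check(line, entries, hour):
    """Answer one 'username password' request line with OK or ERR."""
    parts = line.split()
    if len(parts) != 2:
        return "ERR"
    user, password = parts
    user_class = None
    for entry in entries:
        fields = entry.strip().split(":")
        if len(fields) != 4 or fields[0] != user:
            continue
        candidate = hash_password(password, bytes.fromhex(fields[1]))
        if hmac.compare_digest(candidate, fields[2]):  # constant-time compare
            user_class = fields[3]
        break
    if user_class in ("m", "o"):  # permitted at any time
        return "OK"
    if user_class == "w":  # locked out between 20:00 and 07:00
        return "OK" if 7 <= hour < 20 else "ERR"
    return "ERR"  # no match, or a class this helper does not know


def main(user_file="/etc/squiduser"):
    # One reply per request line, flushed at once, until stdin closes.
    for line in sys.stdin:
        try:
            with open(user_file) as fh:
                answer = check(line, fh.readlines(), datetime.now().hour)
        except (OSError, ValueError):  # unreadable file or bad salt: fail closed
            answer = "ERR"
        print(answer, flush=True)


if __name__ == "__main__":
    main()
```

Lines for the user file can be produced with make_entry() and a fresh os.urandom(16) salt per user, so the file no longer holds a usable password.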


