RE: [Sheflug] Squid Web Cache
I got the scripts in place, and have altered the squid.conf file to have
the correct path in authenticate_program.
I created a squiduser file in /etc
that looks like
    username:password:m
That bit seems OK, as I can go perl /usr/sbin/squidauth,
then enter username password, and I get OK or ERR depending on whether the
password was correct or not.
In the squid.conf I put an acl
    acl test proxy_auth REQUIRED
and a bit further down
    http_access test allow
Now when I fire up a browser I get a box asking for a username and password
-- BUT whatever I type in the boxes I get an access denied.
Any thoughts?
-----Original Message-----
From: David Morris
To: sheflug [at] vuw.ac.nz
Sent: 8/3/2001 3:03 PM
Subject: RE: [Sheflug] Squid Web Cache
(second time of sending - I posted it to .uk instead of .nz - it's the
fastest I've ever known Plusnet's smarthost get back!)
Ok, here's the DM-patent solution for cheap and cheerful squid
authentication.
...and before anyone moans about the PERL, I'm a structured programming
freak, OK?!?!?!
Firstly... put this line in squid.conf:
    authenticate_program /usr/sbin/squidauth
...it's usually commented out but in there somewhere
and this is /usr/sbin/squidauth
    #!/usr/bin/perl
    # squid proxy server authentication
    # accepts a user name and clear text password on STDIN,
    # validates against /etc/squiduser and returns either
    # OK or ERR depending on the match
    ($user,$password) = split(' ', <STDIN>);
    unless (open(SQUIDUSER, '/etc/squiduser')) {
        print "ERR\n"; exit;
    }
    # work out the current time. We can lock users out at authentication
    # depending on status / time
    # 'w' are locked out between 20:00 and 07:00
    # 'o' are permitted any time
    # 'm' are supervisor users permitted any time
    # The 'm' supervisor users can set up and withdraw other users. The
    # same file is used to authenticate for maintenance purposes
    #
    ($sec,$min,$hour) = localtime;
    $authentic = "";
    &authenticate;
    if ($authentic eq "") {
        print "ERR\n";
    } elsif (($authentic eq "m") || ($authentic eq "o")) {
        print "OK\n";
    } elsif ($authentic eq "w") {
        if (($hour >= 20) || ($hour < 7)) {
            print "ERR\n";
        } else {
            print "OK\n";
        }
    } else {
        # unrecognised user class: always answer, and refuse
        print "ERR\n";
    }
    # scan /etc/squiduser for a matching user:password pair and
    # record that user's class in $authentic
    sub authenticate {
        while (<SQUIDUSER>) {
            chomp;
            ($testuser,$testpass,$usertype) = split(/:/);
            if (($testuser eq $user) && ($testpass eq $password)) {
                $authentic = $usertype;
                return;
            }
        }
    }
Finally, you'll need a /etc/squiduser file. If you haven't spotted already,
it's a plain text file with one user per line, colon delimited. The first
field is username, the second field is password (unencrypted - sorry!), and
in our implementation, the third field is user class. Obviously, you can
set up the user classes to do whatever you want. Just extend the 'elsif'
construct above. I've also got a PHP script that allows maintenance of this
file from a browser. It's simple - it slurps the whole thing in, edits it
and regurgitates the complete file again. It would be very inefficient for
many users, but for the couple of hundred or so I have, it's no problem.
Let me know how you get on.
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.
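
An added example, not part of either post: a Squid basic-auth helper for the same three-field /etc/squiduser file, with the clear-text password field replaced by a salted PBKDF2 hash. It stays running and answers one line per request, as Squid expects of an authenticate_program helper. The "salthex$hashhex" field layout, the function names and the iteration count are assumptions made for this sketch.

```python
#!/usr/bin/env python3
import hashlib, hmac, os, sys
from datetime import datetime
from urllib.parse import unquote

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune for your hardware

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def make_entry(user, password, user_class):
    """Build one file line: user:salthex$hashhex:class (assumed layout)."""
    salt = os.urandom(16)
    return f"{user}:{salt.hex()}${hash_password(password, salt)}:{user_class}"

def load_users(lines):
    users = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) == 3 and "$" in parts[1]:
            salt_hex, digest = parts[1].split("$", 1)
            users[parts[0]] = (bytes.fromhex(salt_hex), digest, parts[2])
    return users

def check(request_line, users, hour):
    """Return OK or ERR for one 'username password' line from Squid."""
    fields = request_line.split()
    if len(fields) != 2:
        return "ERR"
    user, password = (unquote(f) for f in fields)  # current Squid URL-encodes both
    salt, digest, user_class = users.get(user, (bytes(16), "", ""))
    # Hash even for unknown users so timing does not reveal valid names.
    if not hmac.compare_digest(hash_password(password, salt), digest):
        return "ERR"
    if user_class in ("m", "o"):
        return "OK"
    if user_class == "w" and 7 <= hour < 20:  # 'w' locked out 20:00-07:00
        return "OK"
    return "ERR"  # unknown class: fail closed

# Constructed sample entries, not real accounts.
SAMPLE_LINES = [make_entry("alice", "correct horse", "m"),
                make_entry("bob", "s3cret", "w")]

if __name__ == "__main__":
    with open("/etc/squiduser") as fh:
        users = load_users(fh)
    for line in sys.stdin:  # stay alive: one reply per request line
        print(check(line, users, datetime.now().hour), flush=True)
```
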