[squid-users] i hope to build web Authentication portal at Tproxy environment recenty , can you give me some advisement .
steve at opendium.com
Wed Mar 11 10:54:22 UTC 2015
On 11.03.15 10:22, johnzeng wrote:
> whether php or jquery need send user ip address to squid ? otherwise i
> worried whether squid can confirm user info
> and how to identify and controll http traffic ?
I'd do this with an external ACL - when processing a request, Squid
would call the external ACL which would do:
1. If the user is not authenticated or their "last seen" timestamp has
expired, return "ERR"
2. If the user is authenticated, update their "last seen" timestamp and
Obviously if the ACL returns ERR, Squid needs to redirect the user to
the authentication page. If the ACL returns OK, Squid needs to service
the request as normal.
The authentication page would update the database which the external ACL
Identifying the user's traffic would need to be done by MAC address or IP:
- MAC address requires a flat network with no routers between the
device and Squid.
- IP has (probably) unfixable problems in a dual-stacked network.
1. Access to the authentication page must be allowed for unauthenticated
users (obviously :)
2. Authentication should really be done over HTTPS with a trusted
3. Clients require access to some external servers to validate HTTPS
certs before they have authenticated.
4. If you want to support WISPr then (2) and (3) are mandatory.
5. External ACL caching
You might be able to do it with internal ACLs, but... pain :)
- Steve Hill
Opendium Limited http://www.opendium.com
Instant messager: xmpp:steve at opendium.com
Email: steve at opendium.com
Phone: sip:steve at opendium.com
Sales / enquiries contacts:
Email: sales at opendium.com
Phone: +44-1792-824568 / sip:sales at opendium.com
Email: support at opendium.com
Phone: +44-1792-825748 / sip:support at opendium.com
More information about the squid-users