[squid-users] I hope to build web Authentication portal at Tproxy environment recently, can you give me some advisement.
johnzeng
johnzeng2013 at yahoo.com
Wed Mar 11 13:11:42 UTC 2015
Hello Steve:
Thanks for your clear detail and advisement.
John
> On 11.03.15 10:22, johnzeng wrote:
>
>> Does PHP or jQuery need to send the user's IP address to Squid? Otherwise I
>> am worried about whether Squid can confirm the user info.
>>
>> And how do I identify and control HTTP traffic?
>
> I'd do this with an external ACL - when processing a request, Squid
> would call the external ACL which would do:
>
> 1. If the user is not authenticated or their "last seen" timestamp has
> expired, return "ERR"
> 2. If the user is authenticated, update their "last seen" timestamp
> and return OK.
>
> Obviously if the ACL returns ERR, Squid needs to redirect the user to
> the authentication page. If the ACL returns OK, Squid needs to
> service the request as normal.
>
> The authentication page would update the database which the external
> ACL refers to.
>
> Identifying the user's traffic would need to be done by MAC address or
> IP:
> - MAC address requires a flat network with no routers between the
> device and Squid.
> - IP has (probably) unfixable problems in a dual-stacked network.
>
> Beware that:
> 1. Access to the authentication page must be allowed for
> unauthenticated users (obviously :)
> 2. Authentication should really be done over HTTPS with a trusted
> certificate.
> 3. Clients require access to some external servers to validate HTTPS
> certs before they have authenticated.
> 4. If you want to support WISPr then (2) and (3) are mandatory.
> 5. External ACL caching
>
> You might be able to do it with internal ACLs, but... pain :)
>
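
The external ACL check described in the quoted reply, as an added example that is not code from this thread or from the Squid project. It assumes a SQLite table `sessions` shared with the authentication page, a hypothetical database path, a 15-minute idle timeout, and a helper that receives only the client IP (`%SRC`) per line with no concurrency channels.

```python
#!/usr/bin/env python3
# Squid external ACL helper: idle-timeout session check keyed on client IP.
# Assumed wiring: the helper receives one %SRC token per line and runs
# without concurrency channels; table layout and paths are hypothetical.
import sqlite3
import sys
import time

DB_PATH = "/var/lib/portal/sessions.db"  # hypothetical path shared with the portal
IDLE_TIMEOUT = 900                       # seconds of inactivity allowed (assumed)


def open_db(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS sessions ("
               "client TEXT PRIMARY KEY, last_seen REAL NOT NULL)")
    return db


def login(db, client, now=None):
    """What the authentication page does after a successful login."""
    now = time.time() if now is None else now
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?)", (client, now))
    db.commit()


def check(db, client, now=None):
    """Return 'OK' and refresh last_seen for a live session, else 'ERR'."""
    now = time.time() if now is None else now
    # One conditional UPDATE: only a row that exists and has not expired
    # is refreshed, so an expired session is never revived by new traffic.
    cur = db.execute(
        "UPDATE sessions SET last_seen = ? WHERE client = ? AND last_seen >= ?",
        (now, client, now - IDLE_TIMEOUT))
    db.commit()
    return "OK" if cur.rowcount == 1 else "ERR"


def main():
    db = open_db(DB_PATH)
    for line in sys.stdin:
        fields = line.split()
        # Fail closed: anything other than exactly one token is denied.
        reply = check(db, fields[0]) if len(fields) == 1 else "ERR"
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()  # Squid waits for each answer line


if __name__ == "__main__":
    main()
```

Squid caches helper answers according to the `ttl=` and `negative_ttl=` options of `external_acl_type`, so those need to be well below the idle timeout or a fresh login keeps seeing a cached ERR and `last_seen` is refreshed too rarely.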