[squid-users] i hope to build web Authentication portal at Tproxy environment recenty , can you give me some advisement .

johnzeng johnzeng2013 at yahoo.com
Wed Mar 11 13:11:42 UTC 2015

Hello Steve:

                     Thanks for your clear detail and advisement .


> On 11.03.15 10:22, johnzeng wrote:
>> whether php or jquery need send user ip address to squid ? otherwise i
>> worried whether squid can confirm user info
>> and how to identify and controll http traffic ?
> I'd do this with an external ACL - when processing a request, Squid 
> would call the external ACL which would do:
> 1. If the user is not authenticated or their "last seen" timestamp has 
> expired, return "ERR"
> 2. If the user is authenticated, update their "last seen" timestamp 
> and return OK.
> Obviously if the ACL returns ERR, Squid needs to redirect the user to 
> the authentication page.  If the ACL returns OK, Squid needs to 
> service the request as normal.
> The authentication page would update the database which the external 
> ACL refers to.
> Identifying the user's traffic would need to be done by MAC address or 
> IP:
>  - MAC address requires a flat network with no routers between the 
> device and Squid.
>  - IP has (probably) unfixable problems in a dual-stacked network.
> Beware that:
> 1. Access to the authentication page must be allowed for 
> unauthenticated users (obviously :)
> 2. Authentication should really be done over HTTPS with a trusted 
> certificate.
> 3. Clients require access to some external servers to validate HTTPS 
> certs before they have authenticated.
> 4. If you want to support WISPr then (2) and (3) are mandatory.
> 5. External ACL caching
> You might be able to do it with internal ACLs, but... pain :)

More information about the squid-users mailing list