[squid-users] Subject: Re: authentication of every GET request from part of URL?

Sreenath BH bhsreenath at gmail.com
Sun Nov 8 13:34:30 UTC 2015


Hi,
The application has already been designed and implemented and I have
moved to this project recently. Hence redesigning the application now
is unlikely.
Also, the video player applications (the ones we have) do not send
headers for authentication. They assume unauthenticated data is being
sent.

Is there a way for me to invoke some custom code for every request
that Squid receives? That script would do the following:

1. Extract part of the URL (the token) and look up in a database to see
if it is valid.
    If valid, proceed to lookup cached object, otherwise go to
back-end fetch, etc.
2. If the token is not found in database, return with an error, so
that Squid can send back a not found type (some HTTP error) of
response.

thanks,
Sreenath


On 7/11/2015 1:33 a.m., Sreenath BH wrote:
> Hi
> I am very new to Squid, and think I have a strange requirement.
> We want to serve cached content only if the client has been
> authenticated before.
> Since we don't expect the client software to send any information in
> headers, we embed a token in the URL that we present to the user.
>

Um, you know how sending username and password in plain-text Basic auth
headers is supposed to be the worst form of security around?

It's not quite. Sending credentials in the URL is worse. Even if it's
just an encoded token.

Why are you avoiding actual HTTP authentication?

Why be so actively hostile to every other cache in existence?


> So when the client s/w uses this URL, we want to extract the token
> from URL and do a small database query to ensure that the token is
> valid.
>
> This is in accelerator mode.
> Is it possible to use something similar to basic_fake_auth and put my
> code there that does some database query?

The "basic_..._auth" parts of that helper's name mean that it performs
HTTP Basic authentication.

The "fake" part means that it does not perform any kind of validation.

All of the text above has been describing how you want to perform
actions which are the direct opposite of everything basic_fake_auth does.

> If the query fails, we don't return the cached content?

What do you want to be delivered instead?

Amos
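
The per-request check described in the numbered steps at the top of this message fits Squid's external ACL helper interface (`external_acl_type`), where a helper program reads one line per request and answers OK or ERR. The sketch below is an added example, not code from this thread or from the Squid project; the `token` query parameter, the SQLite `tokens` table and the token format are assumptions, and it assumes Squid is configured to pass the request URL as the first field of each line.

```python
import re
import sqlite3
import sys
import time
from urllib.parse import urlsplit, parse_qs

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,64}")  # assumed token alphabet and length

def open_db(path=":memory:"):
    """Open the token store (hypothetical schema: token, expires_at)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS tokens "
               "(token TEXT PRIMARY KEY, expires_at REAL)")
    return db

def extract_token(url):
    """Return the single 'token' query value, or None if absent, repeated or malformed."""
    try:
        values = parse_qs(urlsplit(url).query).get("token", [])
    except ValueError:  # unparseable URL
        return None
    if len(values) != 1 or not TOKEN_RE.fullmatch(values[0]):
        return None
    return values[0]

def decide(db, url, now=None):
    """Map one request URL to the helper reply: 'OK' (allow) or 'ERR' (deny)."""
    token = extract_token(url)
    if token is None:
        return "ERR"  # fail closed before touching the database
    now = time.time() if now is None else now
    row = db.execute("SELECT expires_at FROM tokens WHERE token = ?",
                     (token,)).fetchone()
    return "OK" if row and row[0] > now else "ERR"

def serve(db, lines=sys.stdin, out=sys.stdout):
    """Helper loop: one request per input line, one reply per output line."""
    for line in lines:
        fields = line.split()
        out.write((decide(db, fields[0]) if fields else "ERR") + "\n")
        out.flush()  # the proxy waits on each reply, so never buffer

if __name__ == "__main__":
    serve(open_db(sys.argv[1] if len(sys.argv) > 1 else ":memory:"))
```

Because the token travels in the URL, it also ends up in access logs and in any intermediate cache's records, so a short expiry in the token table limits how long a leaked URL stays usable.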

