[squid-users] Authorization in a different way

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 13 16:53:51 UTC 2016


On 14/01/2016 5:35 a.m., Christian Kunkel wrote:
> Hey guys,
> 
> I need a way to authenticate or authorize users to my squid server so
> I can create some kind of a session and drop users after x hours they
> have been using my proxy. The important thing would be to create only one
> session per user. I do not have access to the users' network. They are
> connecting from the internet and they also have NATed IPs. I thought
> about the classic way with HTTP headers but I ran into problems with
> some devices, so that's useless for me. Using the IP address is also
> not possible because it would authorize a lot of people at once if they
> are behind a NAT. That's not what I want. I can only add a proxy
> address and a port to the devices which are connecting. Right now I am
> using a unique port for every user, then redirecting the port to a
> splash screen with a login form. When login is successful it
> triggers an iptables script which redirects that port to squid. But
> that means everyone can actually use that port after someone
> successfully logged in.

Then your iptables script is redirecting wrong. It should only add rules
to redirect a specific src-IP / dst-port pair.

> 
> I am using Squid 3.5.13 on Debian 8.
> 
> Some hints would be awesome. Thanks in advance guys :)
> 

Use the ext_session_acl helper or ext_session_sql_acl helper with "user"
login as the session key / helper format.

If you were using HTTP authentication the key would be %LOGIN. Since you
are not, it will be whatever you are using to identify the "user" within
Squid.

Amos
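
A squid.conf fragment showing the ext_session_acl suggestion above in the helper's active mode. This is an added example, not part of Amos's reply: the %MYPORT key (matching the one-port-per-user setup in the question), the helper and database paths, the 4-hour timeout and the portal.example URLs are all assumptions.

```conf
# Added example; key, paths, timeout and URLs are assumptions, not from the thread.
# Merge these lines into the existing http_access rules, ahead of any general allow.
#
# Session key: %MYPORT (the Squid listening port the request arrived on),
# standing in for "whatever identifies the user" in a one-port-per-user setup.
#   -a  active mode: a session starts only on an explicit LOGIN
#   -t  idle timeout for a session, in seconds (4 hours here)
#   -b  path of the session database
external_acl_type session concurrency=100 ttl=3 negative_ttl=0 %MYPORT /usr/lib/squid3/ext_session_acl -a -t 14400 -b /var/lib/squid/session.db

# Matching this ACL starts a session for the key.
acl session_login external session LOGIN
# Matching this ACL requires an existing, unexpired session for the key.
acl session_active external session

# Hypothetical portal host and the URL its login form sends the browser to
# after a successful login.
acl portal dstdomain portal.example
acl login_ok_url url_regex -i ^http://portal\.example/login-ok$

# A request for the post-login URL starts the session.
http_access allow login_ok_url session_login
# The login page itself must stay reachable without a session.
http_access allow portal
# Everything else needs a live session; otherwise send the client to the login page.
http_access deny !session_active
deny_info http://portal.example/login session_active
```

A key of %MYPORT alone identifies the port, not the client, so any client that reaches that port shares the session. The src-IP / dst-port pairing described for the iptables rules is what narrows access further.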


