[squid-users] Authorization in a different way

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 13 18:34:39 UTC 2016


On 14/01/2016 6:50 a.m., Christian Kunkel wrote:
> Hey Amos,
> 
> Maybe my English is too bad or maybe I am just not getting it. I can
> not use any kind of IP as authentication or authorization. First of
> all because of NAT and second would be that the IP of a user changes
> regarding his location (mobile network).

The only mention I made of IPs was how your iptables rules need to be
more restrictive to reduce the abuse that is possible.

> 
> My understanding of ext_session_acl is or was that it uses an IP to
> create the session?! So if the IP changes the session is dropped (can
> happen every 5min or when I am lucky the IP does not change for a
> couple of hours).
> 

Both session helpers we provide use the external_acl directive's 'format'
field as the session key. The basic session helper only accepts one
parameter value in the format, the SQL-session helper accepts any number.

Online tutorials tend to use %SRC (IP address), our man page actually
uses %LOGIN (auth username). You will just need to use something else.
The helper does not care, it just needs a unique per-session piece of
text.

If you need more than one token to make up the key, use the sql_session
helper. It also fits in better with the splash page doing "login", since
that splash page script will need to be the part doing session creation
in the DB.

Amos
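
The session-key choice described in the message above, as an added squid.conf example that is not part of the original message or the Squid project's own configuration. The helper path, the ttl/children/timeout values and the splash URL are assumptions to be replaced with local values.

```conf
# Added example. Helper path, timing values and splash URL are placeholders.

# Keyed on the client IP (%SRC), as many online tutorials do.
# Behind NAT all clients seen from one address share a single session,
# and a roaming client loses its session whenever its address changes.
#external_acl_type session ttl=300 negative_ttl=0 children=1 %SRC /usr/lib/squid/ext_session_acl -t 7200

# Keyed on the authenticated username (%LOGIN), as in the helper's man page.
# %LOGIN requires proxy authentication to be configured in squid.conf.
# The basic helper accepts exactly one format token as the session key.
external_acl_type session ttl=300 negative_ttl=0 children=1 %LOGIN /usr/lib/squid/ext_session_acl -t 7200

# Requests without an active session are denied and redirected to the splash page.
acl session external session
http_access deny !session
deny_info http://splash.example.invalid/?url=%s session
```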


