[squid-users] help with helper

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 3 14:28:48 UTC 2019


On 4/09/19 1:13 am, jmperrote wrote:
> Hello Amos, yes, but how can I identify that it is on the first request?
> 

It will be first? But what does first actually mean?
  first this year? first today? first this second?

HTTP is stateless. There is no concept of "second request" etc. outside
of features which are *not* related to users or useful to you here.

_Every_ request that your config requires credentials to accept, needs
credentials provided or will get a 401/407 response. That is just how
auth works in HTTP. There are likely many of those which are handled by
the Browser without any popup at all.
 To Squid there is no difference between request 1 without credentials
and request 2 without credentials.


> Else Squid requests to authenticate, and later when it invokes the helper
> again requests to authenticate.

Every time Squid is handed never-before-seen credentials the helper will
be asked to check them.

Every time Squid is handed credentials that are apparently expired, the
helper will be asked to check them.


> 
> I handle recovering the user from the Squid cache (cache manager) in the
> helper, to ask if the user previously existed, but Squid refreshes the cache
> and users disappear from time to time.

Yes. Computers do not have infinite memory. Things that are clearly
obsolete are thrown away after a reasonable time.


To make credentials stick around longer you can do two things:

 1) increase their TTL. The longer they are considered valid the longer
they are retained as possibly useful.

 Pros: they stick around. Less CPU load on the auth system.

 Cons: they stick around. Increased memory usage. Reduced ability to
change passwords. Reduced ability to kick malicious users off the proxy
by disabling hacked credentials.


 2) increase the garbage collection interval Squid uses. This keeps
obsolete logins around longer.

 Pros: more known logins.

 Cons: more memory used storing logins.


Both have the possibility/risk that a user's "login session" goes longer
than you might be expecting.

For example, if set to 10hrs (one working day), a user may "logout" late
one night, then re-login early the next day (9hrs of sleep later) and be
seen by Squid as having continued the same login started yesterday.
 Even 2hrs is too long to cover lunch breaks etc.
 Up to you of course, just consider what type of activities may be
problematic for your system for any given time range.

> 
> The exact question is: how to know if the user is previously logged in, so
> the helper just validates user/password

Yes.

> and later ALLOW to continue.
> 

No.

Authentication vs Authorization. There is a thin difference, but it is
very important to understanding these things going on.

The auth helper only does Authentication - checking that credentials are
*correct*.

Squid ACLs do the Authorization - allow/deny actions. Which may (or not)
be based on whether credentials are correct / authenticated.



HTH
Amos
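
Added example, not part of the original message and not Squid's own code: a
Basic-auth helper that only answers whether credentials are correct, with the
squid.conf lines for the two retention options and the ACL-based authorization
shown as comments. The helper path, TTL values, user store and salt are
constructed assumptions.

```python
#!/usr/bin/env python3
# Squid Basic-auth helper sketch. Squid writes one "user password" line per
# lookup (both fields URL-escaped); the helper answers OK or ERR and nothing
# else. It keeps no state: whether a login is "new" or "expired" is decided by
# Squid's credentials cache, and allow/deny is decided by http_access.
#
# squid.conf wiring (helper path is a placeholder; TTL values are examples):
#   auth_param basic program /path/to/this_helper.py
#   auth_param basic credentialsttl 2 hours        # option 1: cached validity
#   authenticate_cache_garbage_interval 1 hour     # option 2: GC interval
#   acl authed proxy_auth REQUIRED                 # authentication result...
#   http_access allow authed                       # ...used for authorization
#   http_access deny all
import hashlib
import hmac
import sys
from urllib.parse import unquote

SALT = b"constructed-salt"  # constructed sample value


def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed sample user store: username -> derived key.
USERS = {"alice": _kdf("correct horse")}


def check_line(line: str) -> str:
    """Return the helper reply for one request line from Squid."""
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) != 2:
        return "ERR"  # malformed input is never treated as valid
    user, password = (unquote(f) for f in fields)
    candidate = _kdf(password)  # derive even for unknown users (timing)
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(candidate, expected):
        return "OK"
    return "ERR"


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks until each reply arrives


if __name__ == "__main__":
    main()
```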

