[squid-users] Protecting squid

Ben Goz ben.goz87 at gmail.com
Wed Mar 17 13:54:25 UTC 2021 

By the help of God.


Hi Amos,

Sounds interesting.

Maybe I should modify the external_acl_type to talk with internal API 
inside my system.

Can you please point me to some code examples and documentation?

Also if you can please point me to squid code that invokes the external 
ACL program?

Thanks,

Ben

On 15/03/2021 15:27, Amos Jeffries wrote:
> On 15/03/21 2:26 am, Ben Goz wrote:
>>
>> Can I configure squid authentication TTL per only source IP and 
>> ignores other parameters so authentication will be requested only 
>> once in TTL for all the sessions?
>>
>
> Not with just authentication. You will need to use a slightly more 
> complicated system involving an external_acl_type helper as well and 
> switch to an SQL database auth system.
>
>
> The idea for that is that you have a database of authenticated users 
> with their last-known IP address.
>
>  Your auth_param helper is changed to one which takes client IP 
> address in the auth_param key_extras setting, and adds records to the 
> SQL database before telling Squid the login is OK.
>
>  Use an ext_sql_session_acl helper which takes IP address and checks 
> the database to find the username who last authenticated from there. 
> This needs to be checked and permit existing sessions before the auth 
> helper.
>
> The config looks something like this:
>
>
>   external_acl_type ipuser negative_ttl=0 ttl=7200 %<a \
>     /usr/bin/squid/ext_sql_session_acl \
>     --dsn "..." --user dbUsername --password dbPassword --persist \
>     --usercol username --uidcol ipaddress
>
>   acl user_known external ipuser
>   http_access allow user_known
>
>
>   auth_param basic program /path/to/helper
>   auth_param basic key_extras %<a
>   auth_param basic credentialsttl 2 hours
>
>   acl authenticated proxy_auth REQUIRED
>
>   http_access allow authenticated
>
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list