[squid-users] IP based user identification/authentication
Amos Jeffries
squid3 at treenet.co.nz
Thu Dec 7 10:39:37 UTC 2023
On 7/12/23 15:34, Andrey K wrote:
> Hello,
>
> I was interested if I can configure some custom external helper that
> will be called before any authentication helpers and can perform user
> identification/authentication based on the client src-IP address.

Well, yes and no.

The order of authentication and authorization helpers is determined by
what order you configure http_access tests.

So "yes" in that you can call it before authentication, and have it tell
you what "user" it *thinks* is using that IP.

However, ...

> It can look up in the external system information about the user logged
> in to the IP address and return the username and some annotation
> information on success.

Users do not "log into IP address" and ...

> If the user has been identified, no subsequent authentications are required.
> Identified users can be authorized later using standard squid mechanisms
> (for example, ldap user groups membership).
>
> This feature can be especially useful in "transparent" proxy
> configurations where 407-"Proxy Authentication Required" response code
> is not applicable.

... with interception the user agent is not aware of the proxy
existence. So it *will not* provide the credentials necessary for
authentication. Not to the proxy, nor a helper.

So "no".

This is not a way to authenticate. It is a way to **authorize**. The
difference is very important.

For more info look up "captive portal" on how this type of configuration
is done and used.

Cheers
Amos
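
The kind of helper discussed in this thread, as an added example that is not part of the original message or of Squid itself: an external ACL helper that reports which user a captive-portal login last recorded for a source IP, so Squid can authorize on that mapping. The session table, helper path and ACL names are constructed assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: source IP -> user recorded by a portal login.
This authorizes on an IP-to-user mapping; it does not authenticate anyone.

squid.conf wiring (hypothetical names and path; list the ACL in http_access
ahead of any proxy_auth ACL; older releases spell %>a as %SRC):
  external_acl_type ip_user ttl=60 negative_ttl=10 concurrency=50 %>a /usr/local/bin/ip_user.py
  acl portal_user external ip_user
  http_access allow portal_user
"""
import ipaddress
import sys
import time

# Constructed sample session table: IP -> (username, expiry in epoch seconds).
# A real deployment would query the captive portal's session store instead.
SESSIONS = {
    "192.0.2.10": ("alice", 4102444800),  # expires 2100-01-01
    "192.0.2.11": ("bob", 946684800),     # expired 2000-01-01
}

def answer(line, sessions=SESSIONS, now=None):
    """Build the reply for one request line of the form '<channel-id> <ip>'."""
    now = time.time() if now is None else now
    parts = line.split()
    if len(parts) != 2:
        channel = parts[0] if parts else "0"
        return f"{channel} BH message=malformed_request"
    channel, raw_ip = parts
    try:
        ip = str(ipaddress.ip_address(raw_ip))  # normalises IPv6 spellings
    except ValueError:
        return f"{channel} BH message=bad_ip"
    entry = sessions.get(ip)
    if entry is None or entry[1] <= now:
        return f"{channel} ERR"  # unknown or stale mapping: ACL does not match
    return f"{channel} OK user={entry[0]}"

def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer

if __name__ == "__main__":
    main()
```

A stale or missing mapping returns ERR rather than a guessed user, and the short ttl limits how long Squid keeps trusting a mapping after the address changes hands.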