[squid-users] Authorization in a different way

Christian Kunkel ckunkel at fischie.com
Wed Jan 13 17:50:16 UTC 2016


Hey Amos,

Maybe my English is too bad or maybe I am just not getting it. I cannot use any kind of IP as authentication or authorization. First of all because of NAT, and second would be that the IP of a user changes regarding his location (mobile network).

My understanding of ext_session_acl is or was that it uses an IP to create the session?! So if the IP changes the session is dropped (can happen every 5 min, or when I am lucky the IP does not change for a couple of hours).

> On 13.01.2016 at 17:53, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
>> On 14/01/2016 5:35 a.m., Christian Kunkel wrote:
>> Hey guys,
>> 
>> I need a way to authenticate or authorize users to my Squid server so
>> I can create some kind of a session and drop users after x hours they
>> have been using my proxy. Important thing would be to create only one
>> session per user. I do not have access to the users' network. They are
>> connecting from the internet and they also have NATed IPs. I thought
>> about the classic way with HTTP headers but I run into problems with
>> some devices. So that's useless for me. To use the IP address is also
>> not possible because it would authorize a lot of people at once if they
>> are behind a NAT. That's not what I want. I can only add a proxy
>> address and a port to the devices which are connecting. Right now I am
>> using a unique port for every user, then redirect the port to a
>> splash screen with a login form. When login is successful it
>> triggers an iptables script which redirects that port to Squid. But
>> that means everyone can actually use that port after someone
>> successfully logged in.
> 
> Then your iptables script is redirecting wrong. It should only add rules
> to redirect a specific src-IP / dst-port pair.
> 
>> 
>> I am using Squid 3.5.13 on Debian 8.
>> 
>> Some hints would be awesome. Thanks in advance guys :)
> 
> Use the ext_session_acl helper or ext_session_sql_acl helper with "user"
> login as the session key / helper format.
> 
> If you were using HTTP authentication the key would be %LOGIN. Since you
> are not it will be whatever you are using to identify the "user" within
> Squid.
> 
> Amos