[squid-users] Howto: squid - valid user auth with IP ttl (resolved IE problem) - squid
Auth with Valid System USER with IP TTL
Written by Myung-Oh OH in DGTALX.NET
Date 2004-01-26

Squid basic auth supports SASL and PAM auth, but basic auth has some problems. I always get an auth request every time I launch a new IE browser or multiple instances. It's a very inconvenient thing. So I'm writing this howto.

This howto supports Valid System User + IP TTL auth.

*NOTE* This program is based on Squid 2.5. I haven't secured this howto against security problems such as setuid exploits.

Procedures
--
1st phase - Launching new IE -> check ip ttl -> ACCESS DENY page -> PHP program -> check valid user (pam) -> ACCESS OK (when the user's ip is added)
2nd phase - Launching new IE -> check ip ttl -> ACCESS OK

Step one. Edit Squid configuration file

NOTE: AUTH.DGTALX.NET is just a sample. Don't use this setting in your site; you'll need to add a new virtual host to your domain and modify this config.

    acl IPAUTH src "/www/auth.dgtalx.net/ip_auth"
    acl AUTHURL dstdomain "auth.dgtalx.net"
    http_access allow AUTHURL
    http_access allow IPAUTH
    http_access deny !IPAUTH
    deny_info ERR_CACHE_ACCESS_DENIED IPAUTH
    error_directory /usr/local/squid/share/errors/English
    forwarded_for on

(allows an unauthorized user to view the auth.dgtalx.net site, but no other site)

Step two. Edit ERR_CACHE_ACCESS_DENIED

Use vi or the pine editor and add the line below anywhere:

    Login to cache server

Step three. Patch SASL AUTH

In your squid source directory:

    $ cd helpers/basic_auth/SASL
    $ vi sasl_auth.c

then find this line

    setvbuf(stdout, NULL, _IOLBF, 0);

and patch it to

    setvbuf(stdout, NULL, _IONBF, 0);

(IOLBF -> IONBF) This makes it work with the fifo node.

Step four. Install SASL auth

In your squid source directory:

    $ ./configure --enable-basic-auth-helpers="SASL"
    $ cd helpers
    $ make
    $ make install

Step five. Configure SASL auth

Make the squid_sasl_auth.conf file in /usr/lib/SASL:

    $ echo "pwcheck_method pam" > /usr/lib/SASL/squid_sasl_auth.conf

Copy the pam control file to /etc/pam.d:

    $ cp /your squid source directory/helpers/basic_auth/SASL/squid_sasl_auth /etc/pam.d

Complete.

Step six. Configure Apache virtual host

This step makes a new virtual host for unauthorized user access.

    DocumentRoot /www/auth.dgtalx.net
    ServerName auth.dgtalx.net

(I think you will need to add a cgi control tag here)

Step seven. Make php file

Input the content below into your php file:

================ CUT LINE ================

    <?php
    function authenticate() {
        Header("WWW-authenticate: basic realm=\"X-Network Cache Server\"");
        Header("HTTP/1.0 401 Unauthorized");
        $title = "Don't Try it - Invalid Login";
    ?>
    Only for valid system user
    <?php
        exit;
    }

    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        authenticate();
    } else {
        $php_auth_us = $_SERVER['PHP_AUTH_USER'];
        $php_auth_pw = $_SERVER['PHP_AUTH_PW'];

        // feed "user password" to the setuid helper; its answer comes back through the fifo
        $passvar = popen("/www/auth.dgtalx.net/sasl_auth > sasl_get", 'w');
        if (!$passvar) {
            echo "login failed";
            exit;
        }
        fputs($passvar, "$php_auth_us $php_auth_pw\n");
        $fo = fopen("sasl_get", "r");
        if (!$fo) {
            echo "login failed";
            exit;
        }
        $readvar = fread($fo, 100);
        fclose($fo);
        pclose($passvar);

        // the helper answers "OK\n" or "ERR\n"; strip the newline before comparing
        if (trim($readvar) == "OK") {
            // address added by squid (forwarded_for on); a client can prefill this header
            $host = getenv("HTTP_X_FORWARDED_FOR");
            echo "IP - $host Access Granted";
            $iplog = "$host\n";
            $iplist = file_get_contents("ip_auth");
            // exact-line match; the original eregi() treated the address as a regex
            if (preg_match('/^' . preg_quote($host, '/') . '$/m', $iplist)) {
                echo " your ip already logged";
            } else {
                file_put_contents("ip_auth", $iplog, FILE_APPEND);
                sleep(1);
                system("./squid -k reconfigure");
                header("Location: $uri");   // $uri is not defined anywhere in this howto
            }
        } else {
            echo "login failed";
        }
    }
    ?>

==========================================

Step eight. Make fifo node

    $ cd /www/auth.dgtalx.net
    $ mkfifo sasl_get
    $ chmod 660 sasl_get
    $ chown nobody.nobody sasl_get

(this effective user and group must follow the apache setting)

Step nine. Copy binary files

    $ cp /usr/local/squid/sbin/squid /www/auth.dgtalx.net/
    $ cp /usr/local/squid/libexec/sasl_auth /www/auth.dgtalx.net/
    $ cd /www/auth.dgtalx.net
    $ chown root.nobody sasl_auth
    $ chown nobody.nobody squid
    $ chmod 4750 sasl_auth
    $ chmod 4750 squid

Step ten. Starting Squid

You must start the squid daemon as user nobody (or your apache effective user):

    $ sudo -u nobody /usr/local/sbin/squid

Step eleven. Add to crontab

6 is the ip TTL; this line will clear the ip list data (ip_auth).

    $ crontab -e -u nobody

Input this line:

    0 6 * * * echo "127.0.0.1" > /www/auth.dgtalx.net/ip_auth ; /usr/local/squid/sbin/squid -k reconfigure

Complete. Good luck to you.

(I'm writing this howto in multiple languages: English, Korean, Japanese)
http://www.dgtalx.net -> Linux HowTo; check the other languages
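An added example, not part of the howto above or of Squid itself: the ip_auth bookkeeping redone in Python with a per-address TTL instead of the once-a-day cron wipe. It keeps a separate state file of "ip<TAB>epoch" lines (an assumed format), validates the address Squid appended to X-Forwarded-For before it can reach the ACL file, and renders the one-address-per-line file that `acl IPAUTH src "file"` reads, writing it atomically so a reconfigure never sees a half-written list.

```python
import ipaddress
import os
import tempfile
import time

TTL_SECONDS = 6 * 3600   # the howto's "6" read as a per-entry TTL in hours (assumption)
FALLBACK = "127.0.0.1"   # keeps the ACL file non-empty, as the howto's cron line does


def parse_state(text):
    """Parse 'ip<TAB>epoch' lines into {ip: epoch}; malformed lines are dropped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2:
            continue
        try:
            entries[str(ipaddress.ip_address(parts[0]))] = int(parts[1])
        except ValueError:
            continue
    return entries


def add_ip(entries, xff_header, now=None):
    """Stamp the address Squid appended to X-Forwarded-For and return it.

    A client can prefill the header ("evil, 1.2.3.4"), so only the last,
    proxy-added element is used, and it must parse as an address (ValueError)."""
    ip = str(ipaddress.ip_address(xff_header.split(",")[-1].strip()))
    entries[ip] = int(now if now is not None else time.time())
    return ip


def prune(entries, now, ttl=TTL_SECONDS):
    """Drop entries stamped more than ttl seconds ago; returns the removed IPs."""
    stale = [ip for ip, stamp in entries.items() if now - stamp > ttl]
    for ip in stale:
        del entries[ip]
    return stale


def render_acl(entries):
    """One address per line, the format `acl IPAUTH src "file"` reads."""
    return "\n".join(sorted(entries) or [FALLBACK]) + "\n"


def write_atomic(path, text):
    """Temp file + rename, so `squid -k reconfigure` never reads a partial list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)
```

A cron job would call `prune` and then `write_atomic` with `render_acl` output before running `squid -k reconfigure`; the PHP login page would call `add_ip` instead of appending the raw header value.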