[squid-users] Howto: squid - valid user auth with IP ttl (resolved IE problem)

From: X-Network <xnet@dont-contact.us>
Date: Sun, 1 Feb 2004 14:13:33 +0900

SQUID-Cache
Auth with Valid System USER with IP TTL
Written by Myung-Oh OH in DGTALX.NET

Date 2004-01-26

Squid Basic auth supports SASL and PAM authentication,
but Basic auth has a problem.

I always get an auth request every time I open a new IE browser or launch multiple
instances. It's a very inconvenient thing, so I'm writing this howto.

This howto provides authentication of valid system users with an IP TTL.

*NOTE* This program is based on Squid 2.5.
       I have not secured this howto against security problems such as setuid exploits.

Procedures --

1st phase - Launching a new IE -> check IP TTL -> ACCESS DENY page -> PHP
program -> check valid user (PAM) -> ACCESS OK
(the user's IP is added here)
2nd phase - Launching a new IE -> check IP TTL -> ACCESS OK

Step one. Edit the Squid configuration file

NOTE : AUTH.DGTALX.NET is just a sample example; don't use this setting on your
site. You'll need to add a new virtual host to your domain and modify this
config.

acl IPAUTH src "/www/auth.dgtalx.net/ip_auth"
acl AUTHURL dstdomain "auth.dgtalx.net"
http_access allow AUTHURL
http_access allow IPAUTH
http_access deny !IPAUTH
deny_info ERR_CACHE_ACCESS_DENIED IPAUTH
error_directory /usr/local/squid/share/errors/English
forwarded_for on

(allows unauthenticated users to view the auth.dgtalx.net site, but no other site)

Step two. Edit ERR_CACHE_ACCESS_DENIED

Use vi or the pine editor.

Add the line below anywhere in the file.

<A HREF="http://auth.dgtalx.net/auth.php?URI=%U">Login to cache server</A>

Step Three. Patch SASL AUTH

In your squid source directory:

$ cd helpers/basic_auth/SASL
$ vi sasl_auth.c

Then find this line

      setvbuf(stdout, NULL, _IOLBF, 0);

and patch it to

      setvbuf(stdout, NULL, _IONBF, 0);

(IOLBF -> IONBF)

This makes the helper's stdout completely unbuffered, so its OK/ERR reply is
written to the FIFO node as soon as it is produced.

Step Four. Install the SASL auth helper

In your squid source directory:

$ ./configure --enable-basic-auth-helpers="SASL"
$ cd helpers
$ make
$ make install

Step Five. Configure SASL auth

Create the squid_sasl_auth.conf file in /usr/lib/SASL:

$ echo "pwcheck_method:pam" > /usr/lib/SASL/squid_sasl_auth.conf

Copy the PAM control file to /etc/pam.d:

$ cp /your squid source directory/helpers/basic_auth/SASL/squid_sasl_auth
/etc/pam.d

Complete

Step Six. Configure the Apache virtual host

This step makes a new virtual host that unauthenticated users can reach.

<VirtualHost dgtalx.net>
 DocumentRoot /www/auth.dgtalx.net
 ServerName auth.dgtalx.net
</VirtualHost>

(I think you will need to add CGI control tags here)

Step Seven. Make the PHP file

Put the content below in your PHP file (auth.php, the page linked from the error page):

=============== CUT LINE ==================

<?php

// Send a 401 with a Basic challenge so the browser prompts for
// credentials, print the short page, and stop.
function authenticate() {
        header("WWW-Authenticate: Basic realm=\"X-Network Cache Server\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "Only for valid system user";
        exit;
}

if (!isset($_SERVER['PHP_AUTH_USER'])) {
        authenticate();
}

$php_auth_us = $_SERVER['PHP_AUTH_USER'];
$php_auth_pw = $_SERVER['PHP_AUTH_PW'];
// The URL the client originally asked for, passed by ERR_CACHE_ACCESS_DENIED
// as ?URI=%U (the original code used $uri without ever setting it).
$uri = isset($_GET['URI']) ? $_GET['URI'] : "";

// The helper reads one "user password" line per request, so a newline in
// either field or a space in the user name would corrupt the exchange.
if (strpos($php_auth_us, " ") !== false ||
    strpos("$php_auth_us$php_auth_pw", "\n") !== false) {
        echo "login failed";
        exit;
}

// sasl_auth (copied in Step Nine) reads "user password" on stdin and
// answers OK or ERR on stdout, which is redirected into the FIFO from
// Step Eight (sasl_get). This relies on the _IONBF patch from Step Three.
$passvar = popen("/www/auth.dgtalx.net/sasl_auth > sasl_get", 'w');
if (!$passvar) {
        echo "login failed";
        exit;
}
fputs($passvar, "$php_auth_us $php_auth_pw\n");
$fo = fopen("sasl_get", "r");
if (!$fo) {
        pclose($passvar);
        echo "login failed";
        exit;
}
$readvar = fread($fo, 100);
fclose($fo);
pclose($passvar);

// The helper answers "OK\n", so compare without the trailing newline.
if (trim($readvar) != "OK") {
        echo "login failed";
        exit;
}

// With forwarded_for on, Squid puts the client address in this header.
// Take the last address in the list and accept only a plain IPv4 address,
// since whatever is stored here becomes part of the IPAUTH acl file.
$parts = explode(",", (string) getenv("HTTP_X_FORWARDED_FOR"));
$host = trim(end($parts));
if (!preg_match('/^\d{1,3}(\.\d{1,3}){3}$/', $host)) {
        echo "login failed";
        exit;
}

// Compare whole lines instead of running the address through eregi(),
// which would treat the dots as regex wildcards.
$fp = fopen("ip_auth", "r");
$iplist = $fp ? explode("\n", fread($fp, max(1, filesize("ip_auth")))) : array();
if ($fp) fclose($fp);

if (in_array($host, $iplist)) {
        echo "IP - $host Access Granted<BR>your ip already logged";
} else {
        $fp = fopen("ip_auth", 'a');   // 'a+r' is not a valid fopen mode
        fwrite($fp, "$host\n");
        fclose($fp);
        sleep(1);
        system("./squid -k reconfigure");
        // Redirect before producing any output, otherwise the header cannot be sent.
        if ($uri != "") {
                header("Location: $uri");
        } else {
                echo "IP - $host Access Granted";
        }
}
?>

===========================================
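The helper exchange behind Step Three and Step Seven, as an added example that is neither the page's code nor Squid's own sasl_auth: a Python client sends one "user password" line to a Squid 2.5-style basic auth helper over pipes and waits for its OK or ERR reply with a timeout, instead of going through a FIFO in the web root. The helper it talks to is a constructed stand-in with a made-up user database; its stdout buffering can be switched, which reproduces the symptom the _IONBF patch cures: a helper that buffers its reply never answers. All names and accounts here are assumptions.

```python
"""Talk to a Squid 2.5-style basic auth helper over pipes (added example)."""
import select
import subprocess
import sys

# Constructed stand-in for sasl_auth. argv[1] == "1" flushes each reply,
# like the _IONBF patch; "0" leaves stdout block-buffered, which is what a
# C stdio stream does on a pipe or FIFO.
HELPER_SRC = r'''
import sys
USERS = {"alice": "correct horse", "bob": "hunter2"}   # constructed accounts
unbuffered = sys.argv[1] == "1"
# A fresh stream mimics C stdio: block-buffered because it is not a tty.
out = open(sys.stdout.fileno(), "w", buffering=-1, closefd=False)
while True:
    line = sys.stdin.readline()
    if not line:
        break
    parts = line.rstrip("\n").split(" ", 1)
    ok = len(parts) == 2 and USERS.get(parts[0]) == parts[1]
    out.write("OK\n" if ok else "ERR\n")
    if unbuffered:
        out.flush()
'''


def helper_command(unbuffered=True):
    """Command line for the stand-in helper (swap in the real sasl_auth path)."""
    return [sys.executable, "-c", HELPER_SRC, "1" if unbuffered else "0"]


def is_safe_credential(user, password):
    """The protocol is one line per request, split at the first space, so a
    newline in either field or a space in the user name would be misread."""
    return "\n" not in user and "\n" not in password and " " not in user


def check_credentials(helper_cmd, user, password, timeout=2.0):
    """Send one request; return "OK", "ERR", or None when no reply arrives
    within timeout (the symptom of a helper that buffers its stdout)."""
    if not is_safe_credential(user, password):
        raise ValueError("user/password would break the one-line protocol")
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, bufsize=0)
    try:
        proc.stdin.write(f"{user} {password}\n".encode())
        # Wait with a deadline rather than blocking forever on the reply.
        ready, _, _ = select.select([proc.stdout], [], [], timeout)
        if not ready:
            return None
        return proc.stdout.readline().decode().strip()
    finally:
        proc.kill()
        proc.wait()


if __name__ == "__main__":
    print(check_credentials(helper_command(True), "alice", "correct horse"))
    print(check_credentials(helper_command(True), "alice", "nope"))
    print(check_credentials(helper_command(False), "alice", "correct horse", 1.0))
```

With the stand-in in buffered mode the call returns None: the "OK" line is still sitting in the helper's stdio buffer while it blocks waiting for the next request, which is exactly what the one-request-per-process use in the PHP page runs into without the patch.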

Step Eight. Make fifo node

$ cd /www/auth.dgtalx.net
$ mkfifo sasl_get
$ chmod 660 sasl_get
$ chown nobody.nobody sasl_get
        (the user and group must match Apache's effective user and group)

Step Nine. Copy binary files

$ cp /usr/local/squid/sbin/squid /www/auth.dgtalx.net/
$ cp /usr/local/squid/libexec/sasl_auth /www/auth.dgtalx.net/
$ cd /www/auth.dgtalx.net
$ chown root.nobody sasl_auth
$ chown nobody.nobody squid
$ chmod 4750 sasl_auth
$ chmod 4750 squid

Step Ten. Starting Squid

You must start the Squid daemon as user nobody (or your Apache effective user):

$ sudo -u nobody /usr/local/sbin/squid

Step Eleven. Add to crontab

6 is the IP TTL (the hour at which the list is cleared); this entry clears the IP list data (ip_auth).

$ crontab -e -u nobody

Input this line (one crontab entry):
0 6 * * * echo "127.0.0.1" > /www/auth.dgtalx.net/ip_auth ; /usr/local/squid/sbin/squid -k reconfigure
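Maintaining the ip_auth list, as an added example that is not the page's code: it goes beyond Step Eleven's daily wipe to a per-address TTL. Grant times live in a separate state file (an assumption; ip_auth.state is a made-up name) and ip_auth is regenerated from it in the one-address-per-line form the IPAUTH acl reads, written atomically so a reconfigure never sees a half-written file. The X-Forwarded-For handling keeps only the last address, the one Squid itself appended, and accepts only a plain IPv4 address. All addresses and times are constructed.

```python
"""IPAUTH acl file with a per-address TTL (added example)."""
import ipaddress
import os
import tempfile


def client_ip_from_xff(header):
    """Client IPv4 address from X-Forwarded-For, or None if unusable.
    Squid (forwarded_for on) appends the address it saw to whatever the
    client sent, so only the last element is the proxy's own observation."""
    if not header:
        return None
    last = header.split(",")[-1].strip()
    try:
        return str(ipaddress.IPv4Address(last))
    except ValueError:
        return None


def _atomic_write(path, text):
    # Write to a temp file in the same directory and rename it into place.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


def load_state(state_path):
    """Read 'address epoch_seconds' lines; malformed lines are skipped."""
    entries = {}
    if os.path.exists(state_path):
        with open(state_path) as fh:
            for line in fh:
                parts = line.split()
                if len(parts) == 2 and parts[1].isdigit():
                    entries[parts[0]] = int(parts[1])
    return entries


def save_state(state_path, acl_path, entries):
    """Persist the state and regenerate the acl file Squid reads."""
    ips = sorted(entries)
    _atomic_write(state_path, "".join(f"{ip} {entries[ip]}\n" for ip in ips))
    _atomic_write(acl_path, "".join(f"{ip}\n" for ip in ips))


def read_acl(acl_path):
    with open(acl_path) as fh:
        return [line.strip() for line in fh if line.strip()]


def grant(state_path, acl_path, xff_header, now):
    """Record the client address after a successful login. Returns
    ("added", ip) when the acl changed (run squid -k reconfigure),
    ("present", ip) when already listed, ("rejected", None) otherwise."""
    ip = client_ip_from_xff(xff_header)
    if ip is None:
        return ("rejected", None)
    entries = load_state(state_path)
    if ip in entries:
        return ("present", ip)
    entries[ip] = now
    save_state(state_path, acl_path, entries)
    return ("added", ip)


def expire(state_path, acl_path, ttl_seconds, now):
    """Drop addresses granted ttl_seconds or longer ago; returns the list
    removed (non-empty means squid -k reconfigure is needed)."""
    entries = load_state(state_path)
    stale = sorted(ip for ip, ts in entries.items() if now - ts >= ttl_seconds)
    for ip in stale:
        del entries[ip]
    if stale:
        save_state(state_path, acl_path, entries)
    return stale


def run_scenario():
    """Grant and expiry on constructed input, in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        state, acl = os.path.join(d, "ip_auth.state"), os.path.join(d, "ip_auth")
        t0 = 1075000000                      # constructed epoch time
        out = {
            "first": grant(state, acl, "10.0.0.5", t0),
            "again": grant(state, acl, "10.0.0.5", t0 + 60),
            "spoofed_prefix": grant(state, acl, "1.2.3.4, 10.0.0.9", t0 + 120),
            "garbage": grant(state, acl, "not-an-ip", t0),
        }
        out["acl_before"] = read_acl(acl)
        out["expired"] = expire(state, acl, 6 * 3600, t0 + 6 * 3600 + 1)
        out["acl_after"] = read_acl(acl)
        return out


if __name__ == "__main__":
    print(run_scenario())
```

Whenever grant() reports "added" or expire() returns a non-empty list, run squid -k reconfigure as the page does; the cron entry then becomes a call to expire() with the TTL in seconds rather than an unconditional wipe.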

Complete. Good luck to you.

(I'm writing this howto in multiple languages: English, Korean, Japanese)
See http://www.dgtalx.net -> Linux HowTo for the other languages.
Received on Sat Jan 31 2004 - 22:14:37 MST

This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:14 MST