Re: [squid-users] Re: Dual auth based on IP source

From: David Rodríguez Fernández <davidrf_at_gmail.com>
Date: Tue, 27 Jan 2009 18:13:21 +0100

This doesn't work for me. I have a dynamic list of users in Active
Directory, with dynamic access to the Internet. I must query an external
database to know if a user has access to the Internet.

But thanks Chris, your help didn't help me.

I have resolved my problem, so this is my solution for somebody who needs it.
--------------------
# NTLM (single sign-on) authentication, challenge-reuse disabled
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp DOMAIN.LOCAL\\10.0.0.1 DOMAIN.LOCAL\\10.0.0.2 DOMAIN.LOCAL\\10.0.0.3 DOMAIN.LOCAL\\10.0.0.4
auth_param ntlm children 40
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
# Basic authentication fallback for clients that cannot do NTLM
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp DOMAIN.LOCAL\\10.0.0.1 DOMAIN.LOCAL\\10.0.0.2 DOMAIN.LOCAL\\10.0.0.3 DOMAIN.LOCAL\\10.0.0.4
auth_param basic children 10
auth_param basic realm Internet authorization
auth_param basic credentialsttl 1800 seconds

# Any authenticated user (forces the proxy-auth exchange)
acl auth_users proxy_auth REQUIRED

# Authorization: the helper receives "<login> <source-ip>" and answers OK/ERR;
# results are cached for 1800 seconds per login/IP pair
external_acl_type checkip children=5 ttl=1800 %LOGIN %SRC /etc/squid/squid_checkip
acl accesssource external checkip
http_access allow localnet accesssource
--------------------

I configured Squid to work with NTLM auth, and I based the
authorization on a Perl script which checks the login against an Oracle
database based on login and source IP. If my user accesses from a LAN
IP, the normal check is done, but if my user accesses from a mobile IP he
needs additional permission to browse outside my company.

On Thu, Jan 8, 2009 at 10:26 PM, Chris Robertson <crobertson_at_gci.net> wrote:
>
> David Rodríguez Fernández wrote:
>>
>> Hi,
>>
>> I have my own auth_param basic program script to authenticate my Squid
>> users. My Perl script is working fine. I do an authentication based on
>> login/password and a query to an Oracle database.
>>
>> I have a Squid server for all my organization. All the users are
>> browsing the web through this server. The users need a username and
>> password to access the Internet and a valid record in the Oracle database.
>> I have VPN users who connect to the organization net over GPRS/3G
>> mobiles and laptops. All of these users have access to Squid, but I
>> don't want all mobile users to browse the Internet over a mobile
>> connection, only the VIP ones (we pay for total bytes transferred).
>> The VPN doesn't know anything about limiting user access based on login
>> username, so I need to limit this in the Squid config. All the mobile
>> connections come to Squid from a separate IP network, so I can decide
>> whether a user has access to Squid based on source IP/login/password.
>>
>> Is there some configuration so that I can have 2 separate auth_param basic
>> program scripts based on source IP?
>>
>> Can I change the behavior of data entry?
>> from:
>> login password
>> to:
>> IP login password
>>
>> Is there another, simpler solution?
>>
>
> # Any authenticated user
> acl norm_auth proxy_auth REQUIRED
> # Only these logins may browse from the mobile network
> acl mobile_auth proxy_auth bob jane me
> acl mobile src 10.10.10.5/32
> acl mynet src 10.10.10.0/24
>
> # Deny access to traffic sourced from 10.10.10.5 unless it's bob, jane or me
> http_access deny !mobile_auth mobile
> ...other http_access rules go here...
> http_access deny all
>
> Chris
>
Received on Tue Jan 27 2009 - 17:13:30 MST
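The external ACL helper David describes (authorize on login plus source IP, with mobile clients needing an extra permission) is not included in the post. The following is an added example, not David's Perl script, showing the shape of such a helper in Python against the Squid interface his config declares (`external_acl_type checkip ... %LOGIN %SRC`): Squid writes one `<login> <source-ip>` line per request on stdin and expects one `OK` or `ERR` line on stdout. The LAN and mobile address ranges, and the user table standing in for the Oracle query, are constructed for the example.

```python
#!/usr/bin/env python3
"""Squid external_acl helper: authorize by login and source IP.

Added example, not the poster's script. Squid side (from the posted config):
    external_acl_type checkip children=5 ttl=1800 %LOGIN %SRC /etc/squid/squid_checkip
Protocol: one request per line on stdin, "<login> <src-ip>"; one reply per
line on stdout, "OK" or "ERR". Squid may URL-encode the fields, so they are
unquoted before use.
"""
import ipaddress
import sys
from urllib.parse import unquote

# Hypothetical address plan: corporate LAN and the VPN pool mobile clients land in.
LAN_NETS = [ipaddress.ip_network("10.0.0.0/16")]
MOBILE_NETS = [ipaddress.ip_network("172.16.0.0/24")]

# Constructed stand-in for the Oracle lookup: login -> permissions.
# "internet" is the normal entitlement; "mobile" is the extra one needed
# when the request arrives from the mobile/VPN network.
USERS = {
    "alice": {"internet": True, "mobile": False},
    "bob":   {"internet": True, "mobile": True},
    "carol": {"internet": False, "mobile": False},
}


def normalize_login(raw):
    """Undo Squid's URL-encoding, drop a DOMAIN\\ prefix, lowercase the name."""
    login = unquote(raw)
    if "\\" in login:
        login = login.rsplit("\\", 1)[1]
    return login.lower()


def authorize(login, src, users=USERS):
    """Return True only if the user may browse from the network src is in."""
    entry = users.get(login)
    if entry is None or not entry["internet"]:
        return False
    if any(src in net for net in LAN_NETS):
        return True
    if any(src in net for net in MOBILE_NETS):
        return entry["mobile"]
    # Unknown source network: fail closed rather than guessing.
    return False


def decide(line, users=USERS):
    """Turn one Squid request line into the reply Squid expects."""
    parts = line.strip().split()
    if len(parts) != 2:
        return "ERR"
    login = normalize_login(parts[0])
    try:
        src = ipaddress.ip_address(unquote(parts[1]))
    except ValueError:
        return "ERR"
    return "OK" if authorize(login, src, users) else "ERR"


def serve(stream_in, stream_out, users=USERS):
    """Helper main loop: answer every line, flushing so Squid is never blocked."""
    for line in stream_in:
        stream_out.write(decide(line, users) + "\n")
        stream_out.flush()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Two things to keep in mind when deploying a helper like this. The `ttl=1800` in the posted config means Squid caches each login/IP verdict for 30 minutes, so revoking a user in the database takes up to that long to bite; lower the ttl if revocation latency matters. And the helper sees the login only because `proxy_auth REQUIRED` forces authentication first; if an `http_access` rule that uses the external ACL can be reached by an unauthenticated request, `%LOGIN` is empty and the helper should treat that as `ERR`, which the code above does since an empty login is not in the table.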

This archive was generated by hypermail 2.2.0 : Tue Jan 27 2009 - 12:00:03 MST