This is a discussion on [squid-users] Howto: squid - valid user auth with IP ttl (resolved IE problem) within the Squid Users forums, part of the Web Server and Related Forums category.
SQUID-Cache
Auth with Valid System USER with IP TTL
Written by Myung-Oh OH in DGTALX.NET
Date 2004-01-26

Squid basic auth supports SASL and PAM, but basic auth has a problem: I get an auth request every time I open a new IE browser or launch multiple instances. It is a very inconvenient thing, so I am writing this howto.

This howto supports Valid System User + IP TTL auth.

*NOTE* This program is based on Squid 2.5. I have not secured this howto against security problems such as setuid exploits.

Procedures

1st phase: Launching new IE -> check IP TTL -> ACCESS DENY page -> PHP program -> check valid user (PAM) -> ACCESS OK (the user's IP is added)
2nd phase: Launching new IE -> check IP TTL -> ACCESS OK

Step one. Edit the Squid configuration file

NOTE: AUTH.DGTALX.NET is just a sample. Don't use this setting on your site; you will need to add a new virtual host to your domain and modify this config.

    acl IPAUTH src "/www/auth.dgtalx.net/ip_auth"
    acl AUTHURL dstdomain "auth.dgtalx.net"
    http_access allow AUTHURL
    http_access allow IPAUTH
    http_access deny !IPAUTH
    deny_info ERR_CACHE_ACCESS_DENIED IPAUTH
    error_directory /usr/local/squid/share/errors/English
    forwarded_for on

(This allows an unauthorized user to view the auth.dgtalx.net site, but no other site.)

Step two. Edit ERR_CACHE_ACCESS_DENIED

Use vi or the pine editor and add the line below anywhere in the file.

    <A HREF="http://auth.dgtalx.net/auth.php?URI=%U">Login to cache server</a>

Step three. Patch SASL auth

In your squid source directory:

    $ cd helpers/basic_auth/SASL
    $ vi sasl_auth.c

Then find this line

    setvbuf(stdout, NULL, _IOLBF, 0);

and patch it to

    setvbuf(stdout, NULL, _IONBF, 0);

(_IOLBF -> _IONBF). This makes the helper write its answers to the fifo node unbuffered.

Step four. Install SASL auth

In your squid source directory:

    $ ./configure --enable-basic-auth-helpers="SASL"
    $ cd helpers
    $ make
    $ make install

Step five. Configure SASL auth

Make the squid_sasl_auth.conf file in /usr/lib/SASL:

    $ echo "pwcheck_method:pam" > /usr/lib/SASL/squid_sasl_auth.conf

Copy the PAM control file to /etc/pam.d:

    $ cp /your squid source directory/helpers/basic_auth/SASL/squid_sasl_auth /etc/pam.d

Complete.

Step six. Configure an Apache virtual host

This step makes a new virtual host for unauthorized user access.

    <VirtualHost dgtalx.net>
        DocumentRoot /www/auth.dgtalx.net
        ServerName auth.dgtalx.net
    </VirtualHost>

(I think you will need to add the CGI control directives here.)

Step seven. Make the PHP file

Put the content below into your PHP file. (The script is shown as posted, with its defects fixed: the undefined $uri, the invalid 'a+r' fopen mode, the helper reply compared without trimming its newline, the missing exit after a failed fifo open, the redirect sent after output had already started, and the eregi() regex/substring match on the X-Forwarded-For value; the helper is also called by the name it gets in Step nine, sasl_auth.)

    ===================== CUT LINE =====================
    <?php
    function authenticate() {
        header('WWW-Authenticate: Basic realm="X-Network Cache Server"');
        header('HTTP/1.0 401 Unauthorized');
        echo "Only for valid system user";
        exit;
    }

    if (!isset($_SERVER['PHP_AUTH_USER'])) {
        authenticate();
    }

    $php_auth_us = $_SERVER['PHP_AUTH_USER'];
    $php_auth_pw = $_SERVER['PHP_AUTH_PW'];
    // URI=%U is appended by the link added to ERR_CACHE_ACCESS_DENIED in Step two
    $uri = isset($_GET['URI']) ? $_GET['URI'] : '/';

    // Run the setuid helper copied in Step nine; its answer comes back
    // through the sasl_get fifo created in Step eight.
    $passvar = popen("/www/auth.dgtalx.net/sasl_auth > sasl_get", 'w');
    if (!$passvar) { echo "login failed"; exit; }
    fputs($passvar, "$php_auth_us $php_auth_pw\n");
    $fo = fopen("sasl_get", "r");
    if (!$fo) { pclose($passvar); echo "login failed"; exit; }
    $readvar = trim(fread($fo, 100));   // the helper answers "OK\n" or "ERR\n"
    fclose($fo);
    pclose($passvar);

    if ($readvar != "OK") {
        echo "login failed";
        exit;
    }

    $host = getenv("HTTP_X_FORWARDED_FOR");   // set by Squid because forwarded_for is on
    // whole-line comparison instead of eregi(), which treated $host as a regex
    $iplist = file_exists("ip_auth") ? file("ip_auth", FILE_IGNORE_NEW_LINES) : array();
    if (in_array($host, $iplist)) {
        echo "IP - $host Access Granted<BR>your ip already logged";
    } else {
        $fp = fopen("ip_auth", 'a');
        fwrite($fp, "$host\n");
        fclose($fp);
        sleep(1);
        system("./squid -k reconfigure");
        header("Location: $uri");   // must be sent before any output
    }
    ?>
    ====================================================

Step eight. Make the fifo node

    $ cd /www/auth.dgtalx.net
    $ mkfifo sasl_get
    $ chmod 660 sasl_get
    $ chown nobody.nobody sasl_get

(This effective user and group must follow your Apache setting.)

Step nine. Copy binary files

    $ cp /usr/local/squid/sbin/squid /www/auth.dgtalx.net/
    $ cp /usr/local/squid/libexec/sasl_auth /www/auth.dgtalx.net/
    $ cd /www/auth.dgtalx.net
    $ chown root.nobody sasl_auth
    $ chown nobody.nobody squid
    $ chmod 4750 sasl_auth
    $ chmod 4750 squid

Step ten. Start Squid

You must start the squid daemon as user nobody (or your Apache effective user):

    $ sudo -u nobody /usr/local/sbin/squid

Step eleven. Add to crontab

The 6 is the IP TTL (the list is cleared at 06:00 every day); this line clears the IP list data (ip_auth).

    $ crontab -e -u nobody

Input this line:

    0 6 * * * echo "127.0.0.1" > /www/auth.dgtalx.net/ip_auth ; /usr/local/squid/sbin/squid -k reconfigure

Complete. Good luck to you.

(I am writing this howto in multiple languages: English, Korean, Japanese.)
http://www.dgtalx.net -> Linux HowTo, check the other languages.
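The whole login decision from the procedure above (helper query through a fifo, then the IP grant into the src ACL file, then the TTL expiry) as POSIX shell functions, added here as an example; it is not part of the howto and not the author's code. The helper is a constructed stand-in named fake_helper that answers the Squid basic-auth helper protocol ("user password" per line in, OK or ERR out) for one made-up account, the ACL file is a temporary file standing in for ip_auth, and the functions is_ipv4, query_helper, grant_ip, expire_acl and login are hypothetical names. It goes beyond auth.php in two places a defender cares about: the address is accepted only if it is a single IPv4 literal, and the "already logged" test is a whole-line match instead of eregi().

```shell
#!/bin/sh
# Added example (not from the howto): the grant flow of auth.php as POSIX shell
# functions, so each step can be exercised without Squid, Apache or the SASL
# helper. fake_helper is a constructed stand-in for sasl_auth that speaks the
# Squid basic-auth helper protocol: "user password" per line in, OK/ERR out.

# Constructed stand-in for the helper: only the made-up account alice/secret passes.
fake_helper() {
  while IFS=' ' read -r user pass; do
    if [ "$user" = "alice" ] && [ "$pass" = "secret" ]; then
      echo OK
    else
      echo ERR
    fi
  done
}

# query_helper USER PASS: run the helper with stdout on a fifo (the howto's
# sasl_get trick from Steps three and eight) and print its first verdict line.
query_helper() {
  dir=$(mktemp -d) || return 1
  mkfifo "$dir/sasl_get"
  # The helper blocks in open() on the fifo until we open it for reading below.
  printf '%s %s\n' "$1" "$2" | fake_helper > "$dir/sasl_get" &
  IFS= read -r verdict < "$dir/sasl_get"
  wait
  rm -rf "$dir"
  printf '%s\n' "$verdict"
}

# is_ipv4 ADDR: accept exactly one dotted-quad literal. auth.php writes the
# X-Forwarded-For value verbatim into Squid's src ACL file; this is the check
# a defender adds first, since that header can be a comma-separated chain or
# arbitrary text when the request did not arrive through the proxy.
is_ipv4() {
  addr=$1
  case "$addr" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# grant_ip ACLFILE ADDR: append ADDR unless already listed. Whole-line match
# (grep -Fx) replaces auth.php's eregi(): 10.0.0.1 no longer "already matches"
# 10.0.0.10, and regex metacharacters in the header are inert.
# Prints granted, already or invalid.
grant_ip() {
  aclfile=$1; addr=$2
  is_ipv4 "$addr" || { echo invalid; return 1; }
  if grep -Fxq -- "$addr" "$aclfile" 2>/dev/null; then
    echo already
  else
    printf '%s\n' "$addr" >> "$aclfile"
    echo granted
    # production: this is where the howto runs "squid -k reconfigure"
  fi
}

# expire_acl ACLFILE: the Step eleven cron job as a function; the list is
# reset to loopback only, so every client must log in again after the TTL.
expire_acl() {
  echo "127.0.0.1" > "$1"
}

# login ACLFILE USER PASS ADDR: the whole auth.php decision in one call.
login() {
  if [ "$(query_helper "$2" "$3")" = OK ]; then
    grant_ip "$1" "$4"
  else
    echo denied
  fi
}

# Demonstration on a constructed ACL file standing in for ip_auth.
ACL=$(mktemp)
expire_acl "$ACL"
login "$ACL" alice secret 192.0.2.10                       # granted
login "$ACL" alice secret 192.0.2.10                       # already
login "$ACL" alice wrong  192.0.2.11                       # denied
login "$ACL" alice secret '192.0.2.12, 10.0.0.1' || true   # invalid: proxy chain
login "$ACL" alice secret '.*' || true                     # invalid: regex, not an IP
cat "$ACL"
rm -f "$ACL"
```

Two things the functions make visible that the PHP hides: X-Forwarded-For is only trustworthy when the request really came through Squid (forwarded_for on), so the auth virtual host should not be reachable except via the proxy, and the URI parameter that auth.php redirects to comes from the deny page link and should likewise be checked to be an http URL before it is used in a Location header.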