Squid: Bind Username to IP Address


hauwkim
05-04-2007, 08:16 AM
I have a Squid box running CentOS 4.
Internal IP address 10.0.0.0/24

Is it possible to bind Squid users (authenticated using ncsa) to the IP address?
I did some googling and tried the following

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY


auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf <---added this line

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl localnet src 10.0.0.0/24
acl clientips src 10.0.0.0/24
acl ncsa_users proxy_auth REQUIRED
acl ip_users external ip_users %SRC %LOGIN <---added this line

acl CONNECT method CONNECT

http_access allow ip_users <----added this
http_access allow ncsa_users localnet
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid



and I created /etc/squid/ip.conf
10.0.0.30 human

added the username and password through htpasswd

and it managed to kill my Squid :eek:

FATAL: Bungled squid.conf line 38: acl ip_users external ip_users %SRC %LOGIN
Squid Cache (Version 2.5.STABLE6): Terminated abnormally.


:confused:

Any ideas ... thanks in advance

MastaShake57
05-04-2007, 11:18 AM
external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
acl ip_users external ip_users %SRC %LOGIN

Did you notice that one is singular and the other is plural?

hauwkim
05-05-2007, 06:08 AM
I see @@
no wonder it killed my Squid LOL

thanks for the tip (I think I am overworked :P)

yes "mastar" .... ;P

hauwkim
05-05-2007, 08:01 AM
funny ... still unable to start Squid

ok, correct me if I am wrong
the tag name external_acl_type can be used to tag a Squid user to its IP address (source IP address), right?

by adding external_acl_type ip_user %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/ip.conf
it will force Squid to check the ip.conf file for the user and its IP address

acl ip_users external ip_user %SRC %LOGIN
will define the extra ACL to check after Squid authenticates the user using ncsa_auth (I remember reading somewhere that the sequence of the ACL statements matters)

whereas
http_access allow ip_user
will allow only the users defined in ip_user to access the internet

so now I am really puzzled
what else could go wrong???
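To make the helper side of this concrete, here is a small Python re-implementation of what the thread's `ip_user_check -f /etc/squid/ip.conf` lookup does. It is an added example written for this thread, not Squid's own helper (the real helper's option handling and file syntax may differ; the exact "IP and username must both match" rule, the `-f` option and the case-insensitive username comparison are my assumptions). It follows the classic external_acl_type helper protocol: Squid writes one line per lookup made of the configured format fields (here `%SRC %LOGIN`) and the helper answers `OK` or `ERR` on stdout, one reply per line. The sample ip.conf contents are constructed.

```python
#!/usr/bin/env python3
"""Minimal external_acl helper for an "<ip> <user>" binding file.

Constructed example, not Squid's ip_user_check. Protocol assumed: one
"%SRC %LOGIN" line per lookup on stdin, one "OK"/"ERR" line per lookup on
stdout, flushed immediately because Squid waits for each reply.
"""
import sys
from typing import Dict, Set

# Constructed sample in the same "<ip> <user>" layout as the thread's ip.conf.
SAMPLE_IP_CONF = """\
# ip         user
10.0.0.30    human
10.0.0.31    alice
10.0.0.31    bob
"""


def parse_ip_conf(text: str) -> Dict[str, Set[str]]:
    """Map each source IP to the set of usernames permitted from it.

    Blank lines and '#' comments are ignored; any other malformed line is a
    hard error so a typo in the file cannot silently widen the ACL.
    """
    table: Dict[str, Set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"ip.conf line {lineno}: expected '<ip> <user>', got {raw!r}")
        ip, user = parts
        # The thread's squid.conf has 'auth_param basic casesensitive off',
        # so usernames are compared case-insensitively here (a design choice).
        table.setdefault(ip, set()).add(user.lower())
    return table


def is_bound(table: Dict[str, Set[str]], src: str, login: str) -> bool:
    """True only when this exact (source IP, username) pair is listed."""
    return login.lower() in table.get(src, set())


def answer(table: Dict[str, Set[str]], request_line: str) -> str:
    """Turn one "%SRC %LOGIN" request line into the helper's OK/ERR reply.

    Anything that is not exactly two fields is answered ERR: an
    access-control helper should fail closed on input it does not understand.
    """
    fields = request_line.split()
    if len(fields) != 2:
        return "ERR"
    src, login = fields
    return "OK" if is_bound(table, src, login) else "ERR"


def serve(table: Dict[str, Set[str]], inp=sys.stdin, out=sys.stdout) -> None:
    """Helper main loop: one reply per input line, flushed after each one.

    If the reply stays in a stdio buffer, Squid's lookup never completes and
    every request depending on the ACL hangs.
    """
    for line in inp:
        out.write(answer(table, line) + "\n")
        out.flush()


if __name__ == "__main__":
    # Mirrors the thread's invocation: <helper> -f /etc/squid/ip.conf
    path = sys.argv[2] if len(sys.argv) == 3 and sys.argv[1] == "-f" else None
    if path:
        with open(path) as fh:
            serve(parse_ip_conf(fh.read()))
    else:
        serve(parse_ip_conf(SAMPLE_IP_CONF))
```

Run it with `-f /path/to/ip.conf` and type `10.0.0.30 human` on stdin to see `OK`, or any unlisted pair to see `ERR`. Note that the helper only answers the question "is this pair listed?"; whether a non-listed pair is then denied or allowed is decided entirely by the order of the `http_access` lines in squid.conf.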

hauwkim
05-16-2007, 09:11 AM
I changed
http_access allow ip_user

to

http_access allow ip_users

so stupid of me
meaning I declared ip_users but I allow ip_user :o

that did it, thanks for all the help :cool:

especially MastaShake57 (you were right :D )

stefas
05-17-2007, 08:03 AM
Thank you guys, this was just what I was looking for... ???

Just one question ?

This rule affects the usernames you have in the ip.conf file ONLY, isn't it ???

Sorry for the question, I don't wanna try this on a live server with 300 users on it !!!

Thank You

hauwkim
05-17-2007, 03:59 PM
let's say you have the following statements in your squid.conf (without the numbers)

1. http_access allow ncsa_users
2. http_access allow ip_users

1 before 2 will mean all ncsa_users in squid_passwd will be allowed to access the internet. The 2nd line, '2', will make sure certain users stated in ip.conf are bound to a particular IP in the same file. Therefore 1 before 2 will only impact the usernames you have in ip.conf.

If 2 before 1, it will first match the corresponding IP in ip.conf to its respective user before allowing the remaining users authenticated by ncsa_auth access to the internet. In this case it will still impact the usernames you have in ip.conf.

what am I talking about :confused:
anyway everybody will still be able to access the internet happily
only certain usernames are bound to certain IP addresses


I hope this helps and it does not confuse you even further

stefas: welcome to Just Linux. If you would explain why you need such a configuration maybe I might be able to help. I admit I'm no expert but I'm willing to try :D
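The ordering question in the post above can be checked without touching a live proxy by simulating Squid's `http_access` evaluation: a line matches when every ACL on it matches, the first matching line decides, and if no line matches the opposite of the last line's action applies. The Python below is an added example written for this thread, not Squid code and not something the thread tested. The ACL names and the first rule list copy the thread's squid.conf; the constructed data stands in for squid_passwd and ip.conf. The `bound_users` ACL (which would be `acl bound_users proxy_auth human` in squid.conf) and the `HARDENED_RULES` list are my assumptions, added to show the practical caveat: with allow-only lines, a user listed in ip.conf who connects from a different local address is still let through by the `ncsa_users localnet` line, so the binding becomes a restriction only once a deny line refers to it. The simulation assumes the request is already authenticated; real Squid would first send a 407 challenge before any `proxy_auth` or `%LOGIN` ACL can be evaluated.

```python
#!/usr/bin/env python3
"""Simulation of Squid's first-match http_access evaluation.

Constructed example for this thread, not Squid code. The 'bound_users' ACL
and HARDENED_RULES are additions for illustration, not from the thread.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed data standing in for the thread's files.
IP_CONF = {("10.0.0.30", "human")}        # (src, login) pairs listed in ip.conf
PASSWD_USERS = {"human", "alice"}          # usernames present in squid_passwd
LOCALNET = ipaddress.ip_network("10.0.0.0/24")

# Each ACL is a predicate over (source IP, authenticated login).
ACLS: Dict[str, Callable[[str, str], bool]] = {
    "ip_users": lambda src, login: (src, login) in IP_CONF,            # external ip_user_check
    "ncsa_users": lambda src, login: login in PASSWD_USERS,            # proxy_auth REQUIRED
    "localnet": lambda src, login: ipaddress.ip_address(src) in LOCALNET,
    "bound_users": lambda src, login: login in {u for _, u in IP_CONF},  # assumed: proxy_auth <names>
    "all": lambda src, login: True,
}

Rule = Tuple[str, List[str]]  # ("allow" | "deny", ["acl", "!acl", ...])

# The thread's final working order.
THREAD_RULES: List[Rule] = [
    ("allow", ["ip_users"]),
    ("allow", ["ncsa_users", "localnet"]),
    ("deny", ["all"]),
]

# Assumed variant: refuse a listed user who shows up from any IP other than the listed one.
HARDENED_RULES: List[Rule] = [
    ("deny", ["bound_users", "!ip_users"]),
    ("allow", ["ncsa_users", "localnet"]),
    ("deny", ["all"]),
]


def term_matches(term: str, src: str, login: str) -> bool:
    """Evaluate one ACL reference, honouring Squid's '!' negation."""
    negate = term.startswith("!")
    result = ACLS[term.lstrip("!")](src, login)
    return (not result) if negate else result


def http_access(rules: List[Rule], src: str, login: str) -> bool:
    """First matching line decides; all ACLs on a line must match.

    If no line matches, Squid applies the opposite of the last line's action.
    Returns True for allow, False for deny.
    """
    for action, terms in rules:
        if all(term_matches(t, src, login) for t in terms):
            return action == "allow"
    return rules[-1][0] != "allow"


def compare(src: str, login: str) -> Tuple[bool, bool]:
    """Decision under the thread's order and under the hardened order."""
    return http_access(THREAD_RULES, src, login), http_access(HARDENED_RULES, src, login)


if __name__ == "__main__":
    cases = [("10.0.0.30", "human"), ("10.0.0.40", "human"),
             ("10.0.0.40", "alice"), ("192.168.1.5", "alice")]
    print(f"{'src':<12} {'login':<6} thread   hardened")
    for src, login in cases:
        thread, hardened = compare(src, login)
        print(f"{src:<12} {login:<6} {'allow' if thread else 'deny':<8} "
              f"{'allow' if hardened else 'deny'}")
```

Running it prints one row per case: `human` from 10.0.0.30 is allowed under both orders, `human` from 10.0.0.40 is allowed under the thread's order but denied under the hardened one, `alice` (not listed in ip.conf) is allowed from anywhere in localnet under both, and anyone outside 10.0.0.0/24 is denied by the final `deny all`. Before changing a production squid.conf, a practitioner would want to run the same kind of table against the real rule list with `squid -k parse` for syntax and a test client for semantics.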

stefas
05-29-2007, 05:48 AM
Thank You.

It just worked fine for a week and then for an unknown reason it stopped working... Still looking for it... Anyone know where I could see error reports for this ???

hauwkim
06-02-2007, 02:27 AM
Detailed logs will be at
/var/log/squid/"a lot here"
/var/log/messages

hope it helps