Groups and authorization SQUID


Groups and authorization SQUID

Edwin Quijada

Hi!
I am a newbie using SQUID and I have a question:

I have 4 different groups in my company each group has access different but I don't know how to create an ACL to give access for each group.


These groups and users are in a remote server that I use with a webservice so with I have created a helper for authorization the problem is how can I do this ACL


Thanks in advance



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Groups and authorization SQUID

Antony Stone
On Friday 08 December 2017 at 22:08:33, Edwin Quijada wrote:

> Hi!
> I am a newbie using SQUID and I have a question :
>
> I have 4 different groups in my company each group has access different

Please explain what "access different" means.

> but I don't know how to create an ACL to give access for each group.
>
>
> These groups and users are in a remote server

What sort of server?  How are the groups defined?

> that I use with a webservice

What does "webservice" mean?

> so with I have created a helper for authorization

Tell us how this helper works.

How does it identify one group from another?

> the problem is how can I do this ACL

No idea, until you give us more information about how your user groups are
differentiated from one another, and what information Squid might have
available to it to be able to treat them differently.


Antony.

--
APL [is a language], in which you can write a program to simulate shuffling a
deck of cards and then dealing them out to several players, in four
characters, none of which appear on a standard keyboard.

 - David Given

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Groups and authorization SQUID

Edwin Quijada


 
On Friday 08 December 2017 at 22:08:33, Edwin Quijada wrote:

> Hi!
> I am a newbie using SQUID and I have a question :
>
> I have 4 different groups in my company each group has access different

Please explain what "access different" means.

The first group has access to 2 pages, the second to 3 different pages, and 3 and 4 to everything

> but I don't know how to create an ACL to give access for each group.
>
>
> These groups and users are in a remote server

What sort of server?  How are the groups defined?

It is a web server

> that I use with a webservice

What does "webservice" mean?
A remote method/function that, when I send user/pass, responds with the group that user belongs to.
I have another method/function/script over HTTP that tells me which group the user belongs to

> so with I have created a helper for authorization

Tell us how this helper works.

I thought that by using a helper for authorization I could restrict the pages used by each member group

How does it identify one group from another?

Uhm... the structures are different; really they are in different tables in my DB that is on the server

> the problem is how can I do this ACL

No idea, until you give us more information about how your user groups are
differentiated from one another, and what information Squid might have
available to it to be able to treat them differently.

Thanks, sorry for my bad English.
I hope the info can answer your question


Antony.

--
APL [is a language], in which you can write a program to simulate shuffling a
deck of cards and then dealing them out to several players, in four
characters, none of which appear on a standard keyboard.

 - David Given

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Groups and authorization SQUID

Antony Stone
On Saturday 09 December 2017 at 15:35:51, Edwin Quijada wrote:

> > On Friday 08 December 2017 at 22:08:33, Edwin Quijada wrote:
> >
> > > I have 4 different groups in my company each group has access different
> >
> > Please explain what "access different" means.
>
> The first group has access to 2 pages, the second to 3 different pages, and
> 3 and 4 to everything

Okay, understood.

> > > These groups and users are in a remote server
> >
> > What sort of server?  How are the groups defined?
>
> It is a web server

Er, okay...

> > > that I use with a webservice
>
> > What does "webservice" mean?
>
> A remote method/function that, when I send user/pass, responds with the
> group that user belongs to. I have another method/function/script over HTTP
> that tells me which group the user belongs to

Okay, I guess it might be possible to get Squid to use ACLs based on the
result of an HTTP request, but I've never seen it done like this before.

Maybe someone else on the list can suggest how this might be made to work.

> > > so with I have created a helper for authorization
> >
> > Tell us how this helper works.
>
> I thought that by using a helper for authorization I could restrict the pages
> used by each member group

Have you created a helper, or not?

If you have created one, please tell us how it works.

> > How does it identify one group from another?
>
> Uhm... the structures are different; really they are in different tables
> in my DB that is on the server

So, you're doing an HTTP request to a web server, which then looks up the user
in a database, and returns a result as an HTTP response...

Surely it would be easier (and quicker / more efficient) to get Squid to
interrogate the database?

> > > the problem is how can i do this ACL

I wouldn't start from there, so I hope someone else here can suggest a way of
getting this to work.


What made you start with this approach in the first place?


Antony.

--
Atheism is a non-prophet-making organisation.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Groups and authorization SQUID

Edwin Quijada





From: squid-users <[hidden email]> on behalf of Antony Stone <[hidden email]>
Sent: Saturday, December 9, 2017 3:57 PM
To: [hidden email]
Subject: Re: [squid-users] Groups and authorization SQUID
 
On Saturday 09 December 2017 at 15:35:51, Edwin Quijada wrote:

> > On Friday 08 December 2017 at 22:08:33, Edwin Quijada wrote:
> >
> > > I have 4 different groups in my company each group has access different
> >
> > Please explain what "access different" means.
>
> The first group has access to 2 pages, the second to 3 different pages, and
> 3 and 4 to everything

Okay, understood.

> > > These groups and users are in a remote server
> >
> > What sort of server?  How are the groups defined?
>
> It is a web server

Er, okay...

> > > that I use with a webservice
>
> > What does "webservice" mean?
>
> A remote method/function that, when I send user/pass, responds with the
> group that user belongs to. I have another method/function/script over HTTP
> that tells me which group the user belongs to

Okay, I guess it might be possible to get Squid to use ACLs based on the
result of an HTTP request, but I've never seen it done like this before.

This part is not a problem for me.

Maybe someone else on the list can suggest how this might be made to work.

> > > so with I have created a helper for authorization
> >
> > Tell us how this helper works.
>
> I thought that by using a helper for authorization I could restrict the pages
> used by each member group

Have you created a helper, or not?
Yes!!

If you have created one, please tell us how it works.

This helper that I created
<?php

$f = fopen("php://stdin", "r");
while (!(feof($f))) {
    $line = fgets($f);
    if ($line) {
        $fields = explode(' ', trim($line));
        $username = rawurldecode($fields[0]);
        $password = rawurldecode($fields[1]);
//
        if ($username=="edwin" &&  $password=="1234")
              fwrite(STDOUT, "OK\n");
        else
             fwrite(STDOUT, "ERR\n");
    }
}
?>
This helper is just for testing, but when I tested it, it doesn't work

> > How does it identify one group from another?
>
> Uhm... the structures are different; really they are in different tables
> in my DB that is on the server

So, you're doing an HTTP request to a web server, which then looks up the user
in a database, and returns a result as an HTTP response...

Surely it would be easier (and quicker / more efficient) to get Squid to
interrogate the database?

> > > the problem is how can i do this ACL

I wouldn't start from there, so I hope someone else here can suggest a way of
getting this to work.


What made you start with this approach in the first place?

Now, I changed the approach, I just want one group for everything and other, localnet restricted, instead of using 4 groups just 2, one for admin, other for


Antony.

--
Atheism is a non-prophet-making organisation.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: Groups and authorization SQUID

Amos Jeffries
Administrator
On 12/12/17 09:48, Edwin Quijada wrote:

>
> ------------------------------------------------------------------------
> *From:* Antony Stone
> On Saturday 09 December 2017 at 15:35:51, Edwin Quijada wrote:
>
>> > On Friday 08 December 2017 at 22:08:33, Edwin Quijada wrote:
>> >
>> > > I have 4 different groups in my company each group has access different
>> >
>> > Please explain what "access different" means.
>>
>> The first group has access to 2 pages, the second to 3 different pages, and
>> 3 and 4 to everything
>
> Okay, understood.
>

FYI: please be aware that HTTP has no concept of "page". That is a human
UI concept. Squid and HTTP deal only with messages about URLs. A "page"
as we know it can be many different transactions and URL messages.

We can get into that more later when you have auth working, just be
aware for now that there is no natural connection between auth
credentials and "page".


>> > > These groups and users are in a remote server
>> >
>> > What sort of server?  How are the groups defined?
>>
>> It is a web server
>
> Er, okay...
>
>> > > that I use with a webservice
>>
>> > What does "webservice" mean?
>>
>> A remote method/function that, when I send user/pass, responds with the
>> group that user belongs to. I have another method/function/script over HTTP
>> that tells me which group the user belongs to
>
> Okay, I guess it might be possible to get Squid to use ACLs based on the
> result of an HTTP request, but I've never seen it done like this before.
>
> This part is not a problem for me.
>
> Maybe someone else on the list can suggest how this might be made to work.
>
>> > > so with I have created a helper for authorization
>> >
>> > Tell us how this helper works.
>>
>> I thought that by using a helper for authorization I could restrict the pages
>> used by each member group
>
> Have you created a helper, or not?
> Yes!!
>
> If you have created one, please tell us how it works.
>
> This helper that I created
> <?php
>
> $f = fopen("php://stdin", "r");
> while (!(feof($f))) {
>      $line = fgets($f);
>      if ($line) {
>          $fields = explode(' ', trim($line));
>          $username = rawurldecode($fields[0]);
>          $password = rawurldecode($fields[1]);
> //
>          if ($username=="edwin" &&  $password=="1234")
>                fwrite(STDOUT, "OK\n");
>          else
>               fwrite(STDOUT, "ERR\n");
>      }
> }
> ?>
> This helper is just for testing, but when I tested it, it doesn't work
>

What are your squid.conf settings using that helper?


FYI: PHP has known problems that prevent it being a successful helper
language most of the time
<https://wiki.squid-cache.org/Features/AddonHelpers#What_language_are_helper_meant_to_be_written_in.3F>

Squid bundles with *_fake_auth helpers you can base your code on when
developing a custom helper. They handle the I/O with Squid properly for
their matching Squid version and should be easily extended for doing
actual auth checks.


>> > How does it identify one group from another?
>>
>> Uhm... the structures are different; really they are in different tables
>> in my DB that is on the server
>
> So, you're doing an HTTP request to a web server, which then looks up
> the user
> in a database, and returns a result as an HTTP response...
>
> Surely it would be easier (and quicker / more efficient) to get Squid to
> interrogate the database?
>
>> > > the problem is how can i do this ACL
>
> I wouldn't start from there, so I hope someone else here can suggest a
> way of
> getting this to work.
>
>
> What made you start with this approach in the first place?
>
> Now, I changed the approach, I just want one group for everything and
> other, localnet restricted, instead of using 4 groups just 2, one for admin,
> other for
>

The weird thing is this use of a web server as an intermediary between
Squid and the actual user/group database. What made you use it in the
first place instead of connecting Squid to the database?

[ I am one of the people who can help you get it to work, but it is only
worth the trouble doing at all if there is a good reason. Auth is a
complex enough topic already just by itself. ]

Amos

Re: Groups and authorization SQUID

Edwin Quijada





From: squid-users <[hidden email]> on behalf of Amos Jeffries <[hidden email]>
Sent: Tuesday, December 12, 2017 1:03 AM
To: [hidden email]
Subject: Re: [squid-users] Groups and authorization SQUID
 
On 12/12/17 09:48, Edwin Quijada wrote:
>
> ------------------------------------------------------------------------
> *From:* Antony Stone
> On Saturday 09 December 2017 at 15:35:51, Edwin Quijada wrote:
>
>> > On Friday 08 December 2017 at 22:08:33, Edwin Quijada wrote:
>> >
>> > > I have 4 different groups in my company each group has access different
>> >
>> > Please explain what "access different" means.
>>
>> The first group has access to 2 pages, the second to 3 different pages, and
>> 3 and 4 to everything
>
> Okay, understood.
>

FYI: please be aware that HTTP has no concept of "page". That is a human
UI concept. Squid and HTTP deal only with messages about URLs. A "page"
as we know it can be many different transactions and URL messages.

We can get into that more later when you have auth working, just be
aware for now that there is no natural connection between auth
credentials and "page".

OK, I understand. My problem then is that when Squid shows the authorization screen I enter the credentials but it doesn't work.
This is a simple helper but it doesn't work; it continues to ask me for user/pass


> This helper that I created
> <?php
>
> $f = fopen("php://stdin", "r");
> while (!(feof($f))) {
>      $line = fgets($f);
>      if ($line) {
>          $fields = explode(' ', trim($line));
>          $username = rawurldecode($fields[0]);
>          $password = rawurldecode($fields[1]);
> //
>          if ($username=="edwin" &&  $password=="1234")
>                fwrite(STDOUT, "OK\n");
>          else
>               fwrite(STDOUT, "ERR\n");
>      }
> }
> ?>
> This helper is just for testing, but when I tested it, it doesn't work
>

What are your squid.conf settings using that helper?

#acl manager proto cache_object
http_port 3128
cache_dir ufs /var/spool/squid3 2048 16 256
maximum_object_size 100 MB
cache_swap_low 90
cache_swap_high 95

#--------------- Authorization rules -------------
auth_param basic program  /usr/bin/php /root/squid_helper2.php
auth_param basic children 20
auth_param basic realm Proxy Quijada Usuario Y Clave
auth_param basic credentialsttl 5 hours
#----------------------------------------------------
#------------- Access ACLs for the users ------
#----------------------------------------------------
#
#
acl AuthenticatedUsers proxy_auth REQUIRED
http_access allow AuthenticatedUsers
#-------------------- Port ACLs --------------------
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

#---------------------- DEFAULT HTTP ACCESS -------------
#http_access allow manager localhost
#http_access deny manager
#http_access deny !Safe_ports

#http_access deny to_localhost
#icp_access deny all
#htcp_access deny all

#---------------------- USER HTTP_ACCESS RULES ---------


#======================================================================

#Suggested default:
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .               0       20%     4320




FYI: PHP has known problems that prevent it being a successful helper
language most of the time
<https://wiki.squid-cache.org/Features/AddonHelpers#What_language_are_helper_meant_to_be_written_in.3F>


Squid bundles with *_fake_auth helpers you can base your code on when
developing a custom helper. They handle the I/O with Squid properly for
their matching Squid version and should be easily extended for doing
actual auth checks.


>> > How does it identify one group from another?
>>
>> Uhm... the structures are different; really they are in different tables
>> in my DB that is on the server
>
> So, you're doing an HTTP request to a web server, which then looks up
> the user
> in a database, and returns a result as an HTTP response...
>
> Surely it would be easier (and quicker / more efficient) to get Squid to
> interrogate the database?
>
>> > > the problem is how can i do this ACL
>
> I wouldn't start from there, so I hope someone else here can suggest a
> way of
> getting this to work.
>
>
> What made you start with this approach in the first place?
>
> Now, I changed the approach, I just want one group for everything and
> other, localnet restricted, instead of using 4 groups just 2, one for admin,
> other for
>

The weird thing is this use of a web server as an intermediary between
Squid and the actual user/group database. What made you use it in the
first place instead of connecting Squid to the database?

It is just because the database is on another server and this DB doesn't have external access. This server just has an API responding to requests, so I want to use this for authorization. I can't connect directly to the DB

[ I am one of the people who can help you get it to work, but it is only
worth the trouble doing at all if there is a good reason. Auth is a
complex enough topic already just by itself. ]

Thanks for your help, I will continue trying to authorize with Squid


Amos
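
The helper I/O discussed in this thread, as an added example that is not part of any poster's message and not Squid's own code: one Python script that answers the basic-auth request line (`user password`, URL-encoded) and, in a second mode, an external ACL group check, writing and flushing exactly one reply per request. The `USERS` table, `lookup()`, the helper path and the ACL names are assumptions; `lookup()` stands in for the remote web service.

```python
#!/usr/bin/env python3
"""Squid helper sketch: basic auth and group lookup over stdin/stdout.

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  auth_param basic program /usr/local/bin/squid_helper.py auth
  external_acl_type grp %LOGIN /usr/local/bin/squid_helper.py group
  acl AuthenticatedUsers proxy_auth REQUIRED
  acl admins external grp admin
"""
import hmac
import sys
from urllib.parse import unquote

# Constructed sample data standing in for the remote user/group service.
USERS = {"alice": ("correct horse", "admin"), "bob": ("s3cret pw", "staff")}


def lookup(user):
    """Return (password, group) or None; replace with the real API call."""
    return USERS.get(user)


def check_auth(line):
    """Basic auth request: 'user password', each field URL-encoded."""
    parts = line.split(" ")
    if len(parts) != 2:
        return "ERR"  # malformed request: fail closed
    user, password = (unquote(p) for p in parts)
    rec = lookup(user)
    # Constant-time comparison of the stored and supplied password.
    if rec and hmac.compare_digest(rec[0].encode(), password.encode()):
        return "OK"
    return "ERR"


def check_group(line):
    """External ACL request: '%LOGIN group [group ...]', URL-encoded."""
    parts = [unquote(p) for p in line.split(" ") if p]
    if len(parts) < 2:
        return "ERR"
    rec = lookup(parts[0])
    return "OK" if rec and rec[1] in parts[1:] else "ERR"


def serve(handler, stdin=sys.stdin, stdout=sys.stdout):
    """Answer one line per request until Squid closes stdin."""
    for raw in stdin:
        stdout.write(handler(raw.rstrip("\r\n")) + "\n")
        stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "auth"
    serve(check_group if mode == "group" else check_auth)
```

Either mode can be checked by hand before wiring it into squid.conf: run the script in a terminal, type a request line, and confirm a single `OK` or `ERR` comes back immediately.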

Re: Groups and authorization SQUID

Amos Jeffries
Administrator
Why are you just re-posting what I already posted, but with your name on
it as author?

Amos

Re: Groups and authorization SQUID

Edwin Quijada

I answered the comments that you wrote, I think




From: squid-users <[hidden email]> on behalf of Amos Jeffries <[hidden email]>
Sent: Wednesday, December 13, 2017 2:55 AM
To: [hidden email]
Subject: Re: [squid-users] Groups and authorization SQUID
 
Why are you just re-posting what I already posted, but with your name on
it as author?

Amos