Squid CAS integration


Squid CAS integration

dario
My institution has been asked to integrate Squid and CAS. We want to integrate Squid and CAS in its simplest way, that is:
1) redirect the navigation to the CAS site,
2) let the user input login/password,
3) then, after successful login, check with PHP all necessary permissions,
4) proceed with Squid Proxy.

I can't understand how to code Squid configuration and PHP helpers.
I have seen here
http://squid-web-proxy-cache.1019090.n4.nabble.com/Need-help-for-ACL-Authentication-web-Form-Cookies-td4555576.html

But I cannot understand how to make it work. Can you please show me a link to a simple example? Or tell me where the sample sources with PHP helpers and SQUID configuration are, in order to have the full example working?

Dario Basset

Dario Basset    [hidden email]
Direzione Servizio bibliotecario d’Ateneo
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid CAS integration

Amos Jeffries
Administrator
On 6/09/19 7:50 pm, Dario Basset wrote:
> My institution has been asked to integrate Squid and CAS. We want to
> integrate Squid and CAS in its simplest way, that is:

Details about this CAS?
 Does it have a specific name?
  "CAS" is like saying "proxy" - it is a type.

 What type(s) of authentication is it doing?
 What APIs does it provide for checking credentials validity?
 What APIs does it provide for initial user login?

Note that all of those 'What ...' questions are plural. Authenticators
tend to have multiple APIs for each activity.


> 1) redirect the navigation to the CAS site,
> 2) let the user input login/password,
> 3) then, after successful login, check with PHP all necessary
> permissions,

FWIW: my advice is to avoid PHP for Squid helpers. That language has
problems keeping helpers running long-term.
 <https://wiki.squid-cache.org/Features/AddonHelpers#What_language_are_helper_meant_to_be_written_in.3F>



> 4) proceed with Squid Proxy.
>
> I can't understand how to code Squid configuration and PHP helpers.
> I have seen here
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Need-help-for-ACL-Authentication-web-Form-Cookies-td4555576.html
>
> But I cannot understand how to make it work. Can you please show me a
> link to simple example?

All the helpers called "fake" are examples of how to write helpers for
their Squid helper interface, which is essentially the same these days
with a (somewhat) unified protocol they all speak.


> Or tell me where the sample sources with PHP
> helpers and SQUID configuration are, in order to have the full example working?
>

Not without the details asked for above. In the conversation you found,
David and I are mentioning BerkeleyDB and SQL helpers. Those are the
"CAS" we use. The squid.conf part is essentially what you see in that
thread.

You will need a helper to access whatever the CAS database is (via any
API it provides for that access).


Amos
Re: Squid CAS integration

dario
Thanks.

->  With CAS I mean the Central Authentication Service, which is supported
here: https://github.com/apereo/cas  or here:
https://www.apereo.org/projects/cas     It is a system for Single Sign On
authentication with Service Tickets, and it is quite used in Universities. We
want to integrate Squid with CAS auth.
The authentication provided by CAS is based on a mechanism which redirects
user navigation to the University CAS site, and proceeds only when credentials
are valid. In this way the site that picks up the credentials is not an
application site, but the University CAS itself. The application that uses
the University CAS simply redirects user navigation to it, and CAS takes
control.

->  Ok for PHP

->  For what concerns Squid helpers, I saw some examples, but most of those
examples are based on never-ending loops that wait for standard input and then
proceed with authentication. In this loop, the credentials are picked up by
the Squid web server. We do not want this. We want credentials to be entered in
our CAS portal system. But I don't know how to code the configuration file for
Squid and the related helpers.


Re: Squid CAS integration

Amos Jeffries
Administrator
On 6/09/19 9:36 pm, Dario Basset wrote:

> Thanks.
>
> ->  With CAS I mean the Central Authentication Service, which is supported
> here: https://github.com/apereo/cas  or here:
> https://www.apereo.org/projects/cas     It is a system for Single Sign On
> authentication with Service Tickets, and it is quite used in Universities. We
> want to integrate Squid with CAS auth.
> The authentication provided by CAS is based on a mechanism which redirects
> user navigation to the University CAS site, and proceeds only when credentials
> are valid. In this way the site that picks up the credentials is not an
> application site, but the University CAS itself. The application that uses
> the University CAS simply redirects user navigation to it, and CAS takes
> control.
>
> ->  Ok for PHP
>
> ->  For what concerns Squid helpers, I saw some examples, but most of those
> examples are based on never-ending loops that wait for standard input and then
> proceed with authentication. In this loop, the credentials are picked up by
> the Squid web server. We do not want this. We want credentials to be entered in
> our CAS portal system. But I don't know how to code the configuration file for
> Squid and the related helpers.

Ah, you are misunderstanding the purpose of the helpers.

In order to handle a client's traffic Squid needs to process the rules
you configured. Sometimes those rules need the answers to questions
Squid cannot answer by itself; e.g. "are the user credentials valid?", or
"should this URL be redirected elsewhere?"

What Squid does then is send a query to the helper which can answer that
question, and the helper responds with OK/ERR (yes or no) and maybe some
parameters Squid can use to continue the processing. To the helper, HTTP
traffic is just an infinite series of "Can I do X?" questions from Squid.


Looking at the CAS documentation, they have helpfully provided a message
flow diagram for how web traffic needs to be handled and authenticated
against the CAS server.

see "Web Flow Diagram" at
 <https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html>

Squid and a URL-redirect helper would be doing the actions in the
"Protected App" column, and generating the 302 responses.

[ It occurs to me, that if you ask about the CAS community you may find
someone who already did this integration and has a Squid helper. Even
though CAS has not been mentioned here before. ]


Your squid.conf would look like this:

 # check every URL to see if 302 redirect is needed
 url_rewrite_program /path/to/your/helper

 # tell the URL helper about any Cookie header (%# = URL-encode the value)
 url_rewrite_extras %#>h{Cookie}

 # do not try to redirect clients visiting the CAS login page
 # (requests to the CAS server bypass the helper; everything else is sent to it)
 acl CAS_server dstdomain cas.example.com
 url_rewrite_access deny CAS_server

 # add a Set-Cookie header supplied by the URL helper (if any)
 # (the helper's cas-cookie_=... kv-pair is stored as an annotation, which the
 #  "note" ACL matches and the %note{} format code reads back)
 acl CAS_cookie note cas-cookie_
 reply_header_add Set-Cookie "%note{cas-cookie_}" CAS_cookie


For every HTTP request Squid handles, it will send your helper one line
ending with a newline (\n) character. That line will contain the URL the
client was trying to visit, followed by the Cookie header(s) straight
from the HTTP message, with URL %-encoding.


The helper needs to respond back with a line containing some values
depending on which of the yellow boxes is happening.

* When there is no CAS Cookie in the ones supplied by Squid (or Squid
cannot deliver any), *and* no CAS ticket on the URL then the first / top
yellow box is happening.
 The helper should produce:

  OK status=302 url=https://cas.example.com/cas/login?service=...

where "..." is the %-encoded value of URL Squid said the client was
trying to fetch. Notice how these details correlate to what the CAS
diagram first column is saying.


* When there is no Cookie etc. and there _is_ a ticket parameter, the
second yellow box has been reached.
 The helper needs to do the background GET request to verify the ticket
with the CAS server: send a GET /serviceValidate request to the CAS server and
process the response to find the value that needs to go into the Set-Cookie header.
 When it has those details it should produce:

  OK status=302 url=... cas-cookie_=BLAH

where "..." is the URL the client was trying to fetch but without the
"ticket=" parameter; and "BLAH" is the string to put in the Cookie header.

NOTE: since Cookie header values contain quotes, whitespace and special
characters the BLAH string should be %-encoded. Squid should decode it
before use.


* When there is a CAS server Cookie and no ticket parameter, the third
(or fourth) yellow box has been reached. The helper should just validate
the cookie.

If the Cookie validates the helper should produce:

  ERR

Despite what the letters may imply this just means not to redirect.

If the Cookie failed to validate, I guess you redirect to the CAS server
login page as per the first yellow box earlier, maybe? The diagram
does not mention that situation.



PS. If you are interested the full details of helper protocol for URL
redirector is at:
 <https://wiki.squid-cache.org/Features/AddonHelpers#URL_manipulation>

Since the Cookie handling could be quite slow, you might want to use the
concurrency channels feature to allow parallel processing by the helper.
Get the helper working with the basics first though.

Amos
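A url_rewrite helper implementing the three cases Amos lists above (and the one-question-per-line OK/ERR model from his earlier reply), as an added example that is not from the thread or from the Squid or CAS projects. It assumes the squid.conf above, a CAS server at the placeholder host cas.example.com, a session cookie named CASPROXY whose value is the user name plus an HMAC under a key held by the helper, and that Squid sends "-" when the request has no Cookie header.

```python
import hmac, hashlib, re, sys, urllib.request
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote, unquote
CAS_BASE = "https://cas.example.com/cas"    # assumed CAS server (placeholder host)
COOKIE = "CASPROXY"                          # assumed name of the session cookie we set
SECRET = b"change-me-to-a-long-random-key"   # assumed HMAC key shared by helper processes

def sign(user):  # stateless session cookie value: user name plus an HMAC over it
    return user + ":" + hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

def cookie_user(cookie_header):
    """Return the user named by a correctly signed CASPROXY cookie, else None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE and hmac.compare_digest(value.encode(), sign(value.split(":")[0]).encode()):
            return value.split(":")[0]
    return None

def split_ticket(url):
    """Strip the ticket= parameter: returns (url without ticket, ticket or None)."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    ticket = next((v for k, v in query if k == "ticket"), None)
    rest = urlencode([(k, v) for k, v in query if k != "ticket"])
    return urlunsplit(parts._replace(query=rest)), ticket

def cas_service_validate(service, ticket):
    """Background GET /serviceValidate; return the cas:user on success, else None."""
    q = urlencode({"service": service, "ticket": ticket})
    with urllib.request.urlopen(CAS_BASE + "/serviceValidate?" + q, timeout=5) as r:
        m = re.search(r"<cas:user>([^<]+)</cas:user>", r.read().decode())
    return m.group(1) if m else None

def decide(line, validate=cas_service_validate):
    """One answer for one Squid query line: '<url> <%-encoded Cookie header or ->'."""
    url, _, cookie = line.strip().partition(" ")
    cookie = unquote(cookie) if cookie not in ("", "-") else ""  # assumed: '-' means no header
    service, ticket = split_ticket(url)
    if cookie_user(cookie):                       # box 3/4: valid cookie, do not redirect
        return "ERR"
    if ticket:                                    # box 2: validate the ticket, then set cookie
        user = validate(service, ticket)
        if user:
            sc = "%s=%s; Path=/; HttpOnly; Secure" % (COOKIE, sign(user))
            return "OK status=302 url=%s cas-cookie_=%s" % (service, quote(sc, safe=""))
    # box 1 (and a bad cookie or ticket): send the client to the CAS login page
    return "OK status=302 url=%s/login?service=%s" % (CAS_BASE, quote(service, safe=""))

if __name__ == "__main__":
    for query in sys.stdin:                       # one query per line, one flushed answer
        print(decide(query), flush=True)
```

The cookie carries no expiry, so a production helper would add a timestamp inside the signed value and reject stale ones.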