Hi,
Let me first introduce myself and describe the context of my request.
I work as a developer for a company that extensively uses squid to restrict
and control its HTTP/FTP access to the Internet. They feel the need to add a
new functionality in squid that consists in returning an HTML page to a
user, the first time he tries to connect to the Internet.
Attached to this mail is a patch I made. It is based on the
squid-2.4.PRE-STABLE version.
As I am new to squid I do not know if the way I developed the functionality
is right and if it doesn't interfere with other mechanisms in the product.
I would really appreciate comments on it.
The simplest way I found to make it was to use the proxy authentication
mechanism: as this mechanism keeps a context in memory for each
authenticated user, we can easily detect if the page has already been
returned or not to the user.
I think that the most critical point is the configuration aspect.
Configuration will influence both the product behaviour and the code
development. Different possibilities can be used to configure the
functionality:
- adding a new kind of "proxy_auth" acl,
- adding a new kind of "http_access" tag,
- adding a special parameter to the "proxy_auth" acl (which is what I did).
The problem was to block an allowed request ("http_access allow") only
the first time a user gets authenticated ("acl password proxy_auth"):
http_access, proxy_auth, and user are objects used at three different
levels.
The patch is quite simple; the main additions are:
- a global variable (const char *RequestBlockingAclMatchedName;) which is:
    - set to NULL (in aclMatchAclList)
    - assigned to the proxy_auth rule name that blocked the request
      (in aclMatchAcl)
    - checked (in clientAccessCheckDone) when the answer is ACCESS_ALLOWED
- an integer in the _acl_proxy_auth_user structure
  (int request_blocking_done;) used to know if the first request has already
  been blocked (plus time_t validatedtime; used to control the duration of
  the blocking period)
- a flag in the _acl structure (acl_flags flags;): it is used with
  proxy_auth acl and set to FLAG_ACL_REQUEST_BLOCKING when the parameter
  "BLOCK" is present in the proxy_auth parameters.
USAGE:
To use the functionality, you have to add "BLOCK" to the parameters of the
desired proxy_auth acl:
    acl password proxy_auth REQUIRED BLOCK
Customisation is made by adding the following lines:
    blocking_info FRONT_PAGE password
    blocking_ttl 5 seconds
LIMITS:
The following rules will cause the user to be erroneously marked as if he had
received the page:
    http_access deny password
    http_access allow password rule2 (if rule2 fails!)
I already have ideas on how to avoid those mistakes but as they are not
grave, there is no hurry to complicate things!
Thanks
Sebastien.
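
Added example (not part of the mail above or of the attached patch): a simplified C model of the two LIMITS cases, assuming the per-user flag is set as a side effect of the ACL match (eager=1), next to one possible alternative that sets it only once the request is finally allowed (eager=0). Every type and function name other than RequestBlockingAclMatchedName and request_blocking_done is hypothetical, and blocking_ttl is left out of the model.

```c
#include <stddef.h>

/* Simplified model, not Squid source. Identifiers the mail does not give are hypothetical. */
typedef struct { int request_blocking_done; } auth_user;   /* per-user context */
typedef struct { int allow; int rule2_ok; } access_rule;   /* "password" [AND rule2] */

static const char *RequestBlockingAclMatchedName;          /* global named in the mail */

/* proxy_auth ... BLOCK match; eager=1 marks the user here, at match time. */
static int match_password(auth_user *u, int eager) {
    if (!u->request_blocking_done) {
        RequestBlockingAclMatchedName = "password";
        if (eager) u->request_blocking_done = 1;
    }
    return 1;                       /* assumption: credentials are valid */
}

/* Walks the rules; returns 1 when the front page is served for this request. */
static int check_request(auth_user *u, const access_rule *r, size_t n, int eager) {
    for (size_t i = 0; i < n; i++) {
        RequestBlockingAclMatchedName = NULL;              /* reset per ACL list */
        if (!(match_password(u, eager) && r[i].rule2_ok)) continue;
        if (!r[i].allow) return 0;                         /* denied: no page */
        if (RequestBlockingAclMatchedName == NULL) return 0; /* allowed, page already seen */
        u->request_blocking_done = 1;                      /* marked at decision time */
        return 1;
    }
    return 0;
}

/* Constructed config: allow password rule2 (rule2 fails); allow password. */
int first_request_gets_page(int eager) {
    auth_user u = {0};
    access_rule rules[] = { {1, 0}, {1, 1} };
    return check_request(&u, rules, 2, eager);
}

/* Constructed config: deny password. Returns the user's flag afterwards. */
int marked_after_deny(int eager) {
    auth_user u = {0};
    access_rule rules[] = { {0, 1} };
    check_request(&u, rules, 1, eager);
    return u.request_blocking_done;
}
```

With eager=1 the user is flagged while the first rule is still being evaluated, so the later matching rule lets the request through without the page; with eager=0 the flag changes only when the page is actually returned.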