LinuxDevCenter.com
oreilly.comSafari Books Online.Conferences.

advertisement

Linux Content

All Articles

Interviews

Linux in the Enterprise

Security Alerts


Linux Topics

Administration

Browsers

Caching

Certification

Community

Database

Desktop

Device Drivers

Devices

Email

Firewalls

Game Development

Getting Started

Kernel

LDAP

Multimedia

Networking

PDA

Programming

Security

Tools

Utilities

Web Design and Development

X Window System


Authentication and Squid
Pages: 1, 2, 3

Contributed authentication modules

The contributed authentication modules are available at http://www.squid-cache.org/related-software.html. At the time of writing, there is a RADIUS authenticator, a modification of the standard LDAP authenticator for non-anonymous servers, and a patch which supports static and dynamic LDAP group look-ups.



How Squid processes authentication

Squid uses sub-processes to process authentication requests to avoid being blocked by slow connections. The authentication sub-processes are connected to Squid by standard Unix pipes and Squid communicates with them via stdin and stdout. The sub-process responds with "OK" or "ERR", depending on the success of the authentication.

Because every request must be authenticated, Squid caches the name/password pairs along with the results from successful authentications for a configurable number of seconds. This enables Squid to send requests for each item on a page, yet require only one authentication from the user's client.

Because of the cache, it is impractical for multiple users to share a login name. Squid uses splay trees to handle the internal cache; these don't respond well to duplicate keys.

Caveats and gotchas

  • Authentication headers are consumed by the first proxy that requires them, and sometimes aren't passed on by proxies that don't need them.

  • The user authentication, ACL, reverses the usual ACL logic. http_access allow localusers acts as if it read http_access deny !localusers.

  • Access control lists have an implicit last line which reverses the rule of the last explicit line.

Final words

Now the boss is off your neck and your proxy authentication is working -- go grab yourself a drink and put your feet up. Unless he's after you to do the next job....

Further reading

Jennifer Vesperman is the author of Essential CVS. She writes for the O'Reilly Network, the Linux Documentation Project, and occasionally Linux.Com.

Return to the Linux DevCenter.

Linux Online Certification

Linux/Unix System Administration Certificate Series
Linux/Unix System Administration Certificate Series — This course series targets both beginning and intermediate Linux/Unix users who want to acquire advanced system administration skills, and to back those skills up with a Certificate from the University of Illinois Office of Continuing Education.

Enroll today!

Recommended for You

Tagged Articles

Be the first to post this article to del.icio.us

Linux Resources
  • Linux Online
  • The Linux FAQ
  • linux.java.net
  • Linux Kernel Archives
  • Kernel Traffic
  • DistroWatch.com


    		•

    Sponsored by: