[CentOS] Binding an ip address to an username with SQUID password file

Sat Mar 24 16:23:46 UTC 2007
kalinix <calin.kalinix.cosma at gmail.com>

On Sat, 2007-03-24 at 12:06 +0530, Indunil Jayasooriya wrote:
> Hi List, 
> I want to bind an ip address to a username with squid by using squid
> password file. 
> I am using ncsa_auth programme. Below are the lines that I have added to
> squid.conf file. 
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> acl ncsa_users proxy_auth REQUIRED
> http_access allow ncsa_users 
> We are currently browsing internet with usernames and passwords. But
> the problem is a user can access internet from all the workstation
> with his username and password. I do not need it. I only want a user
> to access internet from his machine. 
> Solution to that is binding an ip address to an username. Then, A user
> can access internet from that particular ip. 
> I searched a lot from the internet. I found some info. I tried a lot.
> But I still have not been able to solve this issue. 
> Some info I found from the Internet says perl script can do it. 
> pls see below URLs for it. 
> http://iits.uap.edu.ph/~jpira/footnotes/squid.html
> http://www.visolve.com/squid/squid30/externalsupport.php
> Pls note that I am not a programmer. So I do not know any perl nor do
> I know any python stuff.
> So I do not want to go with above urls. 
> But, I found an easy method from squid list. Pls see below URLS . 
> http://www.squid-cache.org/mail-archive/squid-users/200208/0033.html
> http://www.squid-cache.org/mail-archive/squid-users/200208/0029.html
> These above URLS are fine for me. The above URLS say,
> put the IP add in squid passwd
> I did it. Pls see below for my squid_passwd file. 
> [root at worldnet ~]# cat /etc/squid/squid_passwd
> indunil:TeiAQ3uqXDQNg:
> www:Oi4THedCcN0nQ 
> web:qsTaT6v2loN5g
> It has bound user indunil to ip address . 
> But user  indunil still can access internet from any ip . Why is that?
> Where did I go wrong? 
>  I think that it is an easy task. 
> Pls help me to solve this issue. It is urgent. 
> -- 
> Thank you
> Indunil Jayasooriya

You should check whether you have ip_user_check (locate ip_user_check).
Normally it comes with squid installation, on CentOS it should be
in /usr/lib/squid/.

Then you may want to generate a config file, which should contain the
list of ips and users (like <IP> <USER>).

Then you should add a line in your squid config file (e.g. ip.txt):
external_acl_type IP_USER %SRC %LOGIN /usr/lib/squid/ip_user_check -f /path/to/config/file/ip.txt

After ncsa acl you should define a new acl like this:

acl IP_USER external IP_USER %SRC %LOGIN

Once this has completed you may want to rewrite the rules, like:

http_access deny !ncsa_users
http_access deny !IP_USER
http_access allow IP_USER
http_access allow ncsa_users

You can check the ip_user_check after you created the config file from a
command line, issuing the command:

/usr/lib/squid/ip_user_check -f /path/to/config/file/ip.txt

Then if you type the right pair ip user you will get an OK message and
if you have a wrong pair you will get an ERR message.

For further reading:


(the code might be a little fuzzy)


http://linuxportal.ru/forums/index.php/m/31853/#msg_31853 (is in
russian, but the code is still in english :D )



Appendix: A portion of a book, for which nobody yet has discovered any
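
The following is an added example, not part of the original message and not the code of ip_user_check: a Python sketch of what an external ACL helper of this kind does with the `%SRC %LOGIN` lines Squid sends it, answering OK or ERR per line as in the command-line test described in the reply. The function names, the sample addresses and the comment syntax in the pairs file are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Sketch of a Squid external ACL helper for '<IP> <USER>' pairs (added example)."""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed sample mapping, in the '<IP> <USER>' layout the reply describes.
SAMPLE_MAP = """\
# workstation    user
192.168.1.10     indunil
192.168.1.11     www
192.168.1.12     web
"""

def load_pairs(text):
    """Parse '<IP> <USER>' lines into {ip_address: {lowercased users}}."""
    pairs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # '#' comments are an assumption
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<IP> <USER>'")
        ip = ipaddress.ip_address(fields[0])    # rejects malformed addresses
        pairs.setdefault(ip, set()).add(fields[1].lower())
    return pairs

def check(pairs, request):
    """Answer one '%SRC %LOGIN' request line with 'OK' or 'ERR'."""
    fields = request.split()
    if len(fields) != 2:
        return "ERR"                            # malformed input fails closed
    try:
        src = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"
    # Assumption: values arrive URL-escaped (Squid's default helper encoding).
    # Lowercasing mirrors 'auth_param basic casesensitive off' in the quoted config.
    user = unquote(fields[1]).lower()
    return "OK" if user in pairs.get(src, ()) else "ERR"

def serve(pairs, stdin=sys.stdin, stdout=sys.stdout):
    """Helper loop: one request per line in, one verdict per line out."""
    for request in stdin:
        stdout.write(check(pairs, request) + "\n")
        stdout.flush()                          # Squid waits for each reply

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:               # path to the pairs file
        serve(load_pairs(fh.read()))
```

Run by hand with a pairs file as its only argument, it reads `IP USER` lines from standard input and prints one verdict per line, which is the same way the reply suggests testing ip_user_check.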