Squid_ The Definitive Guide - Duane Wessels [115]
./configure —enable-external-acl-helpers=unix_group
This helper looks for usernames in the Unix group database (e.g., /etc/group file). You specify the groups to check on the helper command line as follows:
external_acl_type unix_group_helper %LOGIN
/usr/local/squid/libexec/check_group -g group1 -g group2 ...
acl AclName external unix_group_helper
Alternatively, you can specify groups on the acl line. This allows you to use the same helper for different groups:
external_acl_type unix_group_helper %LOGIN /usr/local/squid/libexec/check_group
acl AclName1 external unix_group_helper group1 ...
acl AclName2 external unix_group_helper group2 ...
wbinfo_group
./configure —enable-external-acl-helpers=wbinfo_group
This helper is a short Perl script that utilizes the wbinfo program from the Samba package. wbinfo is a client for the winbindd daemon. The script expects a single Unix group name following the username on each request. Thus, you must put a group name on the acl line:
external_acl_type wbinfo_group_helper %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
acl AclName external wbinfo_group_helper group
winbind_group
./configure —enable-external-acl-helpers=winbind_group
This helper, written in C, also queries a winbindd server about group membership of Windows NT usernames. It is based on the winbind helpers for Basic and NTLM authentication. You can specify multiple group names on the acl command line:
external_acl_type winbind_group_helper %LOGIN /usr/local/squid/libexec/wb_check_group
acl AclName external winbind_group_helper group1
group2 ...
Write Your Own
The external ACL interface offers a lot of flexibility. Chances are you can use it to implement almost any access control check not supported by the built-in methods. Writing an external ACL is a two-step process. First, you must decide what request information the helper program needs to make a decision. Place the appropriate keywords on an external_acl_type line, along with the pathname to the helper program. For example, if you want to write an external ACL helper that uses the client's IP address, the user's name, and the value of the Host header, you would write something like:
external_acl_type MyAclHelper %SRC %LOGIN %{Host}
/usr/local/squid/libexec/myaclhelper
The second step is to write the myaclhelper program. It must read the request tokens on stdin, make its decision, then write either OK or ERR to stdout. Continuing with the previous example, this Perl script illustrates how to do it:
#!/usr/bin/perl -wl
require 'shellwords.pl';
$|=1;
while (<>) {
($ip,$name,$host) = &shellwords;
if (&valid($ip,$name,$host)) {
print "OK";
} else {
print "ERR";
}
}
sub valid {
my $ip = shift;
my $name = shift;
my $host = shift;
...
}
Refer to Section 6.1.3 for the list of tokens (%SRC, %LOGIN, etc.) that you can pass from Squid to the helper. Note that when a token contains whitespace, Squid wraps it in double quotes. As the example shows, you can use Perl's shellwords library to parse quoted tokens easily.
Of course, to utilize the external ACL, you must reference it in an acl line. The ACL element is a match whenever the external helper returns OK.
The external ACL helper interface allows you to pass additional information from the helper to Squid (on the OK/ERR line). These take the form of keyword=value pairs. For example:
OK user=hank
Currently, the only keywords that Squid knows about are error and user. If the user value is set, Squid uses it in the access.log. The error value isn't currently used by Squid.
Exercises
Write a fake helper for Basic authentication that always returns either OK or ERR.
Use tcpdump or ethereal to capture some HTTP requests. Decode the authorization credentials.
If you're using NTLM, capture some HTTP requests and attempt a replay attack.
Kill Squid's authentication helper processes one-by-one while running tail -f cache.log.
Find out what happens to your favorite NTLM-based authenticator when it can't communicate with the NT domain controller.
Chapter 13. Log