Wed, 30 Aug 2006:

Thanks to all my Firefox proxy.pac DNS irritations, I finally decided to ditch my ssh -D SOCKS proxy for a tunnel into a squid. While I set up the firewall and enough protection for the proxy, I wanted to enable password protection on it. But basic authentication is not much of a protection by itself, and I didn't want to create a dummy user in the system just for this. So I wrote my own squid authenticator - a simple enough task in hindsight.

If you inspect your default squid.conf, you'll find a line somewhat like the one below. This is your authenticator hook: an external program which reads lines of the form "username password" on stdin and writes back either "OK" or "ERR" for each one.

auth_param basic program  <uncomment and complete this line>

Now that I knew how the authentication works, it was as easy as pi. A simple enough script in whatever language you're comfortable with will do - I prefer python over perl, so this sample's in py.

#!/usr/bin/python
import sys, re

# squid hands the helper one "username password" line per login attempt
LINE_PAT = re.compile(r"([a-z_]*) (.*)\n")

def authenticate(user, pw):
    # Replace this with your own check (see below); the default denies
    # everyone, so a forgotten edit fails closed rather than open.
    return False

u = sys.stdin.readline()
while u:
    m = LINE_PAT.match(u)
    if m:
        (user, pw) = m.groups()
        if authenticate(user, pw):
            print("OK")
        else:
            print("ERR")
    else:
        # malformed line (no space, or a username outside [a-z_]): deny
        print("ERR")
    # squid blocks on the reply, so flush after every line
    sys.stdout.flush()
    u = sys.stdin.readline()

sys.exit(0)

Define your own version of authenticate; for example, mine accepts a password of the form "<fixed>.<OTP>", where the OTP is regenerated every 4 hours (not a very secure channel for transmitting it, but it works). You could probably build something similar to what RSA keycards use, which is basically the same principle.
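One way to fill in authenticate for that "<fixed>.<OTP>" scheme, written as an added example in Python 3 rather than the post's own code: the OTP is a truncated HMAC over the current 4-hour window number, and both halves are checked with constant-time compares. The user table, secret, digit count and the `now` parameter (there so the window can be pinned in tests) are assumptions, not part of the original.

```python
#!/usr/bin/env python3
import hashlib
import hmac
import sys
import time

WINDOW = 4 * 3600   # OTP lifetime in seconds, per the scheme above
OTP_DIGITS = 6

# Constructed sample store: user -> (fixed password part, per-user OTP secret).
USERS = {
    "alice": ("correct-horse", b"alice-shared-secret"),
}

def otp_for(secret, now):
    """OTP for the 4-hour window containing `now`: truncated HMAC-SHA256 of the window number."""
    window = int(now // WINDOW)
    mac = hmac.new(secret, window.to_bytes(8, "big"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return "%0*d" % (OTP_DIGITS, code % 10 ** OTP_DIGITS)

def authenticate(user, pw, now=None):
    """True only if both the fixed part and the current-window OTP match."""
    now = time.time() if now is None else now
    fixed, sep, otp = pw.rpartition(".")
    entry = USERS.get(user)
    if entry is None or not sep:
        return False
    want_fixed, secret = entry
    # constant-time compares: a wrong first byte must not fail faster than a wrong last byte
    ok_fixed = hmac.compare_digest(fixed.encode(), want_fixed.encode())
    ok_otp = hmac.compare_digest(otp.encode(), otp_for(secret, now).encode())
    return ok_fixed and ok_otp

def handle_line(line, now=None):
    """Map one 'user password' line from squid to the OK/ERR reply."""
    parts = line.rstrip("\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR"
    return "OK" if authenticate(parts[0], parts[1], now) else "ERR"

if __name__ == "__main__":
    # squid keeps the helper running and sends one line per login attempt
    for line in sys.stdin:
        print(handle_line(line), flush=True)
```

Check your Squid version's helper protocol before dropping this in: if it URL-encodes the credentials before passing them, decode them first.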

auth_param basic program  /usr/local/bin/sq_custom_auth
acl password proxy_auth REQUIRED
# password protected
http_access allow password

Voila, you have squid authentication that doesn't need a system account. Of course, there are more proper ways of doing this - like backing it with MySQL, LDAP or even RADIUS. But for a non-sysadmin like me, it needn't scale or be absolutely bulletproof. It probably took me much less time to do this than to write out this blog entry. But I wrote this so that sometime later, I can come back and look at it instead of remembering how to do this.

--
Always think of something new; this helps you forget your last rotten idea.
               -- Seth Frankel

posted at: 08:23 | path: /hacks