This work aims at implementing an extensible external acl scheme for Squid,
driven by helpers.
Note: This project has been finished and is now part of the mainline Squid sources
since Squid 2.5.STABLE1. Because of this, these pages are no longer actively
updated and may differ slightly from the functionality found in Squid. The authoritative source for configuration syntax etc. is the squid.conf.default documentation. These pages are kept for a while as a historic reference.
This allows the implementation of, among other things:
- Groups
- by querying whether the user belongs to a given group
- Complex authorization checks
- for example by combining userid + IP and making sure the user is using his assigned IP address.
- and many more
Contents
- Guidelines
- Basic guidelines by which this is designed
- Configuration
- Description of the configuration syntax
Available helpers using the interface
- ident lookups
- The external_acl_fuzzy patch includes an ident lookup helper. Together with the patch this provides the capability of per-source-IP ident lookups.
- check_ncp_group by Vincent Gardien
- Checks membership of Novell users in specified Novell groups using the NCP stack provided by ncptools. This works with real Novell servers 4.x and 5.x, with and
without IPX support.
- wbinfo_group by Jerry Murdock
- Checks Windows NT group membership through the winbind wbinfo command (a Perl wrapper)
- LDAP Group by MARA Systems AB
- Allows you to control users' access based on LDAP group memberships
- check_group by Rodrigo Campos.
- Allows you to control users' access based on UNIX group memberships
- ip_user by Rodrigo Campos.
- Allows you to restrict users to their specific IP addresses based on a simple file listing the users and their IP address/network.
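To show what a helper driven by this interface looks like, here is an added illustration in Python in the style of ip_user (it is not one of the helpers listed above and not code from the Squid distribution). It reads one request line per lookup built from an assumed `%LOGIN %SRC` format, answers `OK` or `ERR`, returns the login as a `user=` keyword so an ext_user acl can match on it, and optionally echoes the channel id used by the Squid-3 concurrency extension. The mapping-file format, the helper path and the acl names in the comments are assumptions for the example; the escaping of request values and the exact result keywords should be checked against squid.conf.default for your Squid version.

```python
#!/usr/bin/env python3
"""Illustrative external_acl helper in the style of ip_user (added example).

Assumed squid.conf wiring (names hypothetical):
    external_acl_type ip_user_py %LOGIN %SRC /usr/local/bin/ip_user.py /etc/squid/ip_user.conf
    acl user_at_own_ip external ip_user_py
    http_access allow user_at_own_ip
    http_access deny all

Protocol as assumed here (verify against squid.conf.default):
  request : "<value> <value> ..." one line per lookup, values URL-escaped; with a
            Squid-3 concurrency= option the line is prefixed by a channel id that
            must be echoed back in the reply.
  response: "OK [key=value ...]" or "ERR [key=value ...]".
"""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed sample mapping (hypothetical format): "<login> <address-or-CIDR>"
# per line, '#' comments, several lines per login allowed.
SAMPLE_MAPPING = """
# login      allowed source
alice        192.0.2.10
bob          192.0.2.0/29
carol        2001:db8::/64
carol        198.51.100.7
"""


def parse_mapping(text):
    """Return {login: [ip_network, ...]}; malformed lines are skipped, not fatal."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) != 2:
            continue
        login, net = parts
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            continue
        mapping.setdefault(login, []).append(network)
    return mapping


def user_allowed_from(login, src, mapping):
    """True if login has an entry covering src; unknown users and bad addresses deny."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in mapping.get(login, ()))


def quote_value(value):
    """Quote a key=value payload: quotes are needed if the value contains
    whitespace, and embedded quotes and backslashes are backslash-escaped."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    if any(c.isspace() for c in escaped):
        return '"' + escaped + '"'
    return escaped


def handle_line(line, mapping, concurrency=False):
    """Turn one request line into one response line (no trailing newline)."""
    fields = line.rstrip("\r\n").split()
    channel = ""
    if concurrency:
        if not fields:
            return "ERR"
        channel = fields.pop(0) + " "
    if len(fields) < 2:
        return channel + "ERR"          # fewer values than the format promises: fail closed
    login, src = (unquote(f) for f in fields[:2])
    if user_allowed_from(login, src, mapping):
        return channel + "OK user=" + quote_value(login)
    return channel + "ERR"


def main(argv=sys.argv):
    args = argv[1:]
    concurrency = "--concurrent" in args          # hypothetical flag for the Squid-3 channel-id mode
    paths = [a for a in args if a != "--concurrent"]
    if paths:
        with open(paths[0]) as fh:
            mapping = parse_mapping(fh.read())
    else:
        mapping = parse_mapping(SAMPLE_MAPPING)   # run without a file to try the sample
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, mapping, concurrency) + "\n")
        sys.stdout.flush()                        # Squid waits for each reply; never buffer it


if __name__ == "__main__":
    main()
```

The two points a practitioner should carry over to a real helper are that every reply is flushed immediately (a buffered reply stalls the acl check until the helper's timeout) and that anything unexpected, from a short request line to an unparsable address, is answered with ERR rather than left unanswered.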
Progress
- 2004-03-20 external_acl_fuzzy patch
- The external_acl_fuzzy patch has been published. This patch adds the capability to cache external acl lookups at a coarser level, keyed on only part of the lookup data, and also adds a number of new format directives for matching local/remote port numbers etc. The new format directives are already available in Squid-3.0, but the extended caching requires some additional work before it can get merged.
- ext_user acl type (Squid-3)
- ext_user/ext_user_regex acl types added to match username returned by external acl processing.
- 2003-05-29 overlapping requests (Squid-3)
- Support for overlapping requests added: a helper may now accept multiple concurrent requests, compared to the single request at a time per helper process of the original design.
- 2003-05-20 tagging of requests (Squid-3)
- Concept of request tagging introduced, where external acls may tag requests with information later used in other acl elements, allowing more expressive matches than just "true/false".
- 2003-02-27 %LOGIN fixed
- %LOGIN fixed to require authentication if the user is not yet authenticated
- 2002-12-09 SSL related directives added (Squid-3)
- Format directives for matching SSL certificate information have been added
- 2002-09-07 Quoting of helper arguments
- squid.conf parser fixed to allow quoting of helper arguments
- 2002-08-21 %PATH directive (Squid-3)
- Andrew Wansink implemented a %PATH directive for accessing the urlpath component from external_acl. This was intentionally left out of the original design in favour of the redirector interface, but Andrew convinced us there are good reasons for having this in external_acl.
- 2002-07-11 helper for Novell group validations
- Vincent Gardien has published a small external_acl helper check_ncp_group to verify Novell group memberships using the ncptools package.
- 2002-07-05 wbinfo_group helper added to the Squid distribution
- The wbinfo_group helper by Jerry Murdock has been added to the development version of Squid. Can be found in the directory helpers/external_acl.
- 2002-07-04 winbind group helper by Jerry Murdock
- Jerry Murdock posted a Perl wrapper around the winbind wbinfo command for Windows NT group lookups on squid-users.
- 2002-06-23 helpers added to the Squid distribution
- The ip_user, ldap_group and unix_group helpers have been added to the development version of Squid. Can be found in the directory helpers/external_acl.
- 2002-06-23 squid_ldap_match helper
- MARA Systems AB, Sweden has published their helper for LDAP group membership checks
- 2002-06-23 Project completed
- The external_acl patch is now fully completed and tested and has been merged into Squid-2.5 and later.
- 2002-04-26 ip_user helper
- Rodrigo Campos has written yet another external_acl helper to base access controls on IP and user.
- 2002-04-18 UNIX group check helper available
- Rodrigo Campos has written an external_acl helper to base access controls on UNIX group membership.
- 2001-12-02 Optimization of parallel lookups
- Multiple identical parallel lookups are now collapsed into one call to the helper. This avoids helper request storms when a heavily used entry expires and the lookup takes a while to complete.
- 2001-12-01 Bugfixing
- Option processing, and some memory leaks
- 2001-11-30 Cleanup
- The configuration directives have been collapsed into one with a couple of optional options. The result cache can now be limited in size.
- 2001-11-17 Some bug fixes
- Was leaking a bit of memory. Adjusted logging to normal levels.
- 2001-11-17 List header members
- Support for list header members has been implemented
- 2001-07-17 Statistics added
- Statistics have been added, and queue overload is now handled more gracefully
- 2001-07-18 Implementation completed
- The implementation has been completed
- 2001-07-18 Draft implementation tested
- Most aspects of the draft implementation have now been tested
- 2001-07-17 Draft implementation
- All features except the actual external lookup have been implemented. This includes the parser, query formatter, ACL interface and status cache.
- 2001-07-16 Parser
- The configuration parser has been completed
- 2001-07-12 Configuration format
- The configuration format has been defined
- 2001-07-12 Documentation
- Initial documentation written
To do
- Fuzzy matches
- Add support for "fuzzy" cache matches. If the helper finds that the result does not depend on all supplied arguments, allow the helper to indicate which arguments are needed and cache on these alone.
- Soft ttl
- To avoid having to wait for the acl lookup to complete each time the ttl expires, use a soft ttl: cached acl results are refreshed before they expire, without the request having to wait for the result.
Known issues
- %SRC_DOMAIN not supported
- Originally it was planned to include a %SRC_DOMAIN format type, but this has been dropped due to time constraints. It can easily be added later.
- %ACL not supported
- Originally it was planned to include a %ACL format type, expanding into the referencing acl name. However, this information is not readily accessible in the acl match routine. If %ACL is needed then it may be possible to work around this API limitation by using the AclMatchedName hack.
$Id: index.html,v 1.29 2004/03/19 23:07:54 hno Exp $