MikoAndras.hu/en

Personal pages for Andras MIKO

Squid authentication module

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows, and is licensed under the GNU GPL.

It is plugin-capable and has a very simple interface to communicate with its helpers.

I had the task of making Squid authenticate against a database created with postfixadmin, a tool used by sysadmins to manage mailboxes served by postfix.

This task should not have been difficult, had there been an appropriate helper for it. Unfortunately for me, but fortunately for security, postfixadmin stores passwords in the database as md5crypt hashes. This salted, iterated hash (the $1$ scheme) was pioneered by FreeBSD and is used in place of the traditional DES-based unix crypt(3) hash on many modern systems. Squid had no support for this particular hashing scheme, and I should mention there was no out-of-the-box support for authenticating users from databases either.

My solution is based on an existing helper, mysql_auth, written by Ervin Hegedus.

As the name implies, this helper authenticates against MySQL databases. Passwords are stored as plain text or hashed with MySQL's built-in PASSWORD() function. All that was needed was to extend it with an option for the md5crypt algorithm and, in the same effort, for plain (unsalted) MD5 too.

The project is hosted on freshmeat.net; the latest changelog, the modified module page and the source code (v0.8.6) are available from my site.

My versions until now:

If you are wondering how I, a web developer, could modify a module written in C, here are the main elements:

  • Squid communicates with its helpers as simply as it possibly can
  • PHP syntax is derived from C, so the difference between them is mostly syntactic
  • I had help from friends on which tools to use to validate the compiled module
  • Last but not least, Squid has an active and helpful developer mailing list at squid-dev [at] squid-cache [dot] org

Easy communication:

Every Squid helper is written as an endless loop; this is by design. When a helper is needed, Squid starts one and keeps the pipe to it open, writing one request per line and reading one reply per line. If a helper dies, Squid simply starts a new one.

The best way to test any Squid authentication helper is to start it from the command line. It is fed username/password pairs on stdin, one pair per line separated by a space, and after checking each pair it must write OK or ERR to stdout. It is as simple as it can get: there is no reporting of what went wrong, Squid only cares whether the pair is valid or not. One practical caveat: the helper must flush stdout after every reply, otherwise Squid sits waiting for an answer that is stuck in the helper's output buffer.
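To make the helper protocol concrete, here is an added example that is not the mysql_auth helper from this page nor any Squid code: a minimal basic-auth helper in Python that speaks the stdin/stdout protocol described above and checks postfixadmin-style md5crypt hashes, with the unsalted MD5 scheme as the second accepted format. The md5crypt routine reproduces the FreeBSD reference algorithm on top of hashlib. The mailbox table, its user names and their hashes are constructed in-memory stand-ins for the MySQL table, and the percent-decoding of the two fields assumes Squid's URL-escaped helper input.

```python
"""Minimal Squid basic-auth helper checking postfixadmin-style md5crypt hashes.

Added example, not the mysql_auth helper described on the page. The "database"
is a constructed in-memory dict standing in for postfixadmin's mailbox table.
"""
import hashlib
import hmac
import sys
from urllib.parse import unquote

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt-style base64: emit `count` 6-bit groups, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> bytes:
    """FreeBSD md5crypt ($1$): returns the full '$1$salt$hash' string."""
    salt = salt.split(b"$", 1)[0][:8]          # at most 8 salt chars, stop at '$'
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:                            # len(password) bytes of alt, 16 at a time
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    bit = len(password)
    while bit:                                 # one byte per bit of len(password)
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 stretching rounds
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return MAGIC + salt + b"$" + encoded


def verify_password(password: bytes, stored: bytes) -> bool:
    """Accept the two schemes the page's helper was extended for: $1$ md5crypt
    and unsalted 32-hex MD5. Both comparisons are constant-time."""
    if stored.startswith(MAGIC):
        salt = stored[3:].split(b"$", 1)[0]
        return hmac.compare_digest(md5crypt(password, salt), stored)
    if len(stored) == 32:
        digest = hashlib.md5(password).hexdigest().encode()
        return hmac.compare_digest(digest, stored.lower())
    return False


# Constructed stand-in for postfixadmin's mailbox table (username -> password column).
MAILBOX_TABLE = {
    b"alice@example.com": md5crypt(b"secret", b"8ch4rSlt"),
    b"bob@example.com": md5crypt(b"pass word", b"Qz9x"),
    b"carol@example.com": hashlib.md5(b"plain").hexdigest().encode(),
}
# Dummy hash so an unknown user costs the same as a wrong password (no timing tell).
_DUMMY = md5crypt(b"dummy", b"dummysal")


def check_line(line: str) -> str:
    """Handle one request line from Squid: 'username password' -> 'OK' | 'ERR'."""
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) != 2:
        return "ERR"
    # Assumed Squid behaviour: both fields arrive percent-encoded, so a space
    # inside a password cannot split the line; decode before checking.
    user = unquote(fields[0]).encode()
    password = unquote(fields[1]).encode()
    stored = MAILBOX_TABLE.get(user)
    ok = verify_password(password, stored if stored is not None else _DUMMY)
    return "OK" if ok and stored is not None else "ERR"


def main() -> None:
    # Squid keeps the pipe open and sends one line per request; loop until EOF.
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()      # flush every reply, or Squid waits forever


if __name__ == "__main__":
    main()
```

Tested from the shell exactly as the page suggests, `printf 'alice@example.com secret\n' | python3 helper.py` prints OK and a wrong password prints ERR; bob's password containing a space is sent as `pass%20word`. The unknown-user path still runs one md5crypt computation against a dummy hash so that response time does not reveal which mailboxes exist.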

Syntax differences:

PHP syntax is mostly the same as C's, but the underlying concepts, such as manual memory management and pointers, are not.

Helpful friends:

I had a lot of help from friends along the way. The first was letting me use an actual prod-test environment with Squid installed. This was crucial in the development process for producing really usable code. The second was the code reviews; they ensured I did not fall into the pitfalls of bad approaches.

Squid development mailing list:

The people on the mailing list were very helpful on the first occasion, and have been since. They have a great community developing a great application.

I used a Debian etch system for development, vim for writing the code and valgrind to test the module as well as I could.
