Joomla-Squid Proxy Authentication with Autoconfiguration Howto

Written by David

Only recently I was required to set up some Internet access restrictions and rules on a network for external websites. An internal Intranet was being used with Joomla, and Squid was in place as a transparent proxy. I decided to write a very basic PHP script to do Internet authentication, since the proxy and Intranet were on the same server. (It wouldn't be hard to port this script to Python/Perl or anything else you like):

```php
<?php
/* Desert Crystal Solutions */

# Joomla Configuration File
include_once("<CHANGE THIS PATH TO YOUR JOOMLA INSTALLATION>/config.php");

# Grab STDIN Input
if (!defined('STDIN')) {
    define("STDIN", fopen("php://stdin", "r"));
}

# report database errors through return values instead of exceptions
mysqli_report(MYSQLI_REPORT_OFF);

# Parse multiple authentication requests from Squid
while (($line = fgets(STDIN)) !== false) {
    # get STDIN contents from request
    $fields = explode(' ', trim($line));

    # check that 2 parameters have been passed to the script
    # in the form of "username password"
    # answer ERR and keep serving if this is incorrect, so that one
    # malformed request does not kill the helper
    if (count($fields) != 2) {
        fwrite(STDOUT, "ERR\n");
        continue;
    }

    # record username and password (Squid URL-encodes them, RFC 1738)
    $username = rawurldecode($fields[0]);
    $password = rawurldecode($fields[1]);

    # start a basic MySQL connection to the host configured in Joomla
    $conn = @new mysqli($mosConfig_host, $mosConfig_user, $mosConfig_password, $mosConfig_db);
    if ($conn->connect_errno) {
        # unable to connect or select the database: refuse the login
        fwrite(STDOUT, "ERR\n");
        continue;
    }

    # query the username and password from Squid's Authentication;
    # the credentials are bound as parameters, not pasted into the SQL
    $query = "SELECT id FROM `" . addslashes($mosConfig_dbprefix) . "users` "
           . "WHERE `block` = '0' AND `username` = ? AND `password` = ?";
    $hash = md5($password);
    $authenticated = false;
    $stmt = $conn->prepare($query);
    if ($stmt) {
        $stmt->bind_param('ss', $username, $hash);
        $stmt->execute();
        $stmt->store_result();
        # check that there are results for the query
        $authenticated = $stmt->num_rows > 0;
        $stmt->close();
    }

    # return OK (Authentication Successful) or ERR (Authentication Failure) on STDOUT
    fwrite(STDOUT, $authenticated ? "OK\n" : "ERR\n");

    # close the MySQL connection gracefully
    $conn->close();
}
?>
```

Setting it up in Squid was as easy as adding/editing the following lines within the /etc/squid/squid.conf file, including a snippet of what I did for allowing some domains to be bypassed by the authentication.

```
auth_param basic program /usr/bin/php /etc/squid/joomla_auth
auth_param basic children 5
auth_param basic realm Internet Access
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl internetpassword proxy_auth REQUIRED
acl auth_bypass dstdomain "/etc/squid/bypass"

http_access allow auth_bypass
http_access allow internetpassword
http_access deny all
```

Contents of /etc/squid/bypass:

```
ournetwork.lan
ourwebsite.com
desertcrystal.com
```

In the end, the configuration looked similar to this:

```
/etc/squid/joomla_auth   ## Authentication script as above
/etc/squid/squid.conf    ## Squid Configuration file
/etc/squid/bypass        ## List of Domains to be bypassed by authentication
/var/www/                ## Joomla Directory of installation
/usr/bin/php             ## Path to PHP on the system (This changes from distro to distro so check it first with "which php")
```

Make sure you always include extra access controls to restrict external access to your proxy server. This isn't covered above but is outlined in the default Squid configuration files that come pre-installed with Squid.

Additionally, I also set up WPAD to provide automatic proxy configuration for Firefox and other web browsers/programs on the network (to make my life so much easier, of course!).

My WPAD script ended up looking like this:

```javascript
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0"))
    return "DIRECT";
  else
    return "PROXY wpad.ournetwork.lan:8080; DIRECT";
}
```

With all that done, go to Firefox -> Tools -> Options -> Advanced -> Network -> Settings and make sure "Auto-detect proxy settings for network" is checked. You can find this in Internet Explorer under Tools -> Internet Options -> Connections -> LAN Settings called "Automatically detect settings".

Have fun.
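
To check which hosts the WPAD script above sends through Squid, it can be evaluated outside a browser. The harness below is an added example, not part of the original script: `isPlainHostName`, `isInNet` and `ipv4ToInt` are simplified stand-ins for the browser's PAC helpers, `routeFor` is a hypothetical helper, and the sample URLs are constructed.

```javascript
// Stand-ins for the PAC helper functions a browser provides.
// Assumption: this isInNet only accepts dotted-quad IPv4 literals; a real
// browser also resolves hostnames through DNS before comparing.
function isPlainHostName(host) {
  return !host.includes(".");
}

function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInNet(host, pattern, mask) {
  const h = ipv4ToInt(host), p = ipv4ToInt(pattern), m = ipv4ToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// The PAC function from the page, unchanged in behaviour.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0"))
    return "DIRECT";
  return "PROXY wpad.ournetwork.lan:8080; DIRECT";
}

// Hypothetical helper: report the first route and whether a proxied
// request is allowed to fall back to a direct connection.
function routeFor(url) {
  const host = new URL(url).hostname;
  const chain = FindProxyForURL(url, host).split(";").map((s) => s.trim());
  const proxied = chain[0].startsWith("PROXY");
  return { host, first: chain[0], failsOpen: proxied && chain.includes("DIRECT") };
}

// Constructed sample URLs, not taken from the page.
const samples = ["http://intranet/", "http://10.20.30.40/wiki",
                 "http://ourwebsite.com/", "http://example.org/"];
for (const u of samples) console.log(routeFor(u));
```

Because the proxied branch ends in `; DIRECT`, a client that cannot reach wpad.ournetwork.lan:8080 connects directly, so the Squid authentication is only binding if the gateway blocks direct outbound web traffic.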

