One step further: Squid user + IP binding authentication backed by MySQL
Yesterday's post "Writing a Squid authentication helper in PHP" (用php写一个squid验证辅助器(authentication helper)) implemented MySQL-backed user account authentication for Squid; today I modify the program a bit further to support MySQL-backed user + IP binding authentication.
The users' IP addresses and accounts are stored in /etc/squid/acl_valid_user.txt, one pair per line, IP and account separated by a space. The account must be the same as the user account in the MySQL table. The format is as follows:
192.168.1.100 pangty
192.168.1.200 test
Modify squid.conf accordingly, using the ip_user_check external ACL helper shipped with Squid to check the account/IP association. Squid passes it the client address (%SRC) and the authenticated login name (%LOGIN), so the proxy_auth ACL must come before the external ACL on the http_access line; otherwise there is no login to check against:
external_acl_type ip_user_check children=5 %SRC %LOGIN /usr/lib/squid/ip_user_check -f /etc/squid/acl_valid_user.txt
acl acl_ip_user_check external ip_user_check
acl acl_valid_user proxy_auth REQUIRED
http_access allow acl_valid_user acl_ip_user_check
http_access deny all
auth_param basic program /usr/lib/squid/my_auth.php
auth_param basic children 5
auth_param basic realm Internet access authentication
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on
The my_auth.php authentication helper gains a check against acl_valid_user.txt, so a user who is not listed there is rejected at the password stage already; the squid table created earlier in MySQL is no longer used. Two defects of the first version are fixed on the way: the username, which comes straight from the client's Proxy-Authorization header, is now escaped before it is interpolated into the SQL query, and the deprecated split() is replaced with explode(). Note that the mysql_* extension used here was removed in PHP 7; on a current PHP the same logic should use mysqli or PDO.
#!/usr/bin/php
<?php
// Squid basic auth helper: reads "username password" lines (both fields
// URL-encoded) from stdin and answers OK or ERR, one line per request.
// Passwords are checked against the crypt() hashes stored in vpopmail's
// pw_passwd column; only users listed in acl_valid_user.txt are accepted.
ini_set("display_errors", false);
$datafile = "/etc/squid/acl_valid_user.txt";

function valid($u, $p, $sql_link) {
    $result = false;
    // The username is attacker-controlled: escape it before building the query.
    $safe_u = mysql_real_escape_string($u, $sql_link);
    $res = mysql_query("select pw_passwd from vpopmail where pw_name='$safe_u'", $sql_link);
    if ($res && 1 == mysql_num_rows($res)) {
        $data = mysql_fetch_object($res);
        $passwd = $data->pw_passwd;
        // crypt() with the stored hash as salt reproduces the hash on a match
        if ($passwd == crypt($p, $passwd)) {
            $result = true;
        }
    }
    return $result;
}

// Load "ip user" lines into $userarr[user] = ip. The IP itself is enforced by
// the ip_user_check external ACL; here only the user's presence matters.
$userarr = array();
$data = file_get_contents($datafile);
foreach (preg_split("/\n/", $data) as $l) {
    $l = trim($l);
    if ($l === "" || $l[0] == "#") {
        continue;
    }
    $fields = preg_split("/\s+/", $l);
    if (count($fields) >= 2) {
        $userarr[$fields[1]] = $fields[0];
    }
}

while (!feof(STDIN)) {
    $input = trim(fgets(STDIN));
    if ($input === "") {
        continue;   // blank line or EOF
    }
    $fields = explode(" ", $input, 2);
    $username = rawurldecode($fields[0]);
    $password = isset($fields[1]) ? rawurldecode($fields[1]) : "";
    $sql_link = mysql_connect("x.x.x.x", "xxx", "yyy");
    if (!$sql_link || !mysql_select_db("vpopmail", $sql_link)) {
        fwrite(STDOUT, "ERR\n");   // fail closed when the database is unreachable
        continue;
    }
    if (array_key_exists($username, $userarr) && valid($username, $password, $sql_link)) {
        fwrite(STDOUT, "OK\n");
    } else {
        fwrite(STDOUT, "ERR\n");
    }
    mysql_close($sql_link);
}
?>
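To make the ip_user_check side of the setup concrete, the following is an added example, not code from this post and not Squid's own ip_user_check, of a Squid external ACL helper written in Python that performs the same user + IP binding check the squid.conf above delegates to ip_user_check. It reads "%SRC %LOGIN" lines on stdin and answers OK or ERR per line, which is the external_acl_type helper protocol. The rule file format it accepts (ip[/prefix] user, with ALL and NONE wildcards and # comments) and the URL-decoding of the login field are assumptions; check them against the documentation of the Squid version in use before swapping this in for ip_user_check. The built-in SAMPLE_TABLE is constructed for the demonstration and mirrors the acl_valid_user.txt layout above.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper for user + IP binding (added example).

Protocol: one request per line on stdin, "%SRC %LOGIN"; reply "OK" or "ERR".
Assumed rule file format: "<ip or ip/prefix> <user|ALL|NONE>", '#' comments.
"""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed sample table, same shape as /etc/squid/acl_valid_user.txt.
SAMPLE_TABLE = """\
# ip/prefix     user
192.168.1.100   pangty
192.168.1.200   test
10.0.5.0/24     ALL
"""


def parse_table(text):
    """Return a list of (network, user) rules; malformed lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            # A bare address becomes a /32 (or /128) network.
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            continue
        rules.append((net, parts[1]))
    return rules


def check(rules, src, login):
    """True when the (src, login) pair is allowed; first matching rule wins."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    for net, user in rules:
        if addr not in net:
            continue
        if user == 'NONE':
            return False
        if user == 'ALL' or user == login:
            return True
    return False


def handle_line(rules, line):
    """Map one helper request line ("%SRC %LOGIN") to the reply "OK"/"ERR"."""
    fields = line.strip().split()
    if len(fields) < 2:
        return 'ERR'            # malformed request: fail closed
    src, login = fields[0], unquote(fields[1])
    return 'OK' if check(rules, src, login) else 'ERR'


def main():
    # Rule file path as first argument; falls back to the constructed sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_TABLE
    rules = parse_table(text)
    for line in sys.stdin:
        sys.stdout.write(handle_line(rules, line) + '\n')
        sys.stdout.flush()      # Squid waits for each reply; do not buffer


if __name__ == '__main__':
    main()
```

To use it in place of ip_user_check, the external_acl_type line would point at the script with the rule file as its argument (path assumed), for example `external_acl_type ip_user_check children=5 %SRC %LOGIN /usr/local/bin/ip_user_acl.py /etc/squid/acl_valid_user.txt`; the acl and http_access lines stay as above. Unlike the PHP helper, this one makes the access decision for every request that reaches it, so flushing after each reply matters: a buffered reply stalls the client until the buffer fills.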
[ This post was last edited by pangty on 2008-10-1 20:14 ]