Ok, I'm not sure if this makes sense, but I have some special needs and can't quite figure out how to implement them.
I am using DansGuardian to determine if something is porn, and I modified it to set headers (X-Naughty and X-Naughty-Why) so that the page would still go through, but Squid would be able to identify it as naughty. Now, I need to authenticate users _without_ basic authentication (because I'm using transparent proxying, and I want authentication to be optional anyway, only when a site is blocked), and I also can't use NTLM because we are not using domains and Windows usernames have no correlation to their network logins.

So, my idea is to have an authentication module that doesn't actually authenticate but holds a struct of username/IP pairs and a timeout timestamp. Now, since this won't actually do anything on its own, as there is no way to get the username/IP pairs in there, I need a pipe or IPC to send that info to Squid. The way I envision it working is: people can browse freely and unlogged until they get a page that DansGuardian blocks, at which time they are sent to a login page (probably PHP here) that authenticates them to the network (using whatever method your network uses), then sends the username/IP pair to Squid, where it is put in the struct. Then, when Squid sees the X-Naughty header and the user is logged in (and the current time is before the timestamp), it will allow the page through but log it.

There are several caveats here, which is why this is the only way I can think of to do it:
1) we only want to log porn sites, not every site the user goes to.
2) we only want users to log in *if* they want to, to bypass the filter with the knowledge that it will be logged.
3) it needs to be very fast, and I don't think an external auth module could do the job.
4) adding a naughty header is the only way I could see to let the page go through for logged-in users but still allow Squid to identify it.

The setup is like: user <-> squid <-> dansguardian <-> squid <-> internet. Both the squids are the same process; it just uses the IP src from DansGuardian's IP to send the request out to the internet.

So, has anyone done anything like this? Can this be done? Right now I'm trying to make Squid match arbitrary headers, but every ACL file there now matches headers that are in enum.h; how can I match unknown arbitrary headers? And second, is my authentication idea possible? Is it plausible? Are there better ways of doing it?

Thanks! :)

Joshua Brindle
UNIX Administrator
Southern Nazarene University
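Added example, not code from the original post nor from Squid or DansGuardian: a Python model of the scheme described in the post above, with the username/IP/expiry table, a line-oriented IPC feed that the login page could write to over a Unix-domain socket, and the decision the proxy takes when a response carries X-Naughty. The socket path, the "username ip [ttl]" wire format, the 30-minute default lifetime, the log-line layout and the sample addresses are all assumptions made for this example.

```python
"""Model of the 'login table + X-Naughty' bypass design (added example).

Assumptions, not from the post: IPC lines look like 'username ip [ttl]',
logins last 30 minutes by default, and the socket path below is arbitrary.
"""
import ipaddress
import os
import socket
import threading
import time

IPC_SOCKET_PATH = "/tmp/naughty-auth.sock"   # assumed; where the login page connects
DEFAULT_TTL = 30 * 60                         # assumed: 30 minutes of bypass per login
TAG_HEADERS = ("x-naughty", "x-naughty-why")  # the headers the post's DansGuardian adds


class LoginTable:
    """The 'struct' from the post: username/IP pairs plus an expiry timestamp."""

    def __init__(self):
        self._lock = threading.Lock()
        self._entries = {}  # ip -> (username, expires_at)

    def add(self, ip, username, ttl=DEFAULT_TTL, now=None):
        now = time.time() if now is None else now
        with self._lock:
            self._entries[ip] = (username, now + ttl)

    def lookup(self, ip, now=None):
        """Return the logged-in username for ip, or None if absent or expired."""
        now = time.time() if now is None else now
        with self._lock:
            entry = self._entries.get(ip)
            if entry is None:
                return None
            username, expires_at = entry
            if now >= expires_at:
                del self._entries[ip]   # lazy purge keeps the hot path a dict lookup
                return None
            return username


def parse_ipc_line(line):
    """Parse one 'username ip [ttl]' line from the login page; ValueError if malformed."""
    parts = line.split()
    if len(parts) not in (2, 3):
        raise ValueError("expected: username ip [ttl]")
    username = parts[0]
    ip = str(ipaddress.ip_address(parts[1]))  # normalises the address, rejects junk
    ttl = int(parts[2]) if len(parts) == 3 else DEFAULT_TTL
    if ttl <= 0 or any(c in username for c in "\"'\\"):
        raise ValueError("bad ttl or username")
    return username, ip, ttl


def feed_ipc(table, lines, now=None):
    """Read login lines from any iterable of strings into the table; returns count accepted."""
    accepted = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            username, ip, ttl = parse_ipc_line(line)
        except ValueError:
            continue   # one bad line from the login page must not kill the feed
        table.add(ip, username, ttl, now)
        accepted += 1
    return accepted


def serve_ipc(path, table):
    """Accept connections on a Unix-domain socket and feed each into the table.
    Runs forever; start it in a thread beside the lookup path."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)   # assumes the login page runs as this process's user
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        with conn, conn.makefile("r") as stream:
            feed_ipc(table, stream)


def strip_tag_headers(headers):
    """Drop the X-Naughty* tags so they never reach the browser."""
    return {k: v for k, v in headers.items() if k.lower() not in TAG_HEADERS}


def decide(table, client_ip, headers, url, now=None):
    """Policy for one response as the outer proxy sees it.
    Returns (action, username, log_line) where action is:
      'pass'  - no X-Naughty header: normal browsing, nothing logged
      'login' - tagged naughty, client not logged in: send to the login page
      'allow' - tagged naughty, client logged in and unexpired: deliver, but log
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "x-naughty" not in lowered:
        return "pass", None, None
    username = table.lookup(client_ip, now)
    if username is None:
        return "login", None, None
    stamp = int(time.time() if now is None else now)
    log_line = "%d %s %s %s %s" % (stamp, client_ip, username, url,
                                   lowered.get("x-naughty-why", "-"))
    return "allow", username, log_line
```

The only work on the hot path is one dictionary lookup under a lock, which is what makes this cheaper than calling out to an external helper per request. Two points to keep in mind when wiring it up: whoever can write to the IPC socket can log in any IP as any user, so the socket must be reachable only by the login page's process (the example relies on file permissions for that), and the X-Naughty headers should be stripped before the response is delivered, since they are a signal for the proxy, not for the client.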
