How To: Write Custom Basic Authentication Plugin for Squid in Python

Mission

To write a Python program which can be used to authenticate for Squid proxy server. This is useful when you don’t want to configure complex systems like LDAP, ntlm etc.

Use Cases

  1. When you want to authenticate clients using mysql database.
  2. When you want to authenticate clients using flat files or /etc/passwd file or some custom service on your network.

How to proceed

From auth_param section in squid.conf file:

Specify the command for the external authenticator. Such a program reads a line containing "username password" and replies "OK" or "ERR" in an endless loop. "ERR" responses may optionally be followed by a error description available as %m in the returned error page.

By default, the basic authentication scheme is not used unless a program is specified.

That clearly states that our python program should read a line from standard input (stdin) and write the appropriate response to the standard output (stdout). But there are some issues with I/O. The output should be unbuffered and should be flushed to standard output immediately after the response is known.

So, lets see a small program where we authenticate using a function ‘matchpassword()‘. This function returns True when username, password pair matches and returns False when they mismatch.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#!/usr/bin/python
 
import sys
import socket
"""USAGE:The function returns True if the user and passwd match False otherwise"""
def matchpasswd(login,passwd):
    # Write your own function definition. 
    # Use mysql, files, /etc/passwd or some service or whatever you want
    pass
 
while True:
    # read a line from stdin
    line = sys.stdin.readline()
    # remove '\n' from line
    line = line.strip()
    # extract username and password from line
    username = line[:line.find(' ')]
    password = line[line.find(' ')+1:]
 
    if matchpasswd(username, password):
        sys.stdout.write('OK\n')
    else:
        sys.stdout.write('ERR\n')
    # Flush the output to stdout.
    sys.stdout.flush()

Save the above file somewhere. We save this example file in /etc/squid/custom_auth.py .Now, we have the function for authenticating clients. We need to configure squid to use custom_auth.py . Below is the squid configuration for telling squid to use the above program as basic authenticator.

1
2
3
4
5
6
7
8
9
10
11
# you need to specify /usr/bin/python if your file is not executable and needs an interpreter to be invoked.
# Replace /usr/bin/python with /usr/bin/php , if you write auth program in php.
auth_param basic program /usr/bin/python /etc/squid/custom_auth.py
# how many instances of the above program should run concurrently
auth_param basic children 5
# display some message to clients when they are asked for username, password
auth_param basic realm Please enter your proxy server username and password
# for how much time the authentication should be valid
auth_param basic credentialsttl 2 hours
# whether username, password should be case sensitive or not
auth_param basic casesensitive on

Now, to force clients to authenticate, configure the acls as follow. Below we assume, you want to force all clients on your lan to authenticate for using proxy server.

1
2
3
4
5
6
# acl to force proxy authentication
acl authenticated proxy_auth REQUIRED
# acl to define IPs from your lan
acl lan src 192.168.0.0/16
# acl to force clients on your lan to authenticate
http_access allow lan authenticated

Now, reload/restart squid. That’s all we need to write and use a custom authentication plugin for squid.

Limitation

Username can’t contain spaces. Otherwise program will not be able to parse/extract username, password from standard input.

 

How To: Install PHP-Ming

Yesterday, I came across a library called ming for php which can do wonders while converting videos to .swf (flash), images to .swf and much more. The best thing is that ming provides wrappers in C/C++/PHP/Python/Perl/Tcl etc. So, can be used within any one of these languages. But, the damn thing drove me crazy while installing. It was very tough experience installing it as the available howtos didn’t help much. But finally I somehow managed with the installation and it worked 🙂 So, I thought of writing this how to, so that anyone having the same problem can find it helpful.

Here is a complete howto on installing php-ming in Fedora. (I installed it on Fedora 7 and with php5, but howto is supposed to work with other versions as well.) Though there are rpms available for earlier versions of ming, but I wanted the latest, so installed from source.

Resources:
libming : http://www.libming.net/
PHP : http://php.net/

Step 1

First of all make sure that you have php-devel package, otherwise you will not be able to install ming at all. Do the following as root.

[root@bordeaux root]# rpm -q php-devel [Enter]

If the above command says php-devel is not installed, then fetch php-devel for your php version from here and install as given below, else proceed to step 2.

[root@bordeaux root]# rpm -hiv php-devel-5.2.2-3.i386.rpm [Enter]

Step 2

Download latest version of ming from here.

Step 3

Untar the downloaded package.

[saini@bordeaux saini]# tar -xvzf ming-0.4.0.beta5.tar.gz [Enter]

Step 4

Change directory to ‘./ming-0.4.0.beta5’ and issue ./configure and make as given below

1
2
3
4
[saini@bordeaux saini]# cd ming-0.4.0.beta5 [Enter]
[saini@bordeaux ming-0.4.0.beta5]# ./configure --enable-cXX --enable-php [Enter]
[saini@bordeaux ming-0.4.0.beta5]# make [Enter]
[root@bordeaux ming-0.4.0.beta5]# make install [Enter] (as root)

Step 5

Go to ‘./php_ext’ directory and issue ‘make’ and ‘make install’.

1
2
3
[saini@bordeaux ming-0.4.0.beta5]# cd php_ext [Enter]
[saini@bordeaux php_ext]# make [Enter]
[root@bordeaux php_ext]# make install [Enter] (as root)

Step 6

Open make_modules.sh in your favorite editor and uncomment the line ‘make install’ and run make_modules.sh.

[root@bordeaux php_ext]# bash make_modules.sh [Enter] (as root)

Step 7

Go to ‘./tmp/modules/’ directory and copy ming.so to ‘/usr/lib/php/modules/’

1
2
[root@bordeaux php_ext]# cd tmp/modules/ [Enter]
[root@bordeaux modules]# cp ming.so /usr/lib/php/modules/ [Enter] (as root)

If ming.so is not found in ‘php_ext/tmp/modules/, then update your db using ‘updatedb’ and locate ming.so and if found on locate, then copy it to ‘/usr/lib/php/modules/’. If not found at all, try recompiling or issue some random commands related to make.

Step 8

Go to ‘/usr/local/lib/’ and check if libming.so, libming.so.0 etc. are present there. If yes proceed else I don’t know what to do 🙁

Step 9(a)

Go to ‘/usr/lib/php/modules/’ and issue these commands.

1
2
3
4
[root@bordeaux modules]# ln -s /usr/local/lib/libming.so libming.so (as root)
[root@bordeaux modules]# ln -s /usr/local/lib/libming.so.0 libming.so.0 (as root)
[root@bordeaux modules]# ln -s /usr/local/lib/libming.so.0.3.0 libming.so.0.3.0 (as root)
[root@bordeaux modules]# ln -s /usr/local/lib/libming.so.0.4.0 libming.so.0.4.0 (as root)

Step 9(b)

Go to ‘/usr/lib/’ and issue these commands.

1
2
3
4
[root@bordeaux lib]# ln -s /usr/local/lib/libming.so libming.so (as root)
[root@bordeaux lib]# ln -s /usr/local/lib/libming.so.0 libming.so.0 (as root)
[root@bordeaux lib]# ln -s /usr/local/lib/libming.so.0.3.0 libming.so.0.3.0 (as root)
[root@bordeaux lib]# ln -s /usr/local/lib/libming.so.0.4.0 libming.so.0.4.0 (as root)

Step 10

Restart the httpd service by issuing the command below

[root@bordeaux root]# service httpd restart [Enter] (as root)

Step 11

Write a file ‘/var/www/html/info.php’ with following contents

phpinfo();

and point your web browser to http://localhost/info.php . Now search for ‘ming’ and check whether its enabled or not.

PHP Ming in Fedora

If enabled, yes you have successfully installed php-ming 🙂 Hope this helps.

 

How To: Install Javascript Plugin in Eclipse

Today, I installed Eclipse on my Fedora 7 desktop. Everything is fine, but the default Eclipse does not have a plugin for JavaScript. So , I searched a lot on Google and read a lot of reviews about some JavaScript plugins available for Eclipse. And I finally reached the JSEclipse plugin by Adobe Labs. I had a good experience with it. Its great to work with and if you are looking for a javascript plugin for eclipse, just don’t search any more and install it. JSEclipse can be downloaded from here after registering with Adobe. Following are the simple steps to install the JSEclipse.

Launch Eclipse and do as suggested in images.

Step 1 :

Follow this image :

Help Software Updates Find And Install

Step 2:

Select “Search new features to install” and click next.

Search New Features To Install

Step 3:

Click “New archived site” and select the package or zip file you just downloaded from the above link and click open.

Choose New Archived Site

Step 4: Click OK.

Select Local Zip File And Click Open Then Click OK

Step 5: Check the package if not checked and click next.

Click Finish

Step 6: Check the features you want to install and click next.

Select Features To Install And Click Next

Step 7: Accept Terms and conditions and click next.

Accept Terms And Conditions

Step 8: Click finish and when it ask to restart eclipse just click yes.

Click Finish

Step 9: Voila !! JavaScript plugin is installed now. Have fun with it.

Eclipse With Javascript Plugin

PS: A lot of howtos are pending. Will Try to finish them asap 😀

 

QuadKonsole – Programme Better

Well, the era of Quad Core computing is approaching fast. But everybody can’t just enjoy the computing powers of those high end processors due to very high cost and maintenance(power supply and heat) problems. If you are a programmer and and use linux, then you can at least have a Quad Core Konsole. I found a small application here which can change the way you program and can make programming very easy and fast. It has four konsoles tiled in one single window and comes with very easy navigation controls. You may want to give it a try. Below is a screenshot of QuadKonsole.

Quad Core Konsole

Quad Core Konsole

 

Hack: Mange Fluctuating Wireless

I am trying this small script with a so called gui 😉 . This helps managing my wireless in the extreme conditions. Just a shell script. Run the script as root otherwise it’ll not work.

Get the script here or copy the code below.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#!/bin/bash
#
#	Author - Kulbir Saini, IIIT Hyderabad.
#	Home - http://saini.co.in/
#	KWirelessManger - Just for fun.(It works ... its not just fun).
#
 
#Give the popup life.
POPUP_LIFE="10"
#kdialog --passivepopup "Welcome to 'KWirelessManager'"  ${POPUP_LIFE} &
#Give your device name for proceeding further. It may be one of wlan0, ra0, eth0, ipw2200 etc...
WLAN_DEVICE="wlan0"
#Give your WLAN host to be connected.
WLAN_HOST="IIIT WLAN"
CONNECTED=0
while [[ 1 ]];
do
	iwlist ${WLAN_DEVICE} scanning 2> /dev/null > /tmp/iwlist.aps
	grep -e "Cell" /tmp/iwlist.aps | tr " " "\t" | cut -f15 > /tmp/iwlist.apadd
	ACCESS_POINTS_IN_RANGE=`wc -l /tmp/iwlist.apadd`
	for ACCESS_POINT_ADDRESS in `cat /tmp/iwlist.apadd`
	do
		iwconfig ${WLAN_DEVICE} ap ${ACCESS_POINT_ADDRESS}
		#kdialog --passivepopup "Connceting to Access Point ${ACCESS_POINT_ADDRESS} ..." ${POPUP_LIFE} &
		echo "Connceting to Access Point ${ACCESS_POINT_ADDRESS} ..."
		WLAN_STATUS=`service network restart | tail -1 | grep "FAILED"`
		if [[ ${WLAN_STATUS} == "" ]];
		then
			#kdialog --passivepopup "You are connected to ${WLAN_HOST}." ${POPUP_LIFE} &
			echo "You are connected to ${WLAN_HOST}."
			CONNECTED=1
			break
		else
			#kdialog --passivepopup "Failed to connect to the Access Point ${ACCESS_POINT_ADDRESS} :(" ${POPUP_LIFE} &
			echo "Failed to connect to the Access Point ${ACCESS_POINT_ADDRESS} :("
			CONNECTED=0
		fi
	done
	if [[ ${CONNECTED} == 1 ]];
	then
		sleep 180;
	fi
done

Please suggest any optimization and do tell if u like it.