Category: LINUX

2010-05-16 00:49:43

Squid 2.6 authentication via mysql_auth

1. Unpack and apply the patch

#wget

#wget

#tar xvzf mysql_auth-0.8.tar.gz
#cd mysql_auth-0.8
#patch -p1 < ../additionalselect.patch
patching file src/confparser.c
patching file src/define.h
patching file src/mysql_auth.c
patching file src/mysql_auth.conf

Note: the main purpose of this patch is to add an isactive field, which makes it possible to suspend an account temporarily.

 

2. Create the database used by mysql_auth, and the user and password that manage it

#cd /home/soft/squid/mysql_auth-0.8/scripts
#vi create_script
GRANT SELECT,INSERT,UPDATE,DELETE ON mysql_auth.data TO squid@localhost IDENTIFIED BY 'squid2341';

Note: this line defines the user squid, with the password squid2341, as the account that manages the data table of the mysql_auth database.

#/usr/local/mysql/bin/mysql -u root -p < create_script
Enter password:

The isactive column has to be created by hand at this point; create_script does not create it.

# /usr/local/mysql/bin/mysql -u squid -p mysql_auth
Enter password:
Welcome to the MySQL monitor.

mysql> insert into data (user, password, isactive) values ('liwentao', '123456', '1');
Query OK, 1 row affected (0.00 sec)

If you want to store your passwords in encrypted format:

shell> mysql -u your_user_name -p mysql_auth
Enter password:
Welcome message...
mysql> insert into data (user, password, isactive) values ('liwentao', password("123456"), '1');
Query OK, 1 row affected (0.00 sec)
 

3. Adjust parameters before compiling

#cd /home/soft/squid/mysql_auth-0.8
#vi Makefile
CFLAGS = -I/usr/local/include -L/usr/local/mysql/lib

install:
	$(INSTALL) -o squid -g squid -m 755 mysql_auth /usr/local/squid/libexec/mysql_auth
	$(INSTALL) -o root -g root -m 700 mypasswd /usr/local/bin/mypasswd
	$(INSTALL) -o squid -g squid -m 600 $(CONF) /usr/local/squid/etc/mysql_auth.conf
	$(INSTALL) -o squid -g squid -m 600 $(CONF) /usr/local/squid/etc/mysql_auth.conf.default

 

 

#vi ./src/define.h
#define CONFIG_FILE "/usr/local/squid/etc/mysql_auth.conf"

#define VAR_HOST_NAME "hostname"
#define DEF_HOST_NAME "localhost"

/*
 * username
*/
#define VAR_USER_NAME "user"
#define DEF_USER_NAME "squid"

/*
 * user's (above) password
*/
#define VAR_USER_PASSWORD "password"
#define DEF_USER_PASSWORD "squid2341"

/*
 * database name
*/
#define VAR_DATABASE_NAME "database"
#define DEF_DATABASE_NAME "mysql_auth"

/*
 * socket name
*/
#define VAR_MYSQLD_SOCKET "mysqld_socket"
#define DEF_MYSQLD_SOCKET "/tmp/mysql.sock"

/*
 * table name
*/
#define VAR_TABLE_NAME "table"
#define DEF_TABLE_NAME "data"

/*
 * user column name
*/
#define VAR_USER_COLUMN "user_column"
#define DEF_USER_COLUMN "user"

/*
 * password column name
*/
#define VAR_PASSWORD_COLUMN "password_column"
#define DEF_PASSWORD_COLUMN "password"

/*
 * var_additionalselect
 * additional sql-select stuff
*/
#define VAR_ADDITIONALSELECT "additionalselect"
#define DEF_ADDITIONALSELECT "AND 1"

/*
 * use encrypted password format
*/
#define VAR_ENCRYPT_PASSWORD_FORM "encrypt_password_form"
#define DEF_ENCRYPT_PASSWORD_FORM "no"

/*
 * max length of line in config file
*/
#define MAXLENGTH 512

/*
 * max length of username or passwords
*/
#define MAX_STRLEN 64

/*
 * structure for variable options
*/
struct my_params {
        char *var_host_name;
        char *var_user_name;
        char *var_user_password;
        char *var_database_name;
        char *var_mysqld_socket;
        char *var_table_name;
        char *var_user_column;
        char *var_password_column;
        char *var_encrypt_password_form;
        char *var_additionalselect;
};

 

 

#vi src/mysql_auth.conf
password        squid2341
mysqld_socket   /tmp/mysql.sock
additionalselect       AND isactive = 1


Compile and install:

#ln -s  /usr/local/mysql/include/ /usr/local/include/mysql
#cd /home/soft/squid/mysql_auth-0.8

Note, and this is worth stressing:
#vi Makefile
CFLAGS = -I/usr/local/include -L/usr/local/mysql/lib

The build looks for mysql/mysql.h under the first path and libmysqlclient.a under the second path,
so I ran #ln -s  /usr/local/mysql/include/ /usr/local/include/mysql to create a mysql subdirectory by hand and satisfy it.

Otherwise you get the following error, which cost me half an hour and was a bit frustrating:

gcc -I/usr/local/mysql/include -L/usr/local/mysql/lib   -c -o src/mysql_auth.o src/mysql_auth.c
src/mysql_auth.c:24:25: error: mysql/mysql.h: No such file or directory
src/mysql_auth.c: In function ‘main’:
src/mysql_auth.c:37: error: ‘MYSQL’ undeclared (first use in this function)
src/mysql_auth.c:37: error: (Each undeclared identifier is reported only once
src/mysql_auth.c:37: error: for each function it appears in.)
src/mysql_auth.c:37: error: expected ‘;’ before ‘connect’
src/mysql_auth.c:38: error: ‘MYSQL_RES’ undeclared (first use in this function)
src/mysql_auth.c:38: error: ‘result’ undeclared (first use in this function)
src/mysql_auth.c:39: error: ‘MYSQL_ROW’ undeclared (first use in this function)
src/mysql_auth.c:39: error: expected ‘;’ before ‘row’
src/mysql_auth.c:63: error: ‘connect’ undeclared (first use in this function)
src/mysql_auth.c:185: error: ‘row’ undeclared (first use in this function)
make: *** [src/mysql_auth.o] Error 1

 

Testing mysql_auth

Once it is compiled and installed, the following command creates a user and password directly; users can also be deleted. The database name and the user and password that manage the database are all set in mysql_auth.conf.

#mypasswd lwt 123456

A user can be deleted with:
#mypasswd -d lwt

#vi /usr/local/squid/etc/squid.conf
http_port 172.21.41.15:3128 transparent

Note: http_port is still used for the transparent-proxy setup; it listens on the real internal NIC.

acl inside src 172.21.0.0/16
http_access allow inside
Note: this part still permits the internal network.

auth_param basic realm Squid proxy server
auth_param basic program /usr/local/squid/libexec/mysql_auth
auth_param basic credentialsttl 5
auth_param basic children 5

acl mysqlauth proxy_auth REQUIRED
http_access allow mysqlauth
Note: this part permits authenticated users.

http_access deny all


Start squid

#su squid -c "/usr/local/squid/bin/RunCache &"

 

In testing, if the internal network also contains addresses outside the 172.21.0.0/16 range, for example a 10.14.0.0 network routed in from elsewhere,
those clients cannot get online through the transparent-proxy part of the squid configuration, because no acl permits their addresses.
There is also no need to modify http_port 172.21.41.15:3128 transparent or add a separate listener for 10.14.0.1: those clients are configured directly with 172.21.41.15 port 3128 as their squid proxy, and their path is completely different from that of the 10.14.0.0/16 network route.
Clients on that network can get online by setting the proxy to 172.21.41.15 port 3128 in IE (right-click Properties, Connections, LAN settings).

Clients on the original internal range, 172.21.0.0/16, can still get online through the transparent proxy.


Also note that if isactive is set to 0 in the database, the account is temporarily blocked: the user sees the username/password prompt pop up again.
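The behaviour described above (a row with isactive = 0 is refused even with the right password) and the manual isactive column from section 2 can be exercised without MySQL or Squid. The following is an added example written for this page, not code from mysql_auth or from the original post: a stand-in for the helper that speaks the Squid basic-auth helper protocol (one "username password" request line on stdin, one OK or ERR reply line on stdout) against an in-memory SQLite table with the same three columns. Note that the patched helper appends the additionalselect value from mysql_auth.conf verbatim to its query text (which is why its default is AND 1), so that config file must be trusted; the example keeps the active filter as a constant and binds user and password as parameters. The table schema, the sample rows and the URL-decoding of the two fields are assumptions made here.

```python
import sqlite3
import urllib.parse

# Assumed schema: the mysql_auth "data" table with the isactive column the
# post says must be added by hand (constructed for this example).
SCHEMA = """
CREATE TABLE data (
    user     TEXT PRIMARY KEY,
    password TEXT NOT NULL,
    isactive INTEGER NOT NULL DEFAULT 1
);
"""

# Constructed sample rows: one active account, one suspended (isactive = 0).
# Plaintext passwords mirror the post's first insert (encrypt_password_form no).
SAMPLE_ROWS = [
    ("liwentao", "123456", 1),
    ("lwt", "123456", 0),
]

# Fixed equivalent of the post's "additionalselect  AND isactive = 1":
# a constant in code rather than a clause spliced in from a config file.
ACTIVE_FILTER = "AND isactive = 1"


def open_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO data (user, password, isactive) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def parse_helper_line(line):
    """Parse one helper request line 'user password' into a (user, password) tuple.

    Returns None for malformed input. Both fields are URL-decoded, which is an
    assumption here (harmless for plain values); Squid's helper interface is
    the reason the fields are separated by a single space.
    """
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    return urllib.parse.unquote(parts[0]), urllib.parse.unquote(parts[1])


def check_credentials(conn, user, password):
    """True only when a row matches AND the account is active (isactive = 1)."""
    row = conn.execute(
        "SELECT 1 FROM data WHERE user = ? AND password = ? " + ACTIVE_FILTER,
        (user, password),
    ).fetchone()
    return row is not None


def authenticate(conn, line):
    """Map one request line to the helper's reply: 'OK' or 'ERR'."""
    parsed = parse_helper_line(line)
    if parsed is None:
        return "ERR"
    user, password = parsed
    return "OK" if check_credentials(conn, user, password) else "ERR"


def set_active(conn, user, active):
    """Suspend (active=False) or re-enable an account by flipping isactive.

    Returns the number of rows updated (0 when the user does not exist).
    """
    cur = conn.execute(
        "UPDATE data SET isactive = ? WHERE user = ?", (1 if active else 0, user)
    )
    conn.commit()
    return cur.rowcount


def run_helper_loop(conn, stdin, stdout):
    """Helper protocol loop: one request line in, one OK/ERR line out."""
    for line in stdin:
        stdout.write(authenticate(conn, line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    import sys

    run_helper_loop(open_db(), sys.stdin, sys.stdout)
```

Run it and type "liwentao 123456" to get OK, then "lwt 123456" to get ERR: lwt has the right password but isactive = 0, which is exactly the case in which Squid re-prompts for credentials. Flipping the flag back with set_active(conn, "lwt", True) makes the same line succeed.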

 

In sarg's log view this shows up as follows: for transparent-proxy access from internal addresses the userid column is the client's IP address; for the authenticated part it is the username.
