Squid 2.6通过mysql_auth方式认证

一、解压缩打补丁

#wget

#wget

#tar xvzf mysql_auth-0.8.tar.gz

#cd mysql_auth-0.8

#patch -p1 < ../additionalselect.patch

patching file src/confparser.c

patching file src/define.h

patching file src/mysql_auth.c

patching file src/mysql_auth.conf

注：这个补丁主要是增加一个可以暂时封停账号的字段isactive

二、建立mysql_auth用到的数据库及管理数据库的用户和密码

#cd /home/soft/squid/mysql_auth-0.8/scripts

#vi create_script

GRANT SELECT,INSERT,UPDATE,DELETE ON mysql_auth.data TO squid@localhost IDENTIFIED BY 'squid2341';

注：这个是规定了squid用户使用squid2341的密码，管理mysql_auth数据库的data表

#/usr/local/mysql/bin/mysql -u root -p < create_script

Enter password:

这里要手工建立一个isactive的字段，create_script里面没有建立。

# /usr/local/mysql/bin/mysql -u squid -p mysql_auth

Enter password:

Welcome to the MySQL monitor.

mysql> insert into data (user, password, isactive) values ('liwentao', '123456',’1’);

Query OK, 1 row affected (0.00 sec)

if you want to store your passwords in encrypted format:

shell> mysql -u your_user_name -p mysql_auth

Enter password:

Welcome message...

mysql> insert into data (user, password,isactive) values ('liwentao', password("123456"),’1’);

Query OK, 1 row affected (0.00 sec)

三、编译前修改参数

#cd /home/soft/squid/mysql_auth-0.8

#vi Makefile

CFLAGS = -I/usr/local/include -L/usr/local/mysql/lib

install:

        $(INSTALL) -o squid -g squid -m 755 mysql_auth /usr/local/squid/libexec/mysql_auth

        $(INSTALL) -o root -g root -m 700 mypasswd /usr/local/bin/mypasswd

        $(INSTALL) -o squid -g squid -m 600 $(CONF) /usr/local/squid/etc/mysql_auth.conf

        $(INSTALL) -o squid -g squid -m 600 $(CONF) /usr/local/squid/etc/mysql_auth.conf.default

#vi ./src/define.h

#define CONFIG_FILE "/usr/local/squid/etc/mysql_auth.conf"

#define VAR_HOST_NAME "hostname"

#define DEF_HOST_NAME "localhost"

/*

 * username

*/

#define VAR_USER_NAME "user"

#define DEF_USER_NAME "squid"

/*

 * user's (above) password

*/

#define VAR_USER_PASSWORD "password"

#define DEF_USER_PASSWORD "squid2341"

/*

 * database name

*/

#define VAR_DATABASE_NAME "database"

#define DEF_DATABASE_NAME "mysql_auth"

/*

 * socket name

*/

#define VAR_MYSQLD_SOCKET "mysqld_socket"

#define DEF_MYSQLD_SOCKET "/tmp/mysql.sock"

/*

 * table name

*/

#define VAR_TABLE_NAME "table"

#define DEF_TABLE_NAME "data"

/*

 * user column name

*/

#define VAR_USER_COLUMN "user_column"

#define DEF_USER_COLUMN "user"

/*

 * password column name

*/

#define VAR_PASSWORD_COLUMN "password_column"

#define DEF_PASSWORD_COLUMN "password"

/*

 * var_additionalselect

 * additional sql-select stuff

*/

#define VAR_ADDITIONALSELECT "additionalselect"

#define DEF_ADDITIONALSELECT "AND 1"

/*

 * use encrypted password format

*/

#define VAR_ENCRYPT_PASSWORD_FORM "encrypt_password_form"

#define DEF_ENCRYPT_PASSWORD_FORM "no"

/*

 * max length of line in config file

*/

#define MAXLENGTH 512

/*

 * max length of username or passwords

*/

#define MAX_STRLEN 64

/*

 * structure for variable options

*/

struct my_params {

        char *var_host_name;

        char *var_user_name;

        char *var_user_password;

        char *var_database_name;

        char *var_mysqld_socket;

        char *var_table_name;

char *var_user_column;

        char *var_password_column;

        char *var_encrypt_password_form;

        char *var_additionalselect;

};

#vi src/mysql_auth.conf

password        squid2341

mysqld_socket   /tmp/mysql.sock

additionalselect       AND isactive = 1

编译安装：

#ln -s  /usr/local/mysql/include/ /usr/local/include/mysql

#cd /home/soft/squid/mysql_auth-0.8

注意：这里强调下：

#vi Makefile

CFLAGS = -I/usr/local/include -L/usr/local/mysql/lib

系统会寻找第一个路径下的mysql/mysql.h，第二个路径下的libmysqlclients.a

所以我就#ln -s  /usr/local/mysql/include/ /usr/local/include/mysql 人为制造了一个mysql的子目录来满足

不然会出现以下错误，搞了我半小时，有点郁闷

gcc -I/usr/local/mysql/include -L/usr/local/mysql/lib   -c -o src/mysql_auth.o src/mysql_auth.c

src/mysql_auth.c:24:25: error: mysql/mysql.h: No such file or directory

src/mysql_auth.c: In function ‘main’:

src/mysql_auth.c:37: error: ‘MYSQL’ undeclared (first use in this function)

src/mysql_auth.c:37: error: (Each undeclared identifier is reported only once

src/mysql_auth.c:37: error: for each function it appears in.)

src/mysql_auth.c:37: error: expected ‘;’ before ‘connect’

src/mysql_auth.c:38: error: ‘MYSQL_RES’ undeclared (first use in this function)

src/mysql_auth.c:38: error: ‘result’ undeclared (first use in this function)

src/mysql_auth.c:39: error: ‘MYSQL_ROW’ undeclared (first use in this function)

src/mysql_auth.c:39: error: expected ‘;’ before ‘row’

src/mysql_auth.c:63: error: ‘connect’ undeclared (first use in this function)

src/mysql_auth.c:185: error: ‘row’ undeclared (first use in this function)

make: *** [src/mysql_auth.o] Error 1

测试：mysql_auth

编译安装完毕后

可以使用以下命令直接生成用户密码，也可以删除用户，数据库的名称跟管理数据库的用户和密码都在mysql_auth.conf中设置。

#mypasswd lwt 123456

可以用以下命令删除用户

#mypasswd -d lwt

#vi /usr/local/squid/etc/squid.conf

http_port 172.21.41.15:3128 transparent

注意：http_port这个还是用作透明代理的配置，监听内网真实网卡

acl inside src 172.21.0.0/16

http_access allow inside

注意：这一部分还是许可内部网络

auth_param basic realm Squid proxy server

auth_param basic program /usr/local/squid/libexec/mysql_auth

auth_param basic credentialsttl 5

auth_param basic children 5

acl mysqlauth proxy_auth REQUIRED

http_access allow mysqlauth

注意：这一部分，是许可用户认证

http_access deny all

启动squid

#su squid -c "/usr/local/squid/bin/RunCache &"

经过测试，如果是内网有其他非172.21.0.0/16网段的网络地址，从其他地方路由过来网段比如10.14.0.0

在squid设置中，是通不过透明代理的设置上网的，因为acl没有针对他们地址的许可。

同时对于http_port 172.21.41.15:3128 transparent 也是不要去修改或者增加一个针对10.14.0.1监听，网络是直接设置成172.21.41.15 3128的squid代理，跟10.14.0.0/16段的路径是完全不一样的。

但是这一部分的网络客户，可以通过ie、右键属性、连接、局域网设置172.21.41.15  3128 的方式上网。

而对于原有的内网地址，172.21.0.0/16段的客户，还是能透明代理上网！

同时注意，在数据库中，如果把isactive设置成0的话，这个账号就会被暂时封掉，表现为再次弹出输入用户名密码的窗口。

在sarg的日志的界面中，显示如下

内网地址透明代理的日志userid是ip地址，用户认证的部分为用户名。