CP, transparent squid and CP credentials as squid user possible?
-
Hi guys,
I just registered to get my question resolved. I have been using pfSense for about 10 years now, so I'm not exactly a noob. In fact I'm a self-employed networking and security consultant…
Setup:
pfSense 2.2.6
Squid 2 (4.3.10)
squidGuard (1.9.18)
other installed packages: bandwidthd, Sarg
Squid runs in transparent mode. This is a hard requirement, because of the local WAF - I assume you're familiar with the "woman's acceptance factor". The local one around here is very low... :) WPAD isn't an option either because of smartphones, tablets and guests with mobile devices in my WLAN.
I got CP with vouchers, Squid and squidGuard running just fine. Now I'm struggling with the details.
Basically I want to regulate internet access for my 10 yo daughter. Her laptop IP is on CP. Login with local user works, vouchers work, squidGuard restrictions based on her IP work.
My intention here is: if she logs in with user/PW, restrictive squidGuard rules apply, basically some learning platforms. But together with her allowance she gets a voucher to access the internet freely until it's used up. Therefore I need to know if she's using a voucher or not. Even without a voucher she should be able to access the restrictive whitelist anytime.
Unfortunately squidGuard doesn't know anything about the CP user. Is a setup like I described even possible? If yes, manual squid/squidGuard configuration isn't a problem. I just don't know how to access the CP user from within squid.
Thanks!
-Walter
PS: I'm open to different approaches too! ;)
-
FollowUp to myself.
I just dived into the PHP code and learned how to extract the current CP users. They're stored in a sqlite DB, simple enough to extract:
echo "select ip, username from captiveportal;" | sqlite3 /var/db/captiveportalZONENAME.db
or something like:
echo "select username from captiveportal where ip == 'XXX';" | sqlite3 /var/db/captiveportalZONENAME.db
Now, does anyone know how to build a squidGuard ACL out of this? :)
-Walter
-
I'm starting to feel lonely… :)
Ok, Squid authentication isn't possible, because squid doesn't allow setting a user manually (for several reasons).
squidGuard is very limited when it comes to src ACLs - I just learned that yesterday; unfortunately I'm no squidGuard expert. There's no way to set src ACLs based on other things than authenticated usernames or source IPs.
The only way i see so far is writing a script that
- extracts the current user with a given IP from the CP database
- depending on the user rewrites the squidGuard configuration on the fly
- restarts squidGuard if there's a change (killall squidguard, squid -k reconfigure or whatever)
Then run it via cron every minute.
That's what I'll do now. Thanks for listening. I'm still open to other approaches.
-Walter
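The cron-driven approach laid out in the post above, as an added example (my code, not Walter's script and nothing from the pfSense project): it reads the CP username for one IP with the sqlite3 query from the thread, maps it to a profile, swaps between two hand-written squidGuard configs and reloads squid only when something changed. It assumes that voucher logins appear in the CP database with the voucher code as the username; LOCAL_USERS, the config paths and the zone name are placeholders.

```shell
#!/bin/sh
# cp_squidguard_sync.sh (cron, once a minute): pick the squidGuard config for one
# client IP from who is logged in to the Captive Portal from that IP.
# Assumed, not from the thread: a voucher login stores the voucher code as the
# CP username; LOCAL_USERS, the paths and the zone name are placeholders.
CP_DB_DIR=${CP_DB_DIR:-/var/db}                 # pfSense: captiveportalZONENAME.db lives here
LOCAL_USERS=${LOCAL_USERS:-daughter}            # CP accounts that get the whitelist-only policy
SG_CONF=${SG_CONF:-/usr/local/etc/squidGuard/squidGuard.conf}
STATE_FILE=${STATE_FILE:-/var/run/cp_squidguard_profile}   # profile applied by the last run

# Username logged in from IP $2 in zone $1 (empty when nobody is logged in).
cp_user_for_ip() {
    case "$2" in *[!0-9.]*|"") echo "bad ip: $2" >&2; return 1 ;; esac   # keep the SQL literal sane
    echo "select username from captiveportal where ip = '$2';" \
        | sqlite3 "$CP_DB_DIR/captiveportal$1.db"
}
# Username -> profile: none (nobody logged in), restricted (a local account),
# voucher (anything else is taken to be a voucher code).
profile_for_user() {
    if [ -z "$1" ]; then echo none; return 0; fi
    for u in $LOCAL_USERS; do
        if [ "$u" = "$1" ]; then echo restricted; return 0; fi
    done
    echo voucher
}

# Hand-written configs: only a voucher session gets the unrestricted one; 'none'
# and 'restricted' share the whitelist-only config, so learning sites work without login.
config_for_profile() {
    if [ "$1" = voucher ]; then echo "$SG_CONF.voucher"; else echo "$SG_CONF.restricted"; fi
}

# Install the config for profile $1 if it differs from the last run.
# Returns 0 when squid must reload, 1 when nothing changed.
apply_profile() {
    last=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ "$last" = "$1" ]; then return 1; fi
    cp "$(config_for_profile "$1")" "$SG_CONF"
    printf '%s\n' "$1" > "$STATE_FILE"
    return 0
}
main() {
    user=$(cp_user_for_ip "$1" "$2") || exit 1
    if apply_profile "$(profile_for_user "$user")"; then
        squid -k reconfigure   # restarts the redirector helpers, which re-read squidGuard.conf
    fi
}
# crontab: * * * * * /root/cp_squidguard_sync.sh ZONENAME 192.0.2.10
if [ $# -eq 2 ]; then main "$@"; fi
```

Both squidGuard.conf.restricted and squidGuard.conf.voucher are written by hand once (same src/dest blocks, different acl for the daughter's src); the script only decides which one is live.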
-
What you aim for is also pretty much what I aim for! :D
Except I don't use Squid for blocking but rather, the Firewall feature itself.
Also, compared to you, I'm a networking "baby" lol. I think you would be interested in reading my post: https://forum.pfsense.org/index.php?topic=110035
Good luck to us! ;)
-
I am interested in this solution, but….
:-[