Happy Birth'day, dear my son! :)
This is an authentication module for the Squid proxy server
to authenticate users on an mysql database.
The database is a single table, and the table is a very
simple user-password pair, with plain or encrypted passwords.
There is a utility, called by mypasswd. With this you can add a new user to your pasword database,
update it or delete from. It uses the configuration file, what mysql_auth.
Usage is simple. It accepts a username and password on standard input. It will return OK if the username/password is valid, or ERR if there was some problem. Check syslog messages for reported problems.
mypasswd is also a very simple program: simply type mypasswd with no arguments, and it gives you help about itself. Note, these are the examples about it:
shell> mypasswd user passwordadd a new user if it doesn't exist, or update its password. This form of mypasswd also makes it:
shell> mypasswd user Enter NEW password: Re-enter NEW password: Password record ADDED succesfully.And you can delete a user from database, like this:
shell> mypasswd -d usermysql_auth is released under the GNU General Public License and is available from http://people.arxnet.hu/airween/mysql_auth/.
Mysql_auth tested with MySQL 3.23, 4.0.XX, on Linux and FreeBSD os's.
Installation
Make any changes to the source code you need. For example, set up correctly place of configuration file. See that in define.h.
Review the Makefile, and modify based on target platform or
site requirements. Setting up the mysql.h header and libmysqlclients.a places. Setting up your squid user
and group accounts, and squid root directory.
Setting up correctly the permissions of mysql_auth.conf (mode 600)!
This is very important! This file included a mysql account,
with select, update, insert and delete privileges!
Also very important: if you use mysql.log, be very carefull! It contains all transactions!
For example:
52 Query UPDATE data SET password = password ("1234") WHERE user LIKE 'airween'
After when you edit what you want, type 'make', then 'make install', then 'make clean'.
'Make install' will put 'mysql_auth' into
/usr/local/squid/libexec default, and 'mysql_auth.conf' to /usr/local/squid/etc.
Create database
For store user and password pairs, you need a database, like mysql. It is very simple, one-table database. For create it, you need to run create_script from path/to/your/source/scripts directory.
You can create it like this:
shell> cd path/to/mysql_auth-source/scripts shell> mysql -u your_user_name -p < create_script Enter password: <type your password>To add a user:
shell> mysql -u your_user_name -p mysql_auth
Enter password:
Welcome message...
mysql> insert into data (user, password) values ('joeav', 'joespass');
Query OK, 1 row affected (0.00 sec)
mysql>
or if you want to store your passwords in encrypted format:
shell> mysql -u your_user_name -p mysql_auth
Enter password:
Welcome message...
mysql> insert into data (user, password) values ('joeav', password("joespass"));
Query OK, 1 row affected (0.00 sec)
mysql>
Or try mypasswd:
shell> mypasswd joeav joespassThat's it!
Note: if you set up in mysql_auth.conf the encrypt_password_form to 'yes', mypasswd also uses encrypt form.
Hopefully nobody has problems compiling mysql_auth, and create_script.
Issues when compiling
The Makefile uses the GCC compiler, and assumes that it is in the current PATH. Mysql_auth is known to compile properly on Debian Linux 3.1 without problems. Other operating systems are untested, but use a recent copy of the GNU C compiler.
Problem occur, when you can't setting up mysql header and/or library correctly.
Other, if you use MySQL 4.0 or above, may be you need to use in CFLAGS -lz at last.
Configuration file
Mysql_auth uses a configuration file. It reads just every startup, not every query. The file is /usr/local/squid/etc/mysql_auth.conf. If this path needs to be changed, see define.h.
#define CONFIG_FILE "/usr/local/squid/etc/mysql_auth.conf"
An example configuration file is provided. It looks like
hostname localhost # FQDN hostname or IP address. # if you use it on localhost, and don't use tcp-network to # connect it (use a UNIX socket), you have to set up the # mysqld_socket parameter - see below user squid # mysql user name - mysql administrator sets up. password squid # password of mysql user - mysql administrator sets up. database mysql_auth # mysql database on mysql server - a unique name. mysqld_socket /tmp/mysqld.sock # absolute path of mysql daemon socket # need it, if you use mysqld through UNIX socket, not INET socket # see skip-networking option in my.cnf, the main configuration file # of mysql table data # table name in mysql database - contents two couloms, user and password. # The password store in plain or encrypt format, and of course, case sensitive. user_column user # column name where username exists. password_column password # password name where passwords exists. encrypt_password_form no # if you want to store your passwords in encrypted form # this is case insensitive; 'YES' and 'yes' is same
These values are defaults, when you don't set other, mysql_auth wants to work with these.
All comments start with '#'. Empty line allowed.
When a user provides a username/password, mysql_auth querys from mysql server.
It stops after a user has been successfully authenticated.
Make sure the server can be reached and
is active, or else mysql_auth will return all with errors!
Squid.conf changes
Refer to Squid documentation for the required changes to squid.conf. You will need to set the following lines to enable authentication for your access list -
acl <yourACL> proxy_auth REQUIRED http_access allow password http_access allow <yourACL> http_access deny all
You will also need to review the following directives. The number of mysql_auth children spawned is set with authenticate_children. The number of children needed is site-dependent, so some experimentation may be required to find the best number.
auth_param basic realm Squid proxy server auth_param basic program /usr/local/squid/libexec/mysql_auth auth_param basic credentialsttl 5 auth_param basic children 5
I strongly urge that mysql_auth is tested prior to being used in a production environment. It may behave differently on different platforms. To test it, run it from the command line. Enter username and password pairs separated by a space.
It should behave in the following way -
- Press ENTER to get an OK or ERR message. - Make sure pressing CTRL-C aborts the program. - Test that entering no details does not result in an OK or ERR message. - Test that entering an invalid username and password results in an ERR message. - Test that entering an valid username and password results in an OK message.
Usernames cannot have whitespace in them, passwords can.
If you have any problem until you test it, see your syslog for details.
Contact details
To contact the maintainer of this package, email Ervin Hegedus at airween a.t arxnet d.o.t hu.
Also I have a nice mailing list: https://lists.fsn.hu/mailman/listinfo/mysql-auth
Good Luck! :)