
Squid 2.6通过mysql_auth方式认证

一、解压缩打补丁

#wget http://people.arxnet.hu/airween/mysql_auth/mysql_auth-0.8.tar.gz
#wget http://www.zero-sys.net/portal/download/additionalselect.patch

#tar xvzf mysql_auth-0.8.tar.gz

#cd mysql_auth-0.8

#patch -p1 < ../additionalselect.patch

patching file src/confparser.c

patching file src/define.h

patching file src/mysql_auth.c

patching file src/mysql_auth.conf

 注:这个补丁主要是增加一个可以暂时封停账号的字段 isactive。

 二、建立 mysql_auth 用到的数据库及管理数据库的用户和密码

#cd /home/soft/squid/mysql_auth-0.8/scripts

#vi create_script

GRANT SELECT,INSERT,UPDATE,DELETE ON mysql_auth.data TO squid@localhost IDENTIFIED BY 'squid2341';

 注:这条语句规定了 squid 用户使用 squid2341 作为密码,来管理 mysql_auth 数据库中的 data 表。因为后面的 mypasswd 也通过 mysql_auth.conf 中的这同一个账号增删用户,所以这里授予了 INSERT/UPDATE/DELETE;如果该账号只用于 mysql_auth 做认证,其实只需要 SELECT 权限。


 #/usr/local/mysql/bin/mysql -u root -p < create_script

Enter password:
 注意:isactive 字段需要手工在 data 表中建立,create_script 里面没有建立这个字段。

 
# /usr/local/mysql/bin/mysql -u squid -p mysql_auth

Enter password:Welcome to the MySQL monitor.

 mysql> insert into data (user, password, isactive) values ('liwentao', '123456', '1');

Query OK, 1 row affected (0.00
sec)

 if you want to store your passwords in encrypted format (the helper must then also have `encrypt_password_form` enabled in mysql_auth.conf, since its built-in default is "no"):

shell> mysql -u your_user_name -p mysql_auth

Enter password:

Welcome message...

mysql> insert into data (user, password, isactive) values ('liwentao', password("123456"), '1');

Query OK, 1 row affected (0.00 sec)

 

三、编译前修改参数

#cd /home/soft/squid/mysql_auth-0.8

#vi Makefile

CFLAGS =
-I/usr/local/include -L/usr/local/mysql/lib

 install:

       
$(INSTALL) -o squid
-g squid
-m 755
mysql_auth /usr/local/squid/libexec/mysql_auth

       
$(INSTALL) -o root -g
root -m 700 mypasswd /usr/local/bin/mypasswd

       
$(INSTALL) -o squid
-g squid
-m 600
$(CONF) /usr/local/squid/etc/mysql_auth.conf

       
$(INSTALL) -o squid
-g squid
-m 600
$(CONF) /usr/local/squid/etc/mysql_auth.conf.default

  #vi ./src/define.h

/* Runtime configuration file. The Makefile above installs it owned by squid
 * with mode 600 because it carries the database password. */
#define CONFIG_FILE "/usr/local/squid/etc/mysql_auth.conf"

/* For every option, VAR_* is the keyword looked for in CONFIG_FILE and DEF_*
 * is presumably the value used when the keyword is absent (the config parser,
 * confparser.c, is not shown here). */

/* mysql server host name */
#define VAR_HOST_NAME "hostname"
#define DEF_HOST_NAME "localhost"

/*
 * username
 */
#define VAR_USER_NAME "user"
#define DEF_USER_NAME "squid"

/*
 * user's (above) password
 *
 * NOTE(review): this literal is compiled into mysql_auth, which the Makefile
 * above installs with -m 755, so the real database password ends up as a
 * plain string inside a world-readable executable even though
 * mysql_auth.conf itself is mode 600. Leaving the built-in default as a
 * placeholder and putting the real password only in the conf file avoids that.
 */
#define VAR_USER_PASSWORD "password"
#define DEF_USER_PASSWORD "squid2341"

/*
 * database name
 */
#define VAR_DATABASE_NAME "database"
#define DEF_DATABASE_NAME "mysql_auth"

/*
 * socket name
 */
#define VAR_MYSQLD_SOCKET "mysqld_socket"
#define DEF_MYSQLD_SOCKET "/tmp/mysql.sock"

/*
 * table name
 */
#define VAR_TABLE_NAME "table"
#define DEF_TABLE_NAME "data"

/*
 * user column name
 */
#define VAR_USER_COLUMN "user_column"
#define DEF_USER_COLUMN "user"

/*
 * password column name
 */
#define VAR_PASSWORD_COLUMN "password_column"
#define DEF_PASSWORD_COLUMN "password"

/*
 * var_additionalselect
 * additional sql-select stuff
 *
 * Extra SQL text that appears to be appended verbatim to the credential
 * lookup (the conf below sets "AND isactive = 1" to implement account
 * suspension). It comes from the 600-mode conf file, not from the client,
 * but whoever can edit that file controls the query text.
 */
#define VAR_ADDITIONALSELECT "additionalselect"
#define DEF_ADDITIONALSELECT "AND 1"

/*
 * use encrypted password format
 *
 * Presumably selects whether the password column holds MySQL PASSWORD()
 * values (see the insert example above) rather than plain text; the
 * built-in default is plain text.
 */
#define VAR_ENCRYPT_PASSWORD_FORM "encrypt_password_form"
#define DEF_ENCRYPT_PASSWORD_FORM "no"

/*
 * max length of line in config file
 */
#define MAXLENGTH 512

/*
 * max length of username or passwords
 *
 * NOTE(review): the code that reads credentials from Squid (mysql_auth.c,
 * not shown) must bound its reads by this value and reject longer input
 * rather than truncate it silently -- confirm there.
 */
#define MAX_STRLEN 64

 /*

 
* structure for variable
options

*/

struct my_params {
        /* One slot per VAR_* keyword of the config file; each holds the
         * option's string value. Ownership/lifetime of the pointed-to strings
         * is not visible in this excerpt. */

        /* MySQL server host (VAR_HOST_NAME) */
        char *var_host_name;
        /* MySQL account the helper connects as (VAR_USER_NAME) */
        char *var_user_name;
        /* that account's password (VAR_USER_PASSWORD) -- a secret; keep it
         * out of any log or error output */
        char *var_user_password;
        /* database holding the credential table (VAR_DATABASE_NAME) */
        char *var_database_name;
        /* local mysqld socket path (VAR_MYSQLD_SOCKET) */
        char *var_mysqld_socket;
        /* table that holds the credentials (VAR_TABLE_NAME) */
        char *var_table_name;
        /* column names for the username and the password
         * (VAR_USER_COLUMN, VAR_PASSWORD_COLUMN) */
        char *var_user_column;
        char *var_password_column;
        /* config flag (default DEF_ENCRYPT_PASSWORD_FORM, "no") telling
         * whether stored passwords are in encrypted form */
        char *var_encrypt_password_form;
        /* extra SQL appended to the lookup (VAR_ADDITIONALSELECT); trusted
         * config text, presumably spliced verbatim into the query */
        char *var_additionalselect;
};

  
#vi src/mysql_auth.conf

password      
 
squid2341

mysqld_socket  
/tmp/mysql.sock

additionalselect      
AND isactive =
1

  
 
 
编译安装:

#ln -s /usr/local/mysql/include/ /usr/local/include/mysql

#cd /home/soft/squid/mysql_auth-0.8

 注意:这里强调下:

#vi Makefile

CFLAGS =
-I/usr/local/include -L/usr/local/mysql/lib

 系统会在第一个路径下寻找 mysql/mysql.h,在第二个路径下寻找 libmysqlclients.a。

所以我就用 #ln -s /usr/local/mysql/include/ /usr/local/include/mysql 人为制造了一个 mysql 的子目录来满足它。

 不然会出现以下错误,搞了我半小时,有点郁闷

gcc
-I/usr/local/mysql/include -L/usr/local/mysql/lib  
-c -o
src/mysql_auth.o src/mysql_auth.c

src/mysql_auth.c:24:25:
error: mysql/mysql.h: No such file or directory

src/mysql_auth.c: In
function ‘main’:

src/mysql_auth.c:37:
error: ‘MYSQL’ undeclared (first use in this function)

src/mysql_auth.c:37:
error: (Each undeclared identifier is reported only once

src/mysql_auth.c:37:
error: for each function it appears in.)

src/mysql_auth.c:37:
error: expected ‘;’ before ‘connect’

src/mysql_auth.c:38:
error: ‘MYSQL_RES’ undeclared (first use in this function)

src/mysql_auth.c:38:
error: ‘result’ undeclared (first use in this function)

src/mysql_auth.c:39:
error: ‘MYSQL_ROW’ undeclared (first use in this function)

src/mysql_auth.c:39:
error: expected ‘;’ before ‘row’

src/mysql_auth.c:63:
error: ‘connect’ undeclared (first use in this function)

src/mysql_auth.c:185:
error: ‘row’ undeclared (first use in this function)

make: ***
[src/mysql_auth.o] Error 1

 测试 mysql_auth:

编译安装完毕后

可以使用以下命令直接生成用户密码,也可以删除用户;数据库的名称跟管理数据库的用户和密码都在 mysql_auth.conf 中设置。注意密码作为命令行参数会留在 shell 历史里,并且在执行期间对其他用户的 ps 可见。

 
#mypasswd lwt 123456

 可以用以下命令删除用户

#mypasswd -d lwt

Squid.conf changes

 
#vi /usr/local/squid/etc/squid.conf

http_port 172.21.41.15:3128 transparent

 

注意:http_port 这里还是用作透明代理的配置,监听内网真实网卡。

 

acl inside src 172.21.0.0/16

http_access allow inside

注意:这一部分还是许可内部网络;由于这条规则排在 mysqlauth 之前,172.21.0.0/16 的客户端不会被要求认证。

 

auth_param basic realm Squid proxy server

auth_param basic program /usr/local/squid/libexec/mysql_auth

auth_param basic credentialsttl 5

auth_param basic children 5

 

acl mysqlauth proxy_auth REQUIRED

http_access allow mysqlauth

注意:这一部分是要求用户通过认证后才许可;basic 认证的用户名和密码在网络上只经过 base64 编码,并未加密。

 

http_access deny all

 

启动
squid

#su squid -c "/usr/local/squid/bin/RunCache &"

 经过测试,如果内网中有其他非 172.21.0.0/16 网段的地址(比如从其他地方路由过来的 10.14.0.0 网段),在上述 squid 设置下是无法通过透明代理上网的,因为 acl 没有针对这些地址的许可。

同时,对于 http_port 172.21.41.15:3128 transparent 也不需要去修改或者增加一个针对 10.14.0.1 的监听;客户端直接设置 172.21.41.15 3128 作为 squid 代理,其路径跟 10.14.0.0/16 段的透明代理路径是完全不一样的。


但是这一部分的网络客户,可以通过 ie、右键属性、连接、局域网设置中填入 172.21.41.15 3128 的方式上网。

 

 
 
 
而对于原有的内网地址,即 172.21.0.0/16 段的客户,还是能透明代理上网!

 同时注意,在数据库中,如果把 isactive 设置成 0 的话,这个账号就会被暂时封掉,表现为再次弹出输入用户名密码的窗口。

 在 sarg 的日志界面中显示如下:内网地址透明代理的日志中 userid 为 ip 地址,用户认证的部分则为用户名。

 
 
 


 