From: hno <>
Date: Wed, 3 May 2000 03:35:24 +0000 (+0000)
Subject: hno squid-2.3.STABLE1.strict_authenticate_ip_ttl.patch [variant there of]
X-Git-Tag: SQUID_3_0_PRE1~1997
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70a7603300170e2fe8fc2b9d2602bb945f9ae765;p=thirdparty%2Fsquid.git
hno squid-2.3.STABLE1.strict_authenticate_ip_ttl.patch [variant there of]
Squid-2.3.STABLE1: strict authenticate_ip_ttl option
Changed authenticate_ip_ttl to have an strict option, enforcing that the user comes from one IP address only.
Changes from the patch: Added another squid.conf directive for enabling this rather than overloading the authenticate_ip_ttl option with negative values..
---
diff --git a/src/acl.cc b/src/acl.cc
index f992cc1ab9..294cf1ce12 100644
--- a/src/acl.cc
+++ b/src/acl.cc
@@ -1,6 +1,6 @@
/*
- * $Id: acl.cc,v 1.215 2000/05/02 20:22:54 hno Exp $
+ * $Id: acl.cc,v 1.216 2000/05/02 21:35:24 hno Exp $
*
* DEBUG: section 28 Access Control
* AUTHOR: Duane Wessels
@@ -1145,13 +1145,21 @@ aclMatchProxyAuth(void * data, const char *proxy_auth, acl_proxy_auth_user * aut
return 0; /* NOTREACHED */
}
} else {
- /* user has switched to another IP addr */
- debug(28, 1) ("aclMatchProxyAuth: user '%s' has changed IP address\n", user);
- /* remove this user from the hash, making him unknown */
- hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
- aclFreeProxyAuthUser(auth_user);
- /* require the user to reauthenticate */
- return -2;
+ if (Config.onoff.authenticateIpTTLStrict) {
+ /* Access from some other IP address than the one owning
+ * this user ID. Deny access
+ */
+ debug(28, 1) ("aclMatchProxyAuth: user '%s' tries to use multple IP addresses!\n", user);
+ return 0;
+ } else {
+ /* user has switched to another IP addr */
+ debug(28, 1) ("aclMatchProxyAuth: user '%s' has changed IP address\n", user);
+ /* remove this user from the hash, making him unknown */
+ hash_remove_link(proxy_auth_cache, (hash_link *) auth_user);
+ aclFreeProxyAuthUser(auth_user);
+ /* require the user to reauthenticate */
+ return -2;
+ }
}
} else {
/* password mismatch/timeout */
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 47429c3844..d9d9392fd9 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1,6 +1,6 @@
#
-# $Id: cf.data.pre,v 1.176 2000/05/02 20:58:30 hno Exp $
+# $Id: cf.data.pre,v 1.177 2000/05/02 21:35:24 hno Exp $
#
#
# SQUID Internet Object Cache http://squid.nlanr.net/Squid/
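Review bot: The strict-mode deny records only the user name — `debug(28, 1) ("aclMatchProxyAuth: user '%s' tries to use multple IP addresses!\n", user);` — so a cache.log reader cannot tell a shared or stolen password from a user whose address simply changed, and the message misspells "multiple". The address comparison that selects this else-branch is above the hunk, so I cannot see the variable names, but if the requesting address and the address bound to `auth_user` are in scope, logging both (formatted one at a time, since `inet_ntoa()` returns a static buffer) would make this the one event an operator can alert on, e.g. `"aclMatchProxyAuth: user '%s' denied: request from %s while bound to %s\n"`. A short comment that `return 0;` is a plain deny rather than the `-2` re-challenge, leaving the owning address's cache entry intact, would also document why the two branches differ. aclMatchProxyAuth starts and ends outside the hunk.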
@@ -1006,20 +1006,19 @@ DOC_START
DOC_END
NAME: authenticate_ttl
-TYPE: int
-DEFAULT: 3600
+TYPE: time_t
+DEFAULT: 1 hour
LOC: Config.authenticateTTL
DOC_START
- The time a checked username/password combination remains cached
- (default 3600). If a wrong password is given for a cached user,
- the user gets removed from the username/password cache forcing
- a revalidation.
+ The time a checked username/password combination remains cached.
+ If a wrong password is given for a cached user, the user gets
+ removed from the username/password cache forcing a revalidation.
DOC_END
NAME: authenticate_ip_ttl
-TYPE: int
+TYPE: time_t
LOC: Config.authenticateIpTTL
-DEFAULT: 0
+DEFAULT: 0 seconds
DOC_START
With this option you control how long a proxy authentication will be bound to a specific IP address. If a request using
@@ -1031,9 +1030,22 @@ DOC_START
port. The default is 0 to disable the check. Recommended value
- if you have dialup users are no more than 60 (seconds). If
- all your users are stationary then higher values may be
- used.
+ if you have dialup users are no more than 60 seconds to allow
+ the user to redial without hassle. If all your users are
+ stationary then higher values may be used.
+
+ See also authenticate_ip_ttl_is_strict
+DOC_END
+
+NAME: authenticate_ip_ttl_is_strict
+TYPE: onoff
+LOC: Config.onoff.authenticateIpTTLStrict
+DEFAULT: on
+DOC_START
+ This option makes authenticate_ip_ttl a bit stricted. With this
+ enabled authenticate_ip_ttl will deny all access from other IP
+ addresses until the TTL has expired, and the IP address "owning"
+ the userid will not be forced to reauthenticate.
DOC_END
COMMENT_START
diff --git a/src/structs.h b/src/structs.h
index 76debdfecd..919d626af8 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -1,6 +1,6 @@
/*
- * $Id: structs.h,v 1.327 2000/05/02 21:21:09 hno Exp $
+ * $Id: structs.h,v 1.328 2000/05/02 21:35:24 hno Exp $
*
*
* SQUID Internet Object Cache http://squid.nlanr.net/Squid/
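Review bot: `DEFAULT: on` for authenticate_ip_ttl_is_strict changes what an existing `authenticate_ip_ttl` setting does on upgrade: a user whose address changes is now denied until the TTL expires instead of being re-challenged, and the DOC text does not say so. Either default it to `off` so the previous behaviour is kept unless asked for, or add a line to the DOC such as `Note: with this on, a user who changes IP address is locked out until authenticate_ip_ttl expires; keep the TTL short for dialup users.` The text also has a typo: `a bit stricted` should read `a bit stricter`. Per the acl.cc change, the lockout shows up only as a section 28 debug line in cache.log, which is worth mentioning here so administrators know where to look when users report denials.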
@@ -325,8 +325,8 @@ struct _SquidConfig {
#endif
int redirectChildren;
int authenticateChildren;
- int authenticateTTL;
- int authenticateIpTTL;
+ time_t authenticateTTL;
+ time_t authenticateIpTTL;
struct {
int single_host;
char *host;
@@ -422,6 +422,7 @@ struct _SquidConfig {
int digest_generation;
#endif
int log_ip_on_direct;
+ int authenticateIpTTLStrict;
} onoff;
acl *aclList;
struct {
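Review bot: Widening `authenticateTTL` and `authenticateIpTTL` from `int` to `time_t` is only half of a type change: any code that prints them with `%d` or stores them back into an `int` now has a format or truncation mismatch on platforms where `time_t` is wider than `int`, and this commit touches no such caller. I cannot see the readers of these fields from the hunk, so they are worth a search for `authenticateTTL` and `authenticateIpTTL` before merging, casting to `(long)` with `%ld` where they are formatted. A one-line comment on the new flag naming the squid.conf directive that sets it, `int authenticateIpTTLStrict; /* authenticate_ip_ttl_is_strict */`, would tell readers of structs.h where the value comes from.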