SQUID - AUP Redirect

[ahuxham]

Hi Guys,

Wondering if anyone could lend a hand with something, as my coding foo is not strong.

I'm trying (if possible) to implement a simple redirect for AUP within squid, so users have to accept a policy.

A user would request for example google.com, squid would than check its redirect program and issue a 302 redirect to a locally hosted webpage containing the schools "Internet AUP" wherein they are able to accept, a cookie is set, and they than proceed to the page they requested.

Now obviously, there are a few problems.

1) Redirect script would need to catch the url requested from squid, and redirect at the end
2) Redirect script would need to check if a 12hour cookie has been set thus the user has previously accepted the AUP
3) Redirect script would need to be able to catch all URLS, er say *.*?

Without catching the initial url, there isnt much point as the redirect page would jusst halt the process if a cookie is set.

Does anyone think this can be done?

I found this on squid-cache.org (PHP)

url_rewrite_program /etc/squid/redirect.php

PHP Code:

<?php

$temp = array();

while ( $input = fgets(STDIN) ) {
  // Split the output (space delimited) from squid into an array.
  $temp = split(' ', $input);

  // Set the URL from squid to a temporary holder.
  $output = $temp[0] . "\n";

  // Check the URL and rewrite it if it matches limewire.com
  if ( strpos($temp[0], "limewire.com") ) {
    $output = "302:http://www.google.com/\n";
  }
  echo $output;
}

[matt40k]

Could do a simple NTLM authenication. The have the page change the user membership. Could be nicer I think. However not sure how easy that would be not mucking around with squid anymore... or ldap for that matter.

[ahuxham]

Could do a simple NTLM authenication. The have the page change the user membership. Could be nicer I think. However not sure how easy that would be not mucking around with squid anymore... or ldap for that matter.

We do NTLM authentication at present, however we don't implement any group/user membership actions.

NTLM >(yes accepted)> change to general trusted> wbinfo_group.pl > allow etc?

[matt40k]

Yes you can do what you want to do. Exact instructions I can't help with. Unless you want to pay

Sorry I can't help much more. If I was still working in a school I would help a lot more as I'll be doing it too

Might be worth posting something on the Dansguardian forum. Sounds like there kind of thing

Really good idea by the way. I've only heard of people putting AUP on login.

[ahuxham]

So at the moment I'm scrapping together the functions or aspects of it all in block pieces. I think the cookie part is done, and the setting of the cookie.

aup.php (squid redirect)

PHP Code:

<?
// DURATION FUNCTION FOR COOKIE, 12HOURS
    $duration = time()+(60*60*12);

// CHECK COOKIE, HAS USER PREVIOUSLY ACCEPTED AUP?
    if (!$aup_accepted)
    {
        $accepted = $_POST[accepted];        
    }
    else
    {
        $accepted = $aup_accepted;            
    } // NEED TO ADD IF ACCEPT REDIRECT, IF NOT DISPLAY AUP+FORM
    
    
// SET COOKIE FOR AUP DETECTED, WITH DURATION OF 12HOURS.    
    if ($_POST[accepted] == "Yes")
        {
            setcookie("aup_accepted", $duration);                
        }
        
// REDIRECT
    header("Location:]");
?>

Which is that function, and the form is simply:

Code:

<div align="center">Do you accept this Acceptable Usage Policy?</div>
<FORM METHOD="POST" ACTION="aup.php">
<input type="submit" name="accepted" value="Yes">
<input type="submit" value="No" <!-- need to add a function here to do null, or JS to close browser? -->>
</FORM>

I'm not that great at PHP, I do have my PHP for dummies book on my desk, I think, somehow I'll cobble it all together, contribution most welcome ;]

[matt40k]

It'll mean the have to except it daily

Also Cookies would be client side so it's rather insecure.

[ahuxham]

It'll mean the have to except it daily

Also Cookies would be client side so it's rather insecure.

Thats the plan, every day they accept the AUP and abide by it.

Care to explain how client side would be insecure? I don't really understand the statement (I'm not foo-literate regards php/cookies/security)

[Geoff]

Wrong tool for the job don't you think? You should be using some captive portal software.

Sweetspot: Layer 3 network access controller

[ahuxham]

Wrong tool for the job don't you think? You should be using some captive portal software.

Sweetspot: Layer 3 network access controller

Seems highly complicated, and my knowledge of packet capturing, redirection, and the likes is limited. I'd have no idea how to get it all working.

Do requests go Squid (ntlm)> DG > Squid(cache) > Captive Portal, or does the CP come in first, last and the likes =(

[Geoff]

CP -> Squid(NTLM) -> DG -> Squid(cache) -> Internet.