[ILUG] time based acl's for squid.

Barry O'Donovan mail at barryodonovan.com
Tue Aug 8 01:12:57 IST 2006


On Tuesday 08 August 2006 00:02, Owen O' Shaughnessy wrote:
> I'm looking for a way to implement pre-paid web browsing using squid
> as a transparent proxy with user authentication. Clients would buy
> pre-paid cards with pre-configured proxy usernames, each with a 1 hour
> credit etc.

> Anybody seen anything like this done with squid before?? 

This may interest you:

http://www.chillispot.org/

I looked at it many moons ago for a wireless AP (and it may only support 
wireless). I also came across this recently but I haven't tried it and can't 
recommend it:

http://sourceforge.net/projects/phpmyprepaid/

Some other things that might help you:

http://www.squid-cache.org/related-software.html (there's mention here of 
using Radius authentication via Squid under Authenticators).

ftp://ftp.nmo.net/pub/radkill/radkill-latest.tar.gz

Take a look at the counter module as described in freeradius's radiusd.conf 
(shown below).

I would think that the real problem you may have with using Squid is actually 
kicking the user off once their time has expired.

 - Barry

        #  counter module:
        #  This module takes an attribute (count-attribute).
        #  It also takes a key, and creates a counter for each unique
        #  key.  The count is incremented when accounting packets are
        #  received by the server.  The value of the increment depends
        #  on the attribute type.
        #  If the attribute is Acct-Session-Time or of an integer type we add the
        #  value of the attribute. If it is anything else we increase the
        #  counter by one.
        #
        #  The 'reset' parameter defines when the counters are all reset to
        #  zero.  It can be hourly, daily, weekly, monthly or never.
        #
        #  hourly: Reset on 00:00 of every hour
        #  daily: Reset on 00:00:00 every day
        #  weekly: Reset on 00:00:00 on sunday
        #  monthly: Reset on 00:00:00 of the first day of each month
        #
        #  It can also be user defined. It should be of the form:
        #  num[hdwm] where:
        #  h: hours, d: days, w: weeks, m: months
        #  If the letter is omitted days will be assumed. In example:
        #  reset = 10h (reset every 10 hours)
        #  reset = 12  (reset every 12 days)
        #
        #
        #  The check-name attribute defines an attribute which will be
        #  registered by the counter module and can be used to set the
        #  maximum allowed value for the counter after which the user
        #  is rejected.
        #  Something like:
        #
        #  DEFAULT Max-Daily-Session := 36000
        #          Fall-Through = 1
        #
        #  You should add the counter module in the instantiate
        #  section so that it registers check-name before the files
        #  module reads the users file.
        #
        #  If check-name is set and the user is to be rejected then we
        #  send back a Reply-Message and we log a Failure-Message in
        #  the radius.log
        #  If the count attribute is Acct-Session-Time then on each login
        #  we send back the remaining online time as a Session-Timeout attribute
        #
        #  The counter-name can also be used instead of using the check-name
        #  like below:
        #
        #  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
        #      Reply-Message = "You've used up more than one hour today"
        #
        #  The allowed-servicetype attribute can be used to only take
        #  into account specific sessions. For example if a user first
        #  logs in through a login menu and then selects ppp there will
        #  be two sessions. One for Login-User and one for Framed-User
        #  service type. We only need to take into account the second one.
        #
        #  The module should be added in the instantiate, authorize and
        #  accounting sections.  Make sure that in the authorize
        #  section it comes after any module which sets the
        #  'check-name' attribute.
        #
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }



 - Barry
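
An added sketch, not part of the post above and not FreeRADIUS code: a small Python model of the counting rule, limit check and Session-Timeout reply described in the quoted comments, applied to the one-hour pre-paid card from the question. The `Counter` class, the card name `card-0001`, the reply text and the reject-at-limit comparison are assumptions of this sketch.

```python
from dataclasses import dataclass, field


@dataclass
class Counter:
    """Toy model of the counter behaviour described in the quoted comments."""
    key: str = "User-Name"
    count_attribute: str = "Acct-Session-Time"
    totals: dict = field(default_factory=dict)

    def accounting(self, packet: dict) -> None:
        """The count only moves when an accounting packet is received."""
        if self.count_attribute not in packet:
            return  # assumption: packets without the attribute are ignored
        value = packet[self.count_attribute]
        # Integer-typed attributes add their value; anything else adds one.
        step = value if type(value) is int else 1
        user = packet[self.key]
        self.totals[user] = self.totals.get(user, 0) + step

    def authorize(self, user: str, max_allowed: int) -> dict:
        """Compare the counter with the check-name limit at login."""
        used = self.totals.get(user, 0)
        if used >= max_allowed:  # assumption: an exhausted credit is rejected
            return {"result": "reject",
                    "Reply-Message": "Your pre-paid time is used up"}
        # With Acct-Session-Time the remaining time goes back as Session-Timeout.
        return {"result": "accept", "Session-Timeout": max_allowed - used}


def prepaid_card_demo() -> list:
    """Constructed scenario: one card, 3600 s credit, counter never reset."""
    credit = 3600
    counter = Counter()
    seen = [counter.authorize("card-0001", credit)]       # fresh card
    counter.accounting({"User-Name": "card-0001", "Acct-Session-Time": 2400})
    seen.append(counter.authorize("card-0001", credit))   # 1200 s left
    # The access device ignored Session-Timeout and the session ran 1500 s:
    counter.accounting({"User-Name": "card-0001", "Acct-Session-Time": 1500})
    seen.append(counter.authorize("card-0001", credit))   # rejected
    seen.append(counter.totals["card-0001"])              # 3900 s consumed
    return seen


if __name__ == "__main__":
    for item in prepaid_card_demo():
        print(item)
```

The last step shows the overrun that results when the access device does not act on Session-Timeout: the counter only catches up when the next accounting packet arrives, and the refusal only takes effect at the next login.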



