
Bug#499709: please get rid of hardcoded IP numbers in the squid.conf file



package: debian-edu-config
severity: wishlist
version: 1.423

----------  Forwarded Message  ----------

Subject: Getting rid of hardcoded IP numbers in the squid.conf file?
Date: Tuesday 05 August 2008 17:48
From: Petter Reinholdtsen <pere@hungry.com>
To: debian-edu@lists.debian.org

At the moment, very few services in Skolelinux use hardcoded IP
addresses.  Each and every one of these makes it harder to change to
use a different IP subnet for the Skolelinux network.

The services I am aware of are

 - DNS (/etc/bind/debian-edu/*)
 - DHCP (LDAP)
 - Squid (/etc/squid/squid.conf)
 - CUPS (/etc/cups/cups.conf)
 - tcp-wrapper (/etc/hosts.{allow,deny})

I doubt we will be able to drop IP addresses from DHCP and DNS, but we
should try to get rid of them for the others.  This email is about
Squid.

At the moment, we specify the range of IP addresses allowed to talk to
the Squid server in squid.conf.  Recently I have become aware of the
support in squid for 'external' ACL providers.  We could easily write
such an external ACL provider that looks up the subnet in LDAP and grants
access based on the content in LDAP instead of hardcoding it in the
configuration file.  For this to work, we need to add subnet
information in LDAP.

I found <URL:http://devel.squid-cache.org/external_acl/> documenting
the original project to add support for external ACL providers.  It
got a reference to a script to authenticate users and IP addresses.
We could probably use it as a starting point.

Anyone know of any well defined specification for storing subnet
information in LDAP?  I know AD got a subnet schema, ref
<URL:http://www.grotan.com/ldap/microsoft.schema>.  Perhaps we could
use some ideas from there?

LDAP objects like this would work:

  dn: cn=10.0.2.0/23,cn=subnets,dc=skole,dc=skolelinux,dc=no
  objectClass: top
  objectClass: subnet
  cn: 10.0.2.0/23

We could configure the external ACL provider to accept all subnets
registered in LDAP.  This would make it trivial to add access for more
subnets.

Happy hacking,
--
Petter Reinholdtsen

-------------------------------------------------------
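As an added illustration of the proposal above (not code from the bug report or from debian-edu-config), here is a minimal Squid external ACL helper that grants access only to client addresses falling inside subnets registered under cn=subnets.  The LDAP search result is replaced by a constructed LDIF snapshot; the helper path, ACL name and python-ldap usage mentioned in the comments are assumptions.

```python
# Squid external ACL helper: one request per line on stdin (the %SRC client
# address), one "OK" or "ERR" reply per line on stdout, flushed immediately.
import ipaddress
import sys

# Constructed stand-in for an LDAP search result under cn=subnets; a real
# helper would fetch these entries with python-ldap and refresh them periodically.
SAMPLE_LDAP_ENTRIES = """\
dn: cn=10.0.2.0/23,cn=subnets,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: subnet
cn: 10.0.2.0/23

dn: cn=192.168.0.0/24,cn=subnets,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: subnet
cn: 192.168.0.0/24
"""

def load_subnets(ldif_text):
    """Networks named by each entry's cn; a cn that is not a valid CIDR
    prefix is skipped rather than being widened into a broader range."""
    nets = []
    for line in ldif_text.splitlines():
        if line.startswith("cn: "):
            try:
                nets.append(ipaddress.ip_network(line[4:].strip(), strict=True))
            except ValueError:
                continue
    return nets

def decide(request_line, subnets):
    """Map one request line to OK/ERR; anything unparsable fails closed."""
    fields = request_line.split()
    if not fields:
        return "ERR"
    try:
        addr = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"
    return "OK" if any(addr in net for net in subnets) else "ERR"

# squid.conf wiring (directive names as documented by Squid; path assumed):
#   external_acl_type ldapnet ttl=300 %SRC /usr/local/bin/ldap_subnet_acl.py
#   acl localnet external ldapnet
if __name__ == "__main__":
    nets = load_subnets(SAMPLE_LDAP_ENTRIES)
    for line in sys.stdin:
        sys.stdout.write(decide(line, nets) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; never buffer
```

Because the decision is made per request, adding a subnet to LDAP takes effect without touching squid.conf once the helper's cached entries (and Squid's ttl) expire.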
