Bug#499709: marked as done (please get rid of hardcoded IP numbers in the squid.conf file)



Your message dated Wed, 4 Nov 2009 16:46:27 +0100
with message-id <200911041646.28026.holger@layer-acht.org>
and subject line fixed
has caused the Debian Bug report #499709,
regarding please get rid of hardcoded IP numbers in the squid.conf file
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
499709: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499709
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: debian-edu-config
severity: wishlist
version: 1.423

----------  Forwarded Message  ----------

Subject: Getting rid of hardcoded IP numbers in the squid.conf file?
Date: Tuesday 05 August 2008 17:48
From: Petter Reinholdtsen <pere@hungry.com>
To: debian-edu@lists.debian.org

At the moment, very few services in Skolelinux use hardcoded IP
addresses.  Each and every one of these makes it harder to change to
use a different IP subnet for the Skolelinux network.

The services I am aware of are

 - DNS (/etc/bind/debian-edu/*)
 - DHCP (LDAP)
 - Squid (/etc/squid/squid.conf)
 - CUPS (/etc/cups/cups.conf)
 - tcp-wrapper (/etc/hosts.{allow,deny})

I doubt we will be able to drop IP addresses from DHCP and DNS, but we
should try to get rid of them for the others.  This email is about
Squid.

At the moment, we specify the range of IP addresses allowed to talk to
the Squid server in squid.conf.  Recently I have become aware of the
support in squid for 'external' ACL providers.  We could easily write
such an external ACL provider that looks up the subnet in LDAP and grants
access based on the content in LDAP instead of hardcoding it in the
configuration file.  For this to work, we need to add subnet
information in LDAP.

I found <URL:http://devel.squid-cache.org/external_acl/> documenting
the original project to add support for external ACL providers.  It
has a reference to a script to authenticate users and IP addresses.
We could probably use it as a starting point.

Does anyone know of any well-defined specification for storing subnet
information in LDAP?  I know AD has a subnet schema, ref
<URL:http://www.grotan.com/ldap/microsoft.schema>.  Perhaps we could
use some ideas from there?

LDAP objects like this would work:

  dn: cn=10.0.2.0/23,cn=subnets,dc=skole,dc=skolelinux,dc=no
  objectClass: top
  objectClass: subnet
  cn: 10.0.2.0/23

We could configure the external ACL provider to accept all subnets
registered in LDAP.  This would make it trivial to add access for more
subnets.

Happy hacking,
--
Petter Reinholdtsen

-------------------------------------------------------


--- End Message ---
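The external ACL provider sketched in the message above, as an added example that is not part of the bug report or of debian-edu-config. Squid's `external_acl_type` helper protocol is simple: Squid writes one line per request to the helper's stdin, formatted according to the format codes in the directive (here `%SRC`, the client IP), and the helper answers `OK` or `ERR` on stdout. The helper below checks the client address against the list of subnets registered in LDAP. The LDAP search itself is stubbed out as `fetch_subnets_from_ldap()` returning a constructed sample list, so the script runs offline; the `subnet` objectClass and the `cn=subnets,dc=skole,dc=skolelinux,dc=no` container are the ones the message proposes and are assumed, not an existing schema.

```python
#!/usr/bin/python3
# Squid external ACL helper: allow a client if its source IP falls inside
# a subnet registered in LDAP.  Example code, not part of debian-edu-config.
#
# Assumed squid.conf wiring (directives are real Squid ones, paths are examples):
#   external_acl_type ldap_subnets ttl=300 negative_ttl=60 %SRC /usr/lib/squid/subnet_helper
#   acl localnet external ldap_subnets
#   http_access allow localnet
import ipaddress
import sys

# Constructed stand-in for the LDAP search result.  In production this would be
# the 'cn' values of every entry with objectClass=subnet below
# cn=subnets,dc=skole,dc=skolelinux,dc=no (assumed schema, as proposed above).
SAMPLE_LDAP_SUBNETS = ["10.0.2.0/23", "192.168.0.0/24"]


def fetch_subnets_from_ldap():
    """Return the subnet CIDR strings stored in LDAP (stubbed with sample data)."""
    return list(SAMPLE_LDAP_SUBNETS)


def parse_subnets(entries):
    """Turn CIDR strings into network objects, skipping malformed entries.

    strict=True rejects entries such as 10.0.2.1/23 (host bits set), so a typo
    in LDAP cannot silently widen or shift the allowed range.  Squid copies the
    helper's stderr into cache.log, which is where the warning ends up.
    """
    nets = []
    for cidr in entries:
        try:
            nets.append(ipaddress.ip_network(cidr.strip(), strict=True))
        except ValueError:
            print(f"subnet_helper: ignoring malformed subnet {cidr!r}", file=sys.stderr)
    return nets


def is_allowed(src, nets):
    """True if src is a valid IP address contained in one of the networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # garbage from the request line never grants access
    return any(addr in net for net in nets)


def handle_line(line, nets):
    """Process one request line from Squid (format '%SRC') and build the reply.

    The helper is assumed to run without the 'concurrency=' option, so the
    line carries no channel ID: the first field is the client address.
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"
    return "OK" if is_allowed(fields[0], nets) else "ERR"


def main():
    # Load the subnet list once at startup; Squid caches each verdict for
    # 'ttl' seconds, and restarting the helper (squid -k reconfigure) reloads it.
    nets = parse_subnets(fetch_subnets_from_ldap())
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, nets) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never leave it buffered


if __name__ == "__main__":
    main()
```

Because Squid caches helper verdicts per key for `ttl` seconds, a subnet added to LDAP takes effect after the cache entry expires or after the helper is restarted; a per-request LDAP search would remove that delay at the cost of one directory query per uncached client address.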
--- Begin Message ---
fixed 499709 1.428
thanks


--- End Message ---