Joseph Wilk

Things with code, creativity and computation.

Squid and Members

Task

Use Squid to manage a cache for a website where there are member users (logged in to site) and public users. Squid must cache both member views of a page and public views.

Squid needs to check the authentication of the user and decide whether it should redirect them to a cache for members or for public users. There are only two discrete sets of users, and any content that is specific to a user is handled via AJAX.

  • Squid will be operating as a transparent proxy.

  • Usernames/Passwords are stored within an MSSQL database.

  • Squid is hosted on a Unix box along with Apache.

Notes

This project failed in its goal, but why it failed was interesting! This initial solution came to a halt because Squid does not provide the ability to filter the headers returned to the client's browser. An application could have been written to do this, but the solution felt like it was becoming too complex, with too many bottlenecks and dependencies.

SQUID – Authentication methods

There are 3 different methods Squid provides for authentication:

  1. SAMBA – dealing with auth within a windows environment

  2. SNMP – Simple Network Management protocol

  3. Ident Protocol – Server Daemon on users computer

SAMBA – There is no Windows authentication mechanism within the architecture.

SNMP – ?

Ident Protocol – Requires a daemon on the user's computer. Impossible with an open web system.

Apache – Authentication through Proxy_Auth

Three techniques for receiving user credentials.

  1. HTTP Basic protocol – Considered insecure

  2. Digest authentication protocol –

  3. NTLM – proprietary protocol developed by Microsoft

So without a viable authentication method I decided to adopt a Kerberos-like Authorisation Token. The cookie is created using AES.

The user has a secret key S known by themselves and the Web application.

WebAppToken = E_S{ TTL, emailaddress }

where E_S denotes AES encryption under the user's secret key S. The email address is then attached in the clear to the WebAppToken, giving:

email@test.co.uk:WebAppToken

The web application uses the email to identify the secret key of the user and tries to decrypt the token. The web application checks that the TTL has not expired.

Note this mechanism is susceptible to replay: a captured token remains valid for a window equal to the TTL.

Squid’s ACL

An external ACL script was used to allow access to the redirector. Hence access to this redirector implies that the user had valid permissions to be a member.

external_acl_type type-name [options] format helper-command
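The token check and the external ACL helper described above, as an added example (not the site's own WebAppACL.php): the helper reads the whole Cookie header that the %{Cookie} format hands it, picks out a WebAppToken cookie, looks up the user's secret by the email prefix, checks the tag and the TTL, and answers OK or ERR. It swaps the page's AES encryption for an HMAC-SHA256 tag over the expiry and email, since the standard library has no AES and the check only needs proof that the token was minted with the user's secret. The cookie name, the USER_SECRETS table and running the helper without the concurrency= option are assumptions.

```python
import base64, hashlib, hmac, sys, time, urllib.parse

# Constructed stand-in for the per-user secrets the site keeps in MSSQL.
USER_SECRETS = {"email@test.co.uk": b"constructed-secret-for-email"}

def make_token(email, secret, ttl_seconds, now=None):
    """Mint 'email:WebAppToken'. Stand-in for the page's AES token: the body is
    expiry || HMAC-SHA256(secret, email|expiry) rather than an AES ciphertext."""
    expiry = int(time.time() if now is None else now) + ttl_seconds
    tag = hmac.new(secret, f"{email}|{expiry}".encode(), hashlib.sha256).digest()
    body = base64.urlsafe_b64encode(expiry.to_bytes(8, "big") + tag).decode()
    return f"{email}:{body}"

def verify_token(value, secrets, now=None):
    """True only if the email maps to a known secret, the tag verifies under that
    secret and the TTL has not passed (a valid token replays until then)."""
    now = int(time.time() if now is None else now)
    email, sep, body = value.partition(":")
    try:
        raw = base64.urlsafe_b64decode(body)
    except ValueError:  # binascii.Error is a ValueError
        return False
    secret = secrets.get(email)
    if sep != ":" or secret is None or len(raw) != 8 + hashlib.sha256().digest_size:
        return False
    expiry = int.from_bytes(raw[:8], "big")
    expected = hmac.new(secret, f"{email}|{expiry}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[8:]) and expiry > now

def token_from_cookie_header(header, cookie_name="WebAppToken"):
    """Pick one cookie out of the whole Cookie header (%{Cookie} hands it all over)."""
    for part in header.split(";"):
        name, _, val = part.strip().partition("=")
        if name == cookie_name:
            return val
    return None

def acl_reply(line, secrets, now=None):
    """One external_acl request line in, 'OK' or 'ERR' out. Squid URL-escapes the
    format fields, so unquote first (a plain value comes back unchanged)."""
    token = token_from_cookie_header(urllib.parse.unquote(line.strip()))
    return "OK" if token and verify_token(token, secrets, now) else "ERR"

if __name__ == "__main__":
    # Helper loop without concurrency=: one request line in, one reply line out.
    for line in sys.stdin:
        sys.stdout.write(acl_reply(line, USER_SECRETS) + "\n")
        sys.stdout.flush()
```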

Squid Redirectors.

  • Squirm

  • External Script

An external script was selected due to pressing time constraints: a simple Python script which changes URLs into member URLs. Any request reaching the redirector is assumed to come from a member, because the ACLs only allow members through.

/file/101010101010/filename.html

becomes

/member/101010101010/filename.html

Apache has a mod-rewrite rule:

RewriteRule ^/file/(.*)$ /file.php?controller=$1
RewriteRule ^/member/(.*)$ /file.php?controller=$1&member=true

Architecture

Squid Config

external_acl_type WebAppTokenCheck ttl=1 concurrency=10 %{Cookie} /home/esw/squid/acl/WebAppACL.php
acl MemberCookieCheck external WebAppTokenCheck
# Only allow redirection on those pages that pass the security test.
# Access lists are evaluated in order and the first match wins, so the
# allow line must come before "deny all" or nothing is ever redirected.
redirector_access allow MemberCookieCheck
redirector_access deny all

# Redirection
redirect_program /home/esw/squid/redirectors/redirectors.py
redirect_children 5

Problems (sigh)

  • Client –> Squid request

  • Squid –> Apache

  • Apache –> Squid

  • Squid –> Client

The response from Apache must carry the headers indicating its cache settings. Squid uses these to decide whether, and for how long, it should cache the response.

These headers are also returned to the user's client, whose local browser detects them in the response and caches the file locally. Hence the client will not make another request to Squid until the page has expired or a refresh is forced.

The client always needs to send its requests to Squid, because the state of the page (member/non-member) is decided at Squid.

It is possible to filter the response headers in Squid 3.0 via:

reply_header_access

Squid 2.5 is the current deployment version of Squid. So unless there is an alternative way to alter response headers, we need to move to Plan B.
