Article delegate-en/4018 of [1-5169] on the server localhost:119
[Reference:<_A4016@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Testing the HTTP/HTTPS and FTP Delegate proxy
28 Jul 2008 12:56:15 GMT "Jean Aumont" <pvahqbdyi-5bnwhwhscmlr.ml@ml.delegate.org>


Hi Yutaka,

Thanks for your prompt response on Question 1.
It is exactly what I was looking for.

I wish you had answered the second Question also.
You probably just missed it since my email was so long.
Here is the question again, can you take a look at it ???

---------------------------------------------------------------------
Question 2 - Ftp proxy
---------------------------------------------------------------------
# more ftp.cfg
SERVER="ftp"
REMITTABLE="ftp"
-P2021
# ============
# Section ftp
# ============
AUTHORIZER="-none:ftp:ftp.openbsd.org:10.*.*.*"
AUTHORIZER="-list{uid1:pwd1,uid2:pwd2}:ftp:ftp.sun.com:10.*.*.*"
AUTHORIZER="-list{uid3:pwd3}:ftp:ftp.freebsd.com:10.*.*.*"
AUTHORIZER="-list{uid1:pwd1}:ftp:*:10.*.*.*"


With this configuration, I could never login to the Delegate FTP proxy 
with the user id "uid2" or "uid3", the only user id allowed is "uid1" with
password "pwd1". 
This seems to be a bug in version 9.8.2-pre47.


Also, is there a way to give access to a certain destination 
without any authentication on the FTP proxy? 

This is what I was trying to accomplish with the line: 
    AUTHORIZER="-none:ftp:ftp.openbsd.org:10.*.*.*"

But I do not see a way to initiate the connection to the FTP 
Proxy without being prompted for a user and password.

----------------------------------------------------------------------

Thanks in advance,

Jean Aumont


-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org] 
Sent: Friday, July 25, 2008 4:01 PM
To: feedback@delegate.org
Cc: Stéphane Anglaret; Jean Aumont
Subject: Re: [DeleGate-En] Testing the HTTP/HTTPS and FTP Delegate proxy

Hi,

In message <_A4015@delegate-en.ML_> on 07/26/08(03:02:35)
you "Jean Aumont" <pvahqbdyi-5bnwhwhscmlr.ml@ml.delegate.org> wrote:
 |---------------------------------------------------------------------
 |Question 1 - Http(s) proxy
 |---------------------------------------------------------------------
 |# more http.cfg 
 |SERVER="http"
 |REMITTABLE="http,https"
 |-P8080
 |# ============
 |# Section http
 |# ============
 |AUTHORIZER="-none:http:www.sea-doo.com*:10.*.*.*"
 |AUTHORIZER="-list{uid1:pwd1,uid2:pwd2}:http:www.google.com:10.*.*.*"
 |AUTHORIZER="-list{uid1:pwd1,uid3:pwd3}:http:www.yahoo.com:10.*.*.*"
 |AUTHORIZER="-list{uid1:pwd1}:http:*:10.*.*.*"
 |# =============
 |# Section https
 |# =============
 |AUTHORIZER="-list{uid1:pwd1,uid3:pwd3}:https:www.google.com:10.*.*.*"
 |AUTHORIZER="-list{uid1:pwd1,uid3:pwd3}:https:www.yahoo.com:10.*.*.*"
 |AUTHORIZER="-list{uid1:pwd1}:https:*:10.*.*.*"
 |# ===============
 |# Deny All Others
 |# ===============
 |AUTHORIZER="-never"
 |
 |From my testing using the http(s) config, I discovered that the 
 |delegate proxy evaluates the rules as follows:
 |
 |1) look for the service (http or https)
 |2) then look for an address that match the requested ip or url
 |3) and if the user is allowed

Firstly, DeleGate selects one AUTHORIZER based on the set of destination
protocol, the destination server and the client of the current session.
Then the AUTHORIZER is applied to authenticate (and authorize) the user.

 |This is why I am forced to repeat that "uid1:pwd1" on the line 
 |that gives access to www.google.com and www.yahoo.com even if 
 |the line AUTHORIZER="-list{uid1:pwd1}:http:*:10.*.*.*"
 |should give access to everywhere on the www to "uid1"
 |
 |Am I right about this ???

In such a case, you can use AUTHORIZER just to authenticate users, and
authorize them using PERMIT parameters as follows:

  AUTHORIZER="-none:http:www.sea-*"
  AUTHORIZER="-list{u1:p1,u2:p2,u3:p3}:http,https:*"
  PERMIT="http:www.sea-*:10.*"
  PERMIT="http,https:*:-a/u1@*"
  PERMIT="http,https:www.yahoo.com:-a/u2@*"
  PERMIT="http,https:www.google.com:-a/u3@*"


 |Thanks for the great effort of developing the "Delegate" proxy.

It's "DeleGate" :)

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
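
The rule selection described in the reply, and the AUTHORIZER/PERMIT split it suggests, modelled as an added example (not DeleGate code and not part of the original messages). First-match ordering, shell-style glob matching and OR-combined PERMIT entries are assumptions of this model; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed from the thread's http.cfg: (user list or None for "-none",
# protocols, destination glob, client glob). Shell-style globs are an assumption.
AUTHORIZERS = [
    (None, {"http"}, "www.sea-doo.com*", "10.*.*.*"),
    ({"uid1": "pwd1", "uid2": "pwd2"}, {"http"}, "www.google.com", "10.*.*.*"),
    ({"uid1": "pwd1", "uid3": "pwd3"}, {"http"}, "www.yahoo.com", "10.*.*.*"),
    ({"uid1": "pwd1"}, {"http"}, "*", "10.*.*.*"),
]

def select_authorizer(rules, proto, dest, client):
    """Pick ONE rule by (protocol, destination, client); first match is assumed."""
    for rule in rules:
        _, protos, dest_pat, client_pat = rule
        if proto in protos and fnmatchcase(dest, dest_pat) and fnmatchcase(client, client_pat):
            return rule
    return None  # nothing matched: falls to AUTHORIZER="-never"

def per_destination(rules, proto, dest, client, user=None, pwd=None):
    """Layout 1: only the selected rule's list is consulted, no fall-through."""
    rule = select_authorizer(rules, proto, dest, client)
    if rule is None:
        return False
    users = rule[0]
    return users is None or (user in users and users[user] == pwd)

# Layout 2 (the reply's suggestion): one user list, then PERMIT decides.
# (protocols, destination glob, required authenticated user or None, client glob)
USERS = {"u1": "p1", "u2": "p2", "u3": "p3"}
PERMITS = [
    ({"http"}, "www.sea-*", None, "10.*"),
    ({"http", "https"}, "*", "u1", "*"),
    ({"http", "https"}, "www.yahoo.com", "u2", "*"),
    ({"http", "https"}, "www.google.com", "u3", "*"),
]

def with_permit(proto, dest, client, user=None, pwd=None):
    """Authenticate once, then allow if ANY PERMIT matches (OR is assumed)."""
    authed = user if user in USERS and USERS[user] == pwd else None
    return any(
        proto in protos and fnmatchcase(dest, d) and fnmatchcase(client, c)
        and (need is None or need == authed)
        for protos, d, need, c in PERMITS
    )

if __name__ == "__main__":
    # uid3 is valid for yahoo, but the google rule is selected and lacks uid3.
    print(per_destination(AUTHORIZERS, "http", "www.google.com", "10.1.2.3", "uid3", "pwd3"))
    print(with_permit("https", "www.google.com", "10.1.2.3", "u3", "p3"))
```
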
