"limit" support in authcache to bind sessions to ip

2025-02-23 02:25:40 +08:00 · 2019-08-21 15:20:43 +03:00 · 2019-08-21 15:20:43 +03:00 · e7e7d2fddf
commit e7e7d2fddf
parent 336b411ea2
5 changed files with 33 additions and 8 deletions
--- a/doc/html/howtoe.html
+++ b/doc/html/howtoe.html
@ -461,7 +461,12 @@ proxy -n
 </p>
 Please note, that caching affects security. Never use caching for access to
 critical resources, such as web administration.
-
+  <p>authcache can be used to bind user's sessions to ip with 'limit' option, with
+  <pre>
+  autchcache ip,user,pass,limit 120
+  auth cache strong</pre>
+  user will not be able to use more than a single IP during cache time (120 sec).
+  </p>
 		<li><A NAME="USERS">How to create user list</A>
 <p>
 Userslist is created with 'users' command.
--- a/doc/html/howtor.html
+++ b/doc/html/howtor.html
@ -469,6 +469,13 @@
  использовать кэширование для доступа к критичным ресурсам, в частности к
  интерфейсу администрирования.
  </p>
+  <p>authcache так же может использоваться для привязки сессий пользователя к ip с
+  с помощью опции limit
+  <pre>
+  autchcache ip,user,pass,limit 120
+  auth cache strong</pre>
+  запретит пользователю использовать более одного адреса в течении времени кеширования.
+  </p>
  <li><a name="USERS"><i>Как создать список пользователей</i></a>
  <p>
  Список пользователей задается с помощью команды users. 
--- a/man/3proxy.cfg.3
+++ b/man/3proxy.cfg.3
@ -519,6 +519,8 @@ assigned to the same user without actual authentication.
 user - same as above, but IP is not checked. 
 .br
 user,password - both username and password are checked against cached ones.
+.br
+ limit - limit user to use only one ip, \'ip\' and \'user\' are required
 .br
 Use auth type \'cache\' for cached authentication

--- a/src/auth.c
+++ b/src/auth.c
@ -721,15 +721,24 @@ int cacheauth(struct clientparam * param){
 			continue;
 			
 		}
-		if(((!(conf.authcachetype&2)) || (param->username && ac->username && !strcmp(ac->username, (char *)param->username))) &&
-		   ((!(conf.authcachetype&1)) || (*SAFAMILY(&ac->sa) ==  *SAFAMILY(&param->sincr) && !memcmp(SAADDR(&ac->sa), SAADDR(&param->sincr), SAADDRLEN(&ac->sa)))) && 
+		if((!(conf.authcachetype&2) || (param->username && ac->username && !strcmp(ac->username, (char *)param->username))) &&
 		   (!(conf.authcachetype&4) || (ac->password && param->password && !strcmp(ac->password, (char *)param->password)))) {
-			if(param->username){
-				myfree(param->username);
+
+			if(!(conf.authcachetype&1)
+				|| ((*SAFAMILY(&ac->sa) ==  *SAFAMILY(&param->sincr) 
+				   && !memcmp(SAADDR(&ac->sa), SAADDR(&param->sincr), SAADDRLEN(&ac->sa))))){
+
+				if(param->username){
+					myfree(param->username);
+				}
+				param->username = (unsigned char *)mystrdup(ac->username);
+				pthread_mutex_unlock(&hash_mutex);
+				return 0;
+			}
+			else if ((conf.authcachetype&1) && (conf.authcachetype&8)) {
+				pthread_mutex_unlock(&hash_mutex);
+				return 10;
 			}
-			param->username = (unsigned char *)mystrdup(ac->username);
-			pthread_mutex_unlock(&hash_mutex);
-			return 0;
 		}
 		last = ac;
 		ac = ac->next;
@ -790,6 +799,7 @@ int doauth(struct clientparam * param){
 			break;
 		}
 		if(res > ret) ret = res;
+		if(ret > 9) return ret;
 	}
 	if(!res){
 		return alwaysauth(param);
--- a/src/conf.c
+++ b/src/conf.c
@ -1338,6 +1338,7 @@ static int h_authcache(int argc, unsigned char **argv){
 	if(strstr((char *) *(argv + 1), "ip")) conf.authcachetype |= 1;
 	if(strstr((char *) *(argv + 1), "user")) conf.authcachetype |= 2;
 	if(strstr((char *) *(argv + 1), "pass")) conf.authcachetype |= 4;
+	if(strstr((char *) *(argv + 1), "limit")) conf.authcachetype |= 8;
 	if(argc > 2) conf.authcachetime = (unsigned) atoi((char *) *(argv + 2));
 	if(!conf.authcachetype) conf.authcachetype = 6;
 	if(!conf.authcachetime) conf.authcachetime = 600;