Proxying based on a regex (now with more questions)

Jacob Dawson dawson at vt.edu
Wed Aug 10 17:03:02 CEST 2011


So, according to the docs in proxy.conf and Arran's comment here, the regex stuff should work fine…but in 2.1.11, we're not seeing that behavior.  Right now, requests are only getting proxied properly if it's an exact match on the realm name ( realm "hokies" {  or realm "w2k.vt.edu" { ), whereas the regex realm syntax doesn't seem to be working at all ( realm "~hokies" { or realm "~.*w2k\\.vt\\.edu" { aren't matched).

The first example isn't a huge loss, but not being able to use regex match on suffix domains is a real problem.  Regex matching seemed to work in 2.1.9, 2.1.10, and earlier candidates for 2.1.11, so I'm not coming up with a good answer as to why this shouldn't be working now.  I can confirm that the Proxy-To-Realm attribute is being correctly set in the control list within the authorize stanza.  Am I misinterpreting the instructions, or is this unintended behavior? 

Thanks much,
Jacob M. Dawson


On 25 Jul 2011, at 16:37, Arran Cudbard-Bell wrote:

> Sorry only first one is fictitious, second one should work fine :)
> 
> -Arran
> 
> 
> On 25 Jul 2011, at 22:33, Arran Cudbard-Bell wrote:
> 
>> Impressive, you've both made up entirely fictitious syntaxes for doing proxying... Um anyway.
>> 
>> 
>> if(User-Name =~ /REGEX/){
>> 	update control {
>> 		Proxy-To-Realm := 'my_proxy_realm'
>> 	}
>> }
>> 
>> Then configure the realm in proxy.conf. Subcapture groups can provide you with parts of the User-Name string and can be accessed using the %{0}, %{1}, %{2}... etc variables
>> 
>> You don't need to do anything if you're just doing local authentication....
>> 
>> 
>> -Arran
>> 
>> On 25 Jul 2011, at 22:20, Sallee, Stephen (Jake) wrote:
>> 
>>> We did this through our realms see code:
>>> 
>>> In your proxy.conf
>>> 
>>> realm "~.*umhb\\.edu$" {
>>> #### some code here###
>>> ###usually the virtual server you want to proxy them to###
>>> }
>>> 
>>> If I am understanding your question right that should do it, but others may have a better way .. or I could be on crack ...
>>> 
>>> 
>>> -----Original Message-----
>>> From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] On Behalf Of Charles Plater
>>> Sent: Monday, July 25, 2011 3:05 PM
>>> To: freeradius-users at lists.freeradius.org
>>> Subject: Proxying based on a regex
>>> 
>>> I'm trying to configure our FreeRadius (2.1.9) server to proxy based on the format of the ID. I have a working regex that determines the domain to which the request should be sent, but I'm having a hard time figuring out the syntax of the proxy statement. Here's what I've tried:
>>> 
>>> if (User-Name !~ <REGEX>) {
>>> 	proxy: domain.name
>>> else {
>>> 	proxy: LOCAL
>>> 	}
>>> }
>>> 
>>> FWIW, I can successfully authenticate to the "domain.name" realm by using userid at domain.name.
>>> 
>>> Can anyone offer any suggestions? Thanks in advance.
>>> -- 
>>> Charles Plater
>>> Lead Application Technical Analyst
>>> Internet Services
>>> +1-313-577-4620
>>> ab3189 at wayne.edu
>>> 
>>> 
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>> 
>> 
>> Arran Cudbard-Bell
>> a.cudbardb at freeradius.org
>> 
>> RADIUS - Half the complexity of Diameter
>> 
>> 
> 
> Arran Cudbard-Bell
> a.cudbardb at freeradius.org
> 
> RADIUS - Half the complexity of Diameter
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
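
An added example (not part of the thread and not FreeRADIUS code): a Python model of regex realm lookup, run against the patterns quoted above, to show what an unanchored suffix pattern accepts compared with an end-anchored one like the `umhb` realm. It assumes exact realm names are tried before `~` patterns and that patterns are applied as case-insensitive, unanchored searches against the realm name; Python's `re` stands in for the server's regex library, and the `STRICT` pattern and sample realm names are constructed.

```python
import re

# Realm names as they would appear between double quotes in proxy.conf.
LOOSE = r'~.*w2k\\.vt\\.edu'            # pattern quoted in the thread
STRICT = r'~^(.*\\.)?w2k\\.vt\\.edu$'   # constructed: anchored at both ends


def compile_realms(names):
    """Split configured names into exact entries and ordered regex entries."""
    exact, regexes = {}, []
    for name in names:
        if name.startswith("~"):
            # Double-quoted config string: "\\." reaches the regex engine as "\."
            pattern = name[1:].replace("\\\\", "\\")
            regexes.append((name, re.compile(pattern, re.IGNORECASE)))
        else:
            exact[name.lower()] = name
    return exact, regexes


def resolve(realm, names):
    """Return the configured realm name that would handle `realm`, or None."""
    exact, regexes = compile_realms(names)
    if realm.lower() in exact:           # assumption: exact names win
        return exact[realm.lower()]
    for name, rx in regexes:             # assumption: first regex match wins
        if rx.search(realm):             # unanchored unless the pattern anchors
            return name
    return None


if __name__ == "__main__":
    # Constructed realm names, as taken from the part after "@" in User-Name.
    samples = ["w2k.vt.edu", "cs.w2k.vt.edu", "CS.W2K.VT.EDU",
               "notw2k.vt.edu", "w2k.vt.edu.example.net"]
    for realm in samples:
        loose = resolve(realm, [LOOSE]) is not None
        strict = resolve(realm, [STRICT]) is not None
        print(f"{realm:26} loose={loose!s:5} strict={strict}")
```
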
