Revert "proxy: Remove AUTH_IPCACHE_TTL"

This reverts commit dc637f087f.

Rationale: "authenticate_ip_ttl" can be safely used as it does not
introduces an authentication bypass, but saves relationships between
successfully authenticated users and their IP addresses.

"max_user_ip" depends on such an authentication cache, so credential
sharing between several IPs (on purpose or by chance) can be detected
properly. This is useful in case of crompromised machines and/or
attackers in internal networks having stolen proxy authentication
credentials.

Quoted from squid.conf.documented or man 5 squid.conf:

>       acl aclname max_user_ip [-s] number
>         # This will be matched when the user attempts to log in from more
>         # than <number> different ip addresses. The authenticate_ip_ttl
>         # parameter controls the timeout on the ip entries. [fast]
>         # If -s is specified the limit is strict, denying browsing
>         # from any further IP addresses until the ttl has expired. Without
>         # -s Squid will just annoy the user by "randomly" denying requests.
>         # (the counter is reset each time the limit is reached and a
>         # request is denied)
>         # NOTE: in acceleration mode or where there is mesh of child proxies,
>         # clients may appear to come from multiple addresses if they are
>         # going through proxy farms, so a limit of 1 may cause user problems.

Fixes: #11994

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

doc/language_issues.de

@@ -48,7 +48,6 @@ WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
 WARNING: translation string unused: adsl settings
 WARNING: translation string unused: advproxy AUTH method ntlm
-WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -73,8 +72,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
-WARNING: translation string unused: advproxy content based throttling
-WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc

doc/language_issues.en

@@ -128,6 +128,7 @@ WARNING: untranslated string: advproxy AUTH method radius = RADIUS
 WARNING: untranslated string: advproxy AUTH no auth = Domains without authentication (one per line)
 WARNING: untranslated string: advproxy AUTH number of auth processes = Number of authentication processes
 WARNING: untranslated string: advproxy AUTH realm = Authentication realm prompt
+WARNING: untranslated string: advproxy AUTH user IP cache TTL = User/IP cache TTL (in minutes)
 WARNING: untranslated string: advproxy IDENT authorized users = Authorized users (one per line)
 WARNING: untranslated string: advproxy IDENT aware hosts = Ident aware hosts (one per line)
 WARNING: untranslated string: advproxy IDENT identd settings = Common identd settings
@@ -206,6 +207,7 @@ WARNING: untranslated string: advproxy errmsg acl cannot be empty = Access contr
 WARNING: untranslated string: advproxy errmsg auth cache ttl = Invalid value for authentication cache TTL
 WARNING: untranslated string: advproxy errmsg auth children = Invalid number of authentication processes
 WARNING: untranslated string: advproxy errmsg auth ipcache may not be null = Authentication cache TTL may not be 0 when using IP address limits
+WARNING: untranslated string: advproxy errmsg auth ipcache ttl = Invalid value for user/IP cache TTL
 WARNING: untranslated string: advproxy errmsg cache = The RAM cache size is greater than the harddisk cache size:
 WARNING: untranslated string: advproxy errmsg hdd cache size = Invalid value for harddisk cache size (min 10 MB required)
 WARNING: untranslated string: advproxy errmsg ident timeout = Invalid ident timeout

doc/language_issues.es

@@ -24,7 +24,6 @@ WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
-WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -49,8 +48,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
-WARNING: translation string unused: advproxy content based throttling
-WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
@@ -900,7 +897,7 @@ WARNING: untranslated string: fireinfo please enable = Please enable the fireinf
 WARNING: untranslated string: fireinfo settings = Fireinfo settings
 WARNING: untranslated string: fireinfo system version = System versions
 WARNING: untranslated string: fireinfo why descr1 = It is very important for the development of IPFire that you enable this
-WARNING: untranslated string: fireinfo why descr2 = service. 
+WARNING: untranslated string: fireinfo why descr2 = service.
 WARNING: untranslated string: fireinfo why enable = Why should I enable fireinfo?
 WARNING: untranslated string: fireinfo why read more = Read more about the reasons.
 WARNING: untranslated string: fireinfo your profile id = Your profile ID
@@ -958,7 +955,7 @@ WARNING: untranslated string: fwdfw err tgt_port = Invalid destination port.
 WARNING: untranslated string: fwdfw err time = You have to select at least one day.
 WARNING: untranslated string: fwdfw external port nat = External port (NAT)
 WARNING: untranslated string: fwdfw hint ip1 = The last generated rule may never match, because source and destination subnets may overlap.
-WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense: 
+WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense:
 WARNING: untranslated string: fwdfw hint mac = The destination group contains MAC addresses, which will be skipped during rule creation.
 WARNING: untranslated string: fwdfw iface = Interface
 WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections per IP address

doc/language_issues.fr

@@ -52,7 +52,6 @@ WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
 WARNING: translation string unused: adsl settings
 WARNING: translation string unused: advproxy AUTH method ntlm
-WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -77,8 +76,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
-WARNING: translation string unused: advproxy content based throttling
-WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc

doc/language_issues.it

@@ -26,7 +26,6 @@ WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
 WARNING: translation string unused: advproxy AUTH method ntlm
-WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -51,8 +50,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
-WARNING: translation string unused: advproxy content based throttling
-WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc

doc/language_issues.nl

@@ -25,7 +25,6 @@ WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
-WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -50,8 +49,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
-WARNING: translation string unused: advproxy content based throttling
-WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc

doc/language_issues.pl

@@ -24,7 +24,6 @@ WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
-WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -49,8 +48,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
-WARNING: translation string unused: advproxy content based throttling
-WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
@@ -900,7 +897,7 @@ WARNING: untranslated string: fireinfo please enable = Please enable the fireinf
 WARNING: untranslated string: fireinfo settings = Fireinfo settings
 WARNING: untranslated string: fireinfo system version = System versions
 WARNING: untranslated string: fireinfo why descr1 = It is very important for the development of IPFire that you enable this
-WARNING: untranslated string: fireinfo why descr2 = service. 
+WARNING: untranslated string: fireinfo why descr2 = service.
 WARNING: untranslated string: fireinfo why enable = Why should I enable fireinfo?
 WARNING: untranslated string: fireinfo why read more = Read more about the reasons.
 WARNING: untranslated string: fireinfo your profile id = Your profile ID
@@ -958,7 +955,7 @@ WARNING: untranslated string: fwdfw err tgt_port = Invalid destination port.
 WARNING: untranslated string: fwdfw err time = You have to select at least one day.
 WARNING: untranslated string: fwdfw external port nat = External port (NAT)
 WARNING: untranslated string: fwdfw hint ip1 = The last generated rule may never match, because source and destination subnets may overlap.
-WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense: 
+WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense:
 WARNING: untranslated string: fwdfw hint mac = The destination group contains MAC addresses, which will be skipped during rule creation.
 WARNING: untranslated string: fwdfw iface = Interface
 WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections per IP address

doc/language_issues.ru

@@ -25,7 +25,6 @@ WARNING: translation string unused: add xtaccess
 WARNING: translation string unused: add-route
 WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
-WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -50,8 +49,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
-WARNING: translation string unused: advproxy content based throttling
-WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc
@@ -952,7 +949,7 @@ WARNING: untranslated string: fwdfw err tgt_port = Invalid destination port.
 WARNING: untranslated string: fwdfw err time = You have to select at least one day.
 WARNING: untranslated string: fwdfw external port nat = External port (NAT)
 WARNING: untranslated string: fwdfw hint ip1 = The last generated rule may never match, because source and destination subnets may overlap.
-WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense: 
+WARNING: untranslated string: fwdfw hint ip2 = Please double-check if this rule makes sense:
 WARNING: untranslated string: fwdfw hint mac = The destination group contains MAC addresses, which will be skipped during rule creation.
 WARNING: untranslated string: fwdfw iface = Interface
 WARNING: untranslated string: fwdfw limitconcon = Limit concurrent connections per IP address

doc/language_issues.tr

@@ -48,7 +48,6 @@ WARNING: translation string unused: admin user password has been changed
 WARNING: translation string unused: administrator user password
 WARNING: translation string unused: adsl settings
 WARNING: translation string unused: advproxy AUTH method ntlm
-WARNING: translation string unused: advproxy AUTH user IP cache TTL
 WARNING: translation string unused: advproxy LDAP auth
 WARNING: translation string unused: advproxy NTLM BDC hostname
 WARNING: translation string unused: advproxy NTLM PDC hostname
@@ -73,8 +72,6 @@ WARNING: translation string unused: advproxy chgwebpwd new password
 WARNING: translation string unused: advproxy chgwebpwd new password confirm
 WARNING: translation string unused: advproxy chgwebpwd old password
 WARNING: translation string unused: advproxy chgwebpwd username
-WARNING: translation string unused: advproxy content based throttling
-WARNING: translation string unused: advproxy errmsg auth ipcache ttl
 WARNING: translation string unused: advproxy errmsg change fail
 WARNING: translation string unused: advproxy errmsg change success
 WARNING: translation string unused: advproxy errmsg invalid bdc