Re: ident lookup problem -- BUG?

From: Andre Albsmeier <andre.albsmeier@dont-contact.us>
Date: Wed, 7 Oct 1998 08:06:02 +0200 (CEST)

> Hello,
>
> We use an authenticating cache (squid 1.1 + 1.2beta25) but have some Lynx
> clients on a multiaccess UNIX box.
>
> To solve the problem of Lynx not working with an authenticating cache, I
> did the following:
>
> acl multiaccess_hosts src suma3
> acl multiaccess_users user REQUIRED
>
> ...
>
> http_access allow multiaccess_hosts multiaccess_users
>
> This works fine.
>
> However, we have been experiencing a problem with PC-NFS clients under
> Windows 3.1... they appear to have a buggy TCP/IP stack which doesn't
> report 'destination unreachable' when the server attempts to contact
> something on a port which is not being listened on.
>
> The result is the squid cache keeps sending 'ident' lookups to the 'auth'
> port on the client machine but never receives an 'unreachable' so it
> never times out. The end result (from the user's point of view) is that
> they can't use the cache. :(

Same here :-). Windoze 95 and NT do it better.

>
> Can squid be modified to only do the ident lookups if required? i.e. it
> won't try to do an ident lookup on the above rule unless it first matches
> the 'multiaccess_hosts' acl.
>
> However, by commenting out the 'http_access' line, it still did an ident
> lookup! I don't have 'ident_lookups' set to 'on' (I just have it
> commented out... so it should default to 'off').
>
> To me, the problem looks mainly in the ball of PC-NFS... but we can't
> really solve that, so I was hoping to bounce it back and solve it at the
> squid end...?
>

My solution is the patch below. I split my allowed hosts in two parts:

Part one: Hosts which can (and should) answer ident lookups; these are
          workstations with an identd

Part two: Hosts without identd or broken TCP/IP stack (PC-NFS)

All acls of hosts from part two have a name beginning with NIH_ (which
stands for NoIdentHost :-)).

So I have the following entries in my squid.conf:

#----- hosts that DON'T have identd -------------------

acl NIH_PIEZO_TLD src sinatra.piezo.tld
acl NIH_PIEZO_TLD src vivaldi.piezo.tld
acl NIH_PIEZO_TLD src whitney.piezo.tld

http_access allow NIH_PIEZO_TLD

#----- hosts that DO have identd -------------------

acl USR_PIEZO_TLD user franz gerd jo
acl WS_PIEZO_TLD src aladdin.ofw.tld
acl WS_PIEZO_TLD src betty.ofw.tld
acl WS_PIEZO_TLD src bunny.ofw.tld

http_access allow WS_PIEZO_TLD USR_PIEZO_TLD

The patch is for squid-1.1.22 but should be easily adaptable for squid-2...
It's been working now for two years or so...

        -Andre

*** src/client_side.c.orig Fri Mar 6 19:33:10 1998
--- src/client_side.c Mon Mar 30 17:28:01 1998
***************
*** 147,152 ****
--- 147,177 ----
      const ipcache_addrs *ia = NULL;
  
      if (Config.identLookup && icpState->ident.state == IDENT_NONE) {
+ const struct _acl_access* aa = HTTPAccessList;
+ const struct _acl_ip_data* ip;
+
+ while (aa) {
+ if( strncmp( aa->acl_list->acl->name, "NIH_", 4 ) == 0 )
+ if( aa->acl_list->acl->type == ACL_SRC_IP ) {
+ ip = aa->acl_list->acl->data;
+ while( ip ) {
+ if( ip->addr1.s_addr == icpState->peer.sin_addr.s_addr ) {
+ *(icpState->ident.ident) = '-';
+ *(icpState->ident.ident + 1) = '\0';
+ icpState->ident.state = IDENT_DONE;
+ goto ipfound;
+ }
+ ip = ip->next;
+ }
+ }
+ aa = aa->next;
+ }
+ ipfound:
+ debug(33, 2, "IdentCancel: %s %d\n", inet_ntoa(icpState->peer.sin_addr), icpState->ident.state == IDENT_DONE );
+ }
+
+ if (Config.identLookup && icpState->ident.state == IDENT_NONE) {
+
          icpState->aclHandler = handler;
          identStart(-1, icpState, clientLookupIdentDone);
          return;
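Review bot: the scan only inspects the first acl of each http_access line (`aa->acl_list->acl->name`), so an entry such as `http_access allow WS_PIEZO_TLD NIH_PIEZO_TLD` would never be recognised and the ident lookup would still be started for those hosts; walk the whole `acl_list` chain rather than just its head. The address test is an exact `==` on `ip->addr1.s_addr`, so an NIH_ src acl written as anything other than a single host address will not match; reusing the src-acl matcher squid already applies for `http_access` instead of comparing one field would keep both behaviours in step. Smaller points: the `NIH_` prefix check does not distinguish `allow` from `deny` lines, and closing the original block only to reopen it with a second identical `if (Config.identLookup && icpState->ident.state == IDENT_NONE)` after `ipfound:` reads oddly; moving the cancel logic into its own function that returns whether the peer matched would remove the `goto` and the duplicated condition.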
Received on Tue Oct 06 1998 - 23:07:34 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:42:21 MST