Re: [squid-users] Logging user names from Peter Wood on 2001-06-30 (squid-users)

From: Peter Wood <woodp@dont-contact.us>
Date: Sat, 30 Jun 2001 17:59:34 +1000

Hi all,

Henrik Nordstrom <hno@hem.passagen.se> on Fri, 29 Jun 2001 12:07:36 +0200 wrote:

> Peter Wood wrote:
> > Alas no. The users all had the same login details for both local NT login
> > and SINA but divergence in the passwords has occured since then.

> Am I correct in that you want the proxy to log the login information
> even if the proxy as such does not care about managing logins?

Correct. I'm interested in keeping track of students movements in case
they get into areas they shouldn't and maybe be better able to restrict their
access using quotas or such. They don't (yet) have accounts on the
Linux box although as we get more adventurous we might set up Apache and
give the kids the ability to publish their own stuff direct to the web server.
I'm probably looking for trouble there :-)

> This can theoretically be done by using log_mime_hdrs, and then
> postprocess the logs to extract the relevant HTTP header information,
> but be warned that this will log a lot of information, including
> passwords both for the parent proxy and many web sites... If this is too
> much then hacking the code to log the parent proxy user name is also
> possible.

I tried this (It does produce a lot of extra data!!) but although I can see
users logging into, say, Hotmail (I'm seeing "EmailAddress=username") I can't
see any logins to our parent cache... What would they look like?
Would they be in a plain text format or encrypted in some way?

> Another approach would be to make your proxy validate the login before
> forwarding the request. Writing a auth helper that validates the login
> to another proxy shouldn't be too hard. This way your proxy will know
> the username. In effect the users will be logging in to your proxy which
> uses the parent proxy to validate the password.

This sounds great but we're all school teachers in here and C isn't on the
curriculum :-)

> A third approach woul be to use some other method of identifying the
> users. For example ident.

I'm not familiar with ident but I'll look it up.

Thanks to all the replies we've been getting to this thread. We're slowly getting
an understanding of how this all fits together.

regards,

Peter.

Peter Wood
Learning Technologies Coordinator
Princes Hill Secondary College
North Carlton
Victoria
Australia
Received on Sat Jun 30 2001 - 01:59:39 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:53 MST