Re: [squid-users] Transparent Proxy from Henrik Nordstrom on 2003-03-30 (squid-users)

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 30 Mar 2003 17:49:43 +0200

pauloric wrote:
>
> Em Sex, 2003-03-28 às 19:07, Henrik Nordstrom escreveu:
> > pauloric wrote:
> >
> > > Is it possible to have all reports generated by SARG w/ user ID instead
> > > IP address??
> >
> > Only if you can make a scheme whereby the user ID can be found from the
> > IP address.
> >
> > > I've been reading about external_acl_type. Is it the rigth way?
> >
> > If you find the solution to the above problem then external_acl_type can
> > be used to have the username filled in by Squid.
>
> Sorry Henrik, I didn't say all about the specs. I'm using iptables +
> squid ( transparent proxy) + DHCP + SARG. Again it's all running
> smoothly.
>
> I've noticed that w/ sarg I can have a list w/ IPADRESS + USERID and all
> reports will be generated w/ user ID, but I would like to use another
> method preferably taking direct from access.log ( id user instead ip
> address)

And this is how I understood your question. external_acl_type helpers
can return the username to Squid, provided they can look up the username
somewhere.

If you already have solved the question "Who is using IP x.x.x.x right
now?" then writing an external_acl_type helper which returns this to
Squid is not hard. See squid.conf for a descripiton of the communication
between Squid and external acl helpers.

> I know that I can't have Trasparent proxy + authentication right, can I?

Right.

> Then I'm thinking about using Transparent proxy + external_acl and an
> external helper program ip_user_check ( from Rodrigo Campos). I've been
> writing a scripts to take UserIP + name from dhcp and it's ok

I don't exacly see the relationship with ip_user_check here...
ip_user_check fills another purpose (only give an authenticated user
access if he is using his correct IP address recorded on file).

A new helper needs to be written. If you have already written a script
to query your DHCP server then this can easily be extended into becoming
a external acl helper to Squid I think.

A example external acl helper for returning user name, given a separate
program or function lookup_user_from_ip which prints the current
username given a IP address:

#!/bin/sh
while read IP; do
   user="`lookup_user_from_ip $IP`"
   if [ -n "$user" ]; then
      echo "OK user=$user"
   else
      echo "ERR"
   fi
done

Regards
Henrik
Received on Sun Mar 30 2003 - 08:50:17 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:14:25 MST