Re: [squid-users] acl ident_regex

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 25 Jul 2003 22:05:03 +0200

On Friday 25 July 2003 21.11, Chris Wilcox wrote:
> Thanks for all the replies folks,
>
> I'm sure that when I used identd on my clients at work ages ago,
> squid logged hostname and username in its logs

Maybe you had log_fqdn enabled?

Squid CAN lookup the host name from the IP address using DNS, provided
your clients are registered in DNS.

The other alternative is if you were using ident, and the ident server
used returns both hostname and login as user identity (for example
hostname\login)

Many Windows ident servers allow you to freely set the ident to be
returned.

> For our project to work, we need a way of transparently being able
> to control access by client hostname as well as username.

And for this, all you need is to decide on how Squid should be told
what host name it is. There you have four choices which I know of:

1. DNS lookup
2. Local table of IP addresses
3. IDENT where the ident server used on each client returns the host
name as part of the user identity.
4. WINS lookup via DNS->WINS gateway

> A vast majority of our target networks will be
> using dynamic DHCP, so it is likely that client computers will not
> have the same IP address on each connection to the cache so it
> isn't an option to control access by IP.

But DNS may still be an option. If the network already employs dynamic
DNS updates then DNS will work fine out of the box. Dynamic DNS is
supported by many DHCP networks today.

Another DNS option is if the DNS setup used in the network has WINS
capability such as via the Microsoft DNS server or via another
DNS->WINS gateway then host names of Windows network stations are also
available via DNS.

> Also, using MAC address
> is way too much of a hassle for the proposed end-users of our system
> to contemplate.

And also not more secure, and only works in a single network segment
(there cannot be any routers, including proxy-arp routers, dialups or
whatever not directly connected to the same segment as the proxy).

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Fri Jul 25 2003 - 14:05:22 MDT
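
Added example, not part of the original message: a squid.conf fragment showing choices 1 (DNS lookup) and 3 (IDENT) from the list above as ACLs. The domain, address range, host naming scheme and ACL names are constructed for illustration, and the ident string format (host name, a separator, then login) is an assumption about how the client ident servers are configured.

```conf
# Constructed sample network; adjust to the real address plan.
acl lan src 192.168.0.0/255.255.0.0

# --- Choice 1: DNS lookup -------------------------------------------
# srcdomain does a reverse DNS lookup on the client IP and compares the
# resulting name. With DHCP this only works if the DHCP server registers
# clients in DNS (dynamic DNS) or the DNS server can answer from WINS.
acl lab_by_dns srcdomain .lab.example.com

# Log host names instead of IP addresses in access.log (the log_fqdn
# setting mentioned in the reply). Each new client costs a DNS lookup.
log_fqdn on

# --- Choice 3: IDENT carrying the host name --------------------------
# Perform ident lookups for LAN clients so the returned identity is
# available for logging as well as for ACL matching.
ident_lookup_access allow lan
ident_timeout 5 seconds

# Assumed ident format: <hostname><separator><login>, e.g. labpc07\alice.
# The pattern is anchored at the start and requires a non-alphanumeric
# separator right after the host number, so "labpc07x\alice" and
# "xlabpc07\alice" do not match. -i makes the match case-insensitive.
acl lab_by_ident ident_regex -i ^labpc[0-9]+[^a-z0-9]

# Logins allowed from those hosts, matched at the end of the same string.
acl lab_users ident_regex -i [^a-z0-9](alice|bob)$

# --- Policy ----------------------------------------------------------
# Pick ONE identification method per rule. The ident string is whatever
# the ident server on the client chooses to return, so these ACLs are
# only as trustworthy as the client machines themselves.
http_access allow lan lab_by_dns
http_access allow lan lab_by_ident lab_users

# "all" is the catch-all ACL from the stock squid.conf.
http_access deny all
```

Clients that run no ident server fail the ident ACLs and fall through to the final deny rule.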
