Re: [squid-users] Getting username into squid access.log

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 11 Sep 2004 12:24:48 +0200 (CEST)

On Sun, 5 Sep 2004, Joe Kraft wrote:

> I've read so much Squid documentation that my head is spinning now. I just
> want to clear up one point before I expend any more brain bytes.
>
> If I set up squid to work transparently, ala FAQ 17.1 does that mean that
> there is absolutely NO WAY I will ever be able to get squid to figure out who
> is logged in at the machine that made the request? And thus, no usernames in
> the access.log?

If your Squid is getting the HTTP requests by interception then there is
no way you can use authentication to get the username.

It is however possible to use out-of-band techniques to get the username,
for example if you can devise a method where Squid can look up the username
based on the client IP address then this can be plugged into Squid by
using an external acl.

> I just want to make sure that this is the behavior referenced in the
> discussions about proxy-auth. So I can control access by the IP address of
> the machine, but not by user. Squid is not allowed by the RFC to ask
> anything back to the requesting machine, because the requester is not
> expecting squid to be there in the middle. Is this correct so far?

Yes. Or to make it more to the point, web browsers are not allowed to
respond to such authentication required requests as they have no way of
knowing who the proxy is, for all the browser knows it is talking to the
origin web server out on the Internet.

> So the least intrusive way to make this work, and to have the names, is to not
> use squid in a transparent mode and use the automatic configuration script
> from FAQ 5.2?

Yes.

As most clients can autodetect the proxy configuration script with very
little effort in the network infrastructure, this is not that big of a
problem. Just configure the WPAD attribute in your DHCP servers and DNS.

Regards
Henrik
Received on Sat Sep 11 2004 - 04:24:50 MDT
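
The external acl lookup by client IP address mentioned in the reply above can be sketched as a helper program. This is an added example, not code from the original post or from the Squid project; the helper path, the acl names ip_user and known_user, and the session table are assumptions.

```python
#!/usr/bin/env python3
"""Added example: Squid external ACL helper mapping client IP -> username.

Assumed squid.conf wiring (names and path are hypothetical):
  external_acl_type ip_user ttl=60 negative_ttl=10 %SRC /usr/local/bin/ip_user_helper.py
  acl known_user external ip_user
  http_access allow known_user
"""
import ipaddress
import re
import sys
import time

# Constructed sample session table: IP -> (username, expiry in epoch seconds).
# Assumption: a real deployment fills this from a login portal or similar source.
SESSIONS = {
    "192.0.2.10": ("jkraft", 2_000_000_000),
    "192.0.2.11": ("alice", 1_000_000_000),  # expired entry
}
# Only names that need no escaping in the helper reply are accepted.
SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,64}")


def lookup(line, sessions=SESSIONS, now=None):
    """Return the helper reply for one request line (the %SRC value)."""
    now = time.time() if now is None else now
    fields = line.split()
    if len(fields) != 1:
        return "ERR"
    try:
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"
    entry = sessions.get(ip)
    if entry is None:
        return "ERR"
    user, expires = entry
    if expires <= now or not SAFE_USER.fullmatch(user):
        return "ERR"  # stale or unsafe mapping: do not attribute the traffic
    return f"OK user={user}"


def main():
    for line in sys.stdin:
        sys.stdout.write(lookup(line) + "\n")
        sys.stdout.flush()  # Squid waits for one reply line per request


if __name__ == "__main__":
    main()
```

The name logged this way is only as reliable as the IP-to-user table, so entries carry an expiry and anything unknown or stale gets ERR instead of a guessed name.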
