[squid-users] Re: squid_kerb_auth and access.log issue

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Thu, 27 Aug 2009 20:54:15 +0100

Sorry, I don't know what could be wrong. Can you see in the cache.log file
the squid_kerb_auth debug information about successful auth? Your examples
below are all denies and you won't have a username if it gets denied because
of an invalid Kerberos token.

Markus

----- Original Message -----
From: "Wojciech Dudys" <wdudys_at_gmail.com>
To: "Markus Moeller" <huaraz_at_moeller.plus.com>
Sent: Thursday, August 27, 2009 8:16 PM
Subject: Re: [squid-users] Re: squid_kerb_auth and access.log issue

> My configuration is very simple. I just added those lines to the
> default squid.conf file
>
> auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -d
> auth_param negotiate children 10
> auth_param negotiate keep_alive on
>
> acl kerb_auth proxy_auth REQUIRED
> acl multi_ip max_user_ip 2
>
> http_access deny multi_ip
> http_access allow kerb_auth
> http_access deny all
>
> The only rule that applies to CONNECT is
> http_access deny CONNECT !SSL_ports
>
> Regards,
> Wojtek
>
> 2009/8/27 Markus Moeller <huaraz_at_moeller.plus.com>:
>> Is it possible that you allow CONNECT without authentication? A
>> configuration error?
>>
>> Markus
>
"Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
news:h76j5e$d6b$1_at_ger.gmane.org...
> Is it possible that you allow CONNECT without authentication? A
> configuration error?
>
> Markus
>
> ----- Original Message -----
> From: "Wojciech Dudys" <wdudys_at_gmail.com>
> To: "Markus Moeller" <huaraz_at_moeller.plus.com>
> Sent: Thursday, August 27, 2009 8:47 AM
> Subject: Re: [squid-users] Re: squid_kerb_auth and access.log issue
>
>
>> Auth is ok. I can get to https sites with no problem. There just is no
>> information about my login in the access.log
>> With http everything is ok.
>>
>> Wojtek
>>
>>
>> "Markus Moeller" <huaraz_at_moeller.plus.com> wrote in message
>> news:h746v9$s72$1_at_ger.gmane.org...
>> I am not sure, but squid_auth_kerb is a normal helper and doesn't do
>> anything with logging. If auth fails, which means squid_kerb_auth cannot
>> get the username, then squid evidently cannot log it.
>>
>> Markus
>>
>>
>> "Wojciech Dudys" <wdudys_at_gmail.com> wrote in message
>> news:98f978a70908260801p33627ecdj30509566ad00d469_at_mail.gmail.com...
>> Hi,
>>
>> I have squid 3.0.18 configured to use squid_kerb_auth helper.
>>
>> When I make a proper HTTP request I see in the access.log:
>>
>> 1251290049.789 209 X.X.X.X TCP_MISS/200 486 POST
>> http://mail.google.com/mail/channel/bind? USER@REALM
>> DIRECT/74.125.39.17 text/plain
>>
>> Ident field is filled with USER@REALM. And this is great.
>>
>> but when I make HTTPS request I see:
>>
>> 1251289923.734 0 X.X.X.X TCP_DENIED/407 2233 CONNECT
>> www.google.com:443 - NONE/- text/html
>>
>> and there is NONE in the Ident field.
>>
>> The same situation is when I get TCP_DENIED
>>
>> 1251289928.638 0 X.X.X.X TCP_DENIED/407 3353 GET
>> http://mail.google.com/mail/? - NONE/- text/html
>>
>>
>> Is this a bug?
>>
>> Regards
>>
>>
>>
>
>
>
Received on Thu Aug 27 2009 - 20:00:33 MDT
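
Added example (not part of the original thread and not Squid's own code): a small access.log audit that separates 407 challenge lines, which never carry a username, from requests that were actually served, and lists any served request logged without a user, the case the "CONNECT without authentication" question is about. It assumes Squid's native log format as shown in the thread; the names classify and audit are hypothetical, and the last two sample lines are constructed.

```python
import re
from collections import Counter

# Squid native access.log fields, in order:
# time elapsed client result/status bytes method url user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: the first three lines are the thread's entries re-joined
# onto one line each; the last two are hypothetical (example.test, 192.0.2.10).
SAMPLE = """\
1251290049.789 209 X.X.X.X TCP_MISS/200 486 POST http://mail.google.com/mail/channel/bind? USER@REALM DIRECT/74.125.39.17 text/plain
1251289923.734 0 X.X.X.X TCP_DENIED/407 2233 CONNECT www.google.com:443 - NONE/- text/html
1251289928.638 0 X.X.X.X TCP_DENIED/407 3353 GET http://mail.google.com/mail/? - NONE/- text/html
1251289924.101 812 X.X.X.X TCP_MISS/200 5120 CONNECT www.google.com:443 USER@REALM DIRECT/74.125.39.17 -
1251289930.002 640 X.X.X.X TCP_MISS/200 4096 CONNECT example.test:443 - DIRECT/192.0.2.10 -
"""

def classify(line):
    """Return (kind, fields) for one access.log line."""
    m = LINE.match(line.strip())
    if m is None:
        return "unparsed", None
    rec = m.groupdict()
    if rec["status"] == "407":
        return "challenge", rec        # proxy asked for credentials; no user yet
    if rec["result"] == "TCP_DENIED":
        return "denied", rec           # refused by an http_access rule
    if rec["user"] == "-":
        return "unauthenticated", rec  # served, but no username was logged
    return "authenticated", rec

def audit(text):
    """Count line kinds and list requests served without a username."""
    counts, served_anonymously = Counter(), []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, rec = classify(line)
        counts[kind] += 1
        if kind == "unauthenticated":
            served_anonymously.append((rec["method"], rec["url"], rec["client"]))
    return counts, served_anonymously

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty second element means every served request carried a username, so the "-" entries are only the 407 challenges.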
