Re: [squid-users] squid + dansguardian + auth

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 11 Feb 2010 11:00:44 +1300

On Wed, 10 Feb 2010 14:05:14 +0000 (WET), Bruno Ricardo Santos
<bvsantos_at_hal.min-saude.pt> wrote:
> X-Copyrighted-Material
>

Oh, lucky you did not add your "nobody is allowed to read this" disclaimer
as well. I can finally answer this request without getting myself into
trouble publicly... ;)

>
> Hi all!
>
> I'm having some trouble configuring squid with auth + dansguardian content
> filter.
>
> It's all configured, but when I try to browse, I get an error:
>
> Dansguardian 400
> URL malformed
>
> Does authentication (and dansguardian filter) only work with transparent
> proxy or do I have some configuration wrong?

Auth does NOT work against transparent proxies.
Is your Squid doing "transparent" NAT interception or TPROXY?

>
> If I configure the browser to access directly to the squid port,
> everything works perfect...

Yes. Good. Auth works in regular proxy configuration.

>
> The problem, as I see it, is about the IP dansguardian passes to squid.
> After a request, dansguardian gives squid the local machine IP.

Yes. IMHO the documented config with DG between the client and Squid is
not as good as DG between squid and the Internet.

Try reversing the order of the two, so that Squid is being contacted by
the visitors, and DG does its filtering before Squid stores the replies.

>
> If I change some options in dansguardian, as originalip, I get the error
> above!

Which is produced by some error in DG. Nothing to do with Squid.

>
> I've tried messing around with the following options:
>
> forwardedfor
>
> usexforwardedfor
>
> and in squid
>
> follow_x_forwarded_for
>
> but I had no luck....

Auth is not directly related to the connecting IP unless you have turned
on ACLs to limit the number of connections per IP. Doing so would block
most of your users going through DG.

>
> Any idea ?

Auth happens as a challenge reply to the requests which are not already
authenticated.

Whether they will work through DG depends on what type of authentication
you are doing.

Amos
Received on Wed Feb 10 2010 - 22:00:48 MST
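
An added example, not part of the original message: a small Python lint for the point made in the reply that auth does not work on intercepted ports, flagging a squid.conf that requires proxy_auth while also listening in interception mode. The sample configuration, helper path and function names are constructed for illustration.

```python
# Constructed sample squid.conf (not from the thread); paths are placeholders.
SAMPLE_CONF = """\
http_port 3128
http_port 3129 intercept
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl authed proxy_auth REQUIRED
acl localnet src 192.168.0.0/16
http_access allow localnet authed
http_access deny all
"""

# http_port options that put a port into interception mode.
INTERCEPT_FLAGS = {"transparent", "intercept", "tproxy"}
AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}


def parse_squid_conf(conf_text):
    """Return (intercepted_ports, forward_ports, auth_rules)."""
    intercepted, forward, auth_acls, auth_rules = [], [], set(), []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "http_port":
            target = intercepted if INTERCEPT_FLAGS & set(args[1:]) else forward
            target.append(args[0])
        elif directive == "acl" and len(args) >= 2 and args[1] in AUTH_ACL_TYPES:
            auth_acls.add(args[0])
        elif directive == "http_access":
            # args[0] is allow/deny; the rest are ACL names, optionally negated.
            if {a.lstrip("!") for a in args[1:]} & auth_acls:
                auth_rules.append(" ".join(tokens))
    return intercepted, forward, auth_rules


def lint_auth_vs_interception(conf_text):
    """Warn when proxy_auth rules coexist with intercepted listening ports."""
    intercepted, forward, auth_rules = parse_squid_conf(conf_text)
    warnings = []
    if auth_rules and intercepted:
        warnings.append("proxy_auth is required but these ports intercept traffic, "
                        "where auth does not work: " + ", ".join(intercepted))
    if auth_rules and not forward:
        warnings.append("no regular (explicitly configured) proxy port for auth")
    return warnings


if __name__ == "__main__":
    for w in lint_auth_vs_interception(SAMPLE_CONF):
        print("WARNING:", w)
```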
