Re: [squid-users] ident authentication and follow_x_forwarded_for

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 12 May 2010 15:39:44 +1200

Ben Miller wrote:
> Greetings,
>
> I am configuring a Squid/Dansguardian web proxy/content filter. The
> flow of traffic looks like this:
>
> Client --> Proxy:8080 (Dansguardian) --> 127.0.0.1:3128 (Squid running
> on Proxy) --> Edge firewall
>
> The relevant portions of squid.conf follow:
>
> ==================================================================================
> acl localnet src 10.0.0.0/8
>
> # Authentication ACLs
> # Allow ident lookups on internal clients
> #ident_lookup_access allow localnet
> ident_lookup_access allow localnet
> ident_lookup_access deny all
>
> # Allow clients with IDENT
> acl ident_auth ident REQUIRED
> # If they don't have ident login restrict access to authorized via ldap
> acl ldap_auth proxy_auth REQUIRED
>
> # Attempt ident, then LDAP/basic authentication. Note that Squid is
> # only listening on 127.0.0.1:3128, so the following lines are to
> # support acl_uses_indirect_client
> http_access allow ip_authenticated
> http_access allow ident_auth localnet
> http_access allow ldap_auth localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # OPTIONS FOR X-Forwarded-For
> # -----------------------------------------------------------------------------
>
> # Allow Squid to see Dansguardian IP addresses
> follow_x_forwarded_for allow localhost
> follow_x_forwarded_for deny all
>
> # NETWORK OPTIONS
> # -----------------------------------------------------------------------------
>
> # Listen only to Dansguardian
> http_port 127.0.0.1:3128
>
> ==================================================================================
>
>
> I am attempting to configure Squid to authenticate with ident, but it
> seems that the 'follow_x_forwarded_for allow localhost' is not being
> honored by the ident authenticator. Is there any way to configure
> Squid to send the ident queries to the originating client?

IDENT protocol kicks off as soon as the TCP connection is made, well
before the HTTP headers exist.

Squid would need to be patched to do the IDENT lookup after header
processing for XFF to be used in its ACLs.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.3
Received on Wed May 12 2010 - 03:39:52 MDT

This archive was generated by hypermail 2.2.0 : Wed May 12 2010 - 12:00:05 MDT
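The ordering Amos describes, as an added illustration that is not part of the thread and not Squid's own code: an RFC 1413 (IDENT) query is addressed to the TCP peer and can be sent the moment the connection exists, whereas the address in X-Forwarded-For only becomes known once the request headers have been parsed. The example pairs a minimal ident client and response parser with a constructed identd running on 127.0.0.1 (standing in for the Dansguardian host), and a right-to-left X-Forwarded-For walk that mirrors how follow_x_forwarded_for trusts a hop only when the address that reported it is allowed. The addresses 10.0.5.17, the ports, the trusted list and the user name "dansguardian" are all assumed values for the demo.

```python
"""Toy RFC 1413 (IDENT) exchange beside an X-Forwarded-For walk.

Added example, not code from the mailing-list thread or from Squid.  All
addresses, ports, the identd and the user name are constructed for the demo.
"""
import socket
import threading
from ipaddress import ip_address, ip_network


def ident_request(server_port: int, client_port: int) -> bytes:
    # RFC 1413 query: "<port on the querying side>, <port on the peer side>" CRLF
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_ident_response(line: str) -> dict:
    """Parse '<sp>, <cp> : USERID : <opsys> : <user>' or '<sp>, <cp> : ERROR : <type>'."""
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    if len(fields) < 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    sport, cport = (int(p) for p in fields[0].split(","))
    if fields[1] == "USERID" and len(fields) == 4:
        return {"server_port": sport, "client_port": cport,
                "os": fields[2], "user": fields[3]}
    if fields[1] == "ERROR":
        return {"server_port": sport, "client_port": cport, "error": fields[2]}
    raise ValueError(f"unrecognised ident reply: {line!r}")


def start_toy_identd(user: str) -> tuple:
    """Constructed identd on 127.0.0.1: answers one query with USERID for `user`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, returned to the caller
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(64).decode("ascii").strip()
            conn.sendall(f"{req} : USERID : UNIX : {user}\r\n".encode("ascii"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()            # ("127.0.0.1", port)


def ident_lookup(peer_ip: str, ident_port: int, server_port: int,
                 client_port: int, timeout: float = 2.0) -> dict:
    """Ask the TCP *peer* who owns its side of the connection.

    This is the only address the lookup can ever be aimed at: nothing from the
    HTTP layer (including X-Forwarded-For) exists yet when it is sent.
    """
    with socket.create_connection((peer_ip, ident_port), timeout=timeout) as s:
        s.sendall(ident_request(server_port, client_port))
        reply = s.makefile("r", encoding="ascii").readline()
    return parse_ident_response(reply)


def resolve_indirect_client(peer_ip: str, xff: str, trusted: list) -> str:
    """Walk X-Forwarded-For right-to-left, believing a hop only when the
    address that reported it is in `trusted` (follow_x_forwarded_for style)."""
    nets = [ip_network(n) for n in trusted]

    def is_trusted(addr: str) -> bool:
        return any(ip_address(addr) in n for n in nets)

    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    client = peer_ip
    while hops and is_trusted(client):
        nxt = hops.pop()
        try:
            ip_address(nxt)
        except ValueError:
            break                       # "unknown" or junk: stop, keep last valid hop
        client = nxt
    return client


def run_demo() -> dict:
    """Sequence as seen from Squid: connect -> ident (peer) -> headers -> XFF."""
    identd_ip, identd_port = start_toy_identd("dansguardian")   # constructed
    peer_ip, peer_port = "127.0.0.1", 45000                      # assumed peer socket
    # 1. TCP connection from Dansguardian arrives at 127.0.0.1:3128; ident fires now.
    ident = ident_lookup(identd_ip, identd_port, 3128, peer_port)
    # 2. Only afterwards are the request headers available.
    headers = {"X-Forwarded-For": "10.0.5.17"}                   # constructed
    indirect = resolve_indirect_client(peer_ip, headers["X-Forwarded-For"],
                                       ["127.0.0.1/32"])
    return {"ident_target": identd_ip, "ident_user": ident["user"],
            "indirect_client": indirect}


if __name__ == "__main__":
    print(run_demo())
```

Run it and the ident answer is keyed to 127.0.0.1 (the proxy host) while the indirect client resolves to 10.0.5.17; the two are never the same object at the same point in time, which is exactly why `acl ident_auth ident REQUIRED` cannot be satisfied through `follow_x_forwarded_for`. The walk in `resolve_indirect_client` also shows the security caveat: an untrusted peer's X-Forwarded-For is ignored entirely, so keep the allow list limited to the filter host rather than `all`.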