Re: [squid-users] Re: ident authentication and follow_x_forwarded_for

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 16 Aug 2010 23:46:19 +1200

Ricpelo wrote:
> Hi! I'm trying to set up the following configuration:
>
> Client => Squid A => DansGuardian => Squid B => Internet
>
> Squid A does Ident authentication, and then forwards the request to the
> DansGuardian with the following line in its /etc/squid/squid.conf:
>
> cache_peer 192.168.0.1 parent 8080 0 no-query no-digest default login=*:foobar
>
> where 192.168.0.1:8080 is the DansGuardian's IP address and port.
>
> Squid A correctly logs the Client's username in its
> /var/log/squid/access.log file, which is great. However, DansGuardian
> doesn't log the username in /var/log/dansguardian/access.log.
>
> When I set up Ident authplugin in /etc/dansguardian/dansguardian.conf, then
> DansGuardian logs "proxy" username into its logs, instead of the correct
> user name. If I use another authplugin (proxy-basic, proxy-digest,
> proxy-ntlm or ip), DansGuardian simply doesn't log any user name in its
> log files.
>
> Is there a way to get DansGuardian to log the right username in its logs, as
> Squid does? Is Squid giving the wrong username to DansGuardian? May I fix
> the Squid's configuration?
>
> Thank you very much in advance,
>
> Ricardo.

To receive usernames from Squid-A, the correct DansGuardian module is
probably that "proxy-basic" one. Most Squid still pass login=
credentials as Basic protocol auth headers. (Only the latest releases
allow Negotiate as well).

I think you will find the problem is that IDENT is not a full
authentication scheme. So the nickname does not get passed on as one in
the HTTP headers. Just logged and permitted in ACL tests.

Squid will sort of trust an external_acl_type helper to send back
usernames for passing out. So you can build a work-around helper which
takes the IDENT nickname as input parameter and returns "OK user=" and
the received IDENT nickname.

PS: your mailer seems to be slightly broken. It mailed the list many times.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.6
   Beta testers wanted for 3.2.0.1
Received on Mon Aug 16 2010 - 11:46:32 MDT
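
The work-around helper described in the reply above, as an added example that is not part of the original message and not Squid's own code. The helper path, the ACL names and the allowed-character policy are assumptions; the helper rejects nicknames that are empty or contain characters such as ':' before handing them back, since an IDENT answer is supplied by the client machine and would otherwise flow unchecked into the Basic header sent to the peer.

```python
#!/usr/bin/env python3
"""Added example: external_acl_type helper that echoes the IDENT nickname.

Assumed squid.conf wiring on Squid A (helper path and ACL names are made up):
  external_acl_type ident_user %IDENT /usr/local/bin/ident_user.py
  acl ident_ok external ident_user
  http_access allow ident_ok
Assumes the default non-concurrent helper protocol (one value per line).
"""
import re
import sys
from urllib.parse import unquote

# IDENT answers come from the client machine, so accept only a conservative
# character set: no ':' (Basic auth separator), whitespace or control bytes.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def answer(line: str) -> str:
    """Map one request line from Squid to a helper reply."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"
    name = unquote(fields[0])  # Squid URL-escapes values sent to helpers
    if name == "-" or not SAFE_NAME.fullmatch(name):
        return "ERR"  # "-" means Squid had no IDENT answer for this client
    return "OK user=" + name


def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    main()
```

With the existing `login=*:foobar` on the cache_peer line, the name returned in `user=` is the one Squid A can pass on to the peer.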