Re: [squid-users] Re: ident authentication and follow_x_forwarded_for

From: Ricardo Pérez <ricpelo_at_gmail.com>
Date: Wed, 18 Aug 2010 12:27:51 +0200

2010/8/16 Amos Jeffries <squid3_at_treenet.co.nz>
>
> Ricpelo wrote:
>>
>> Hi! I'm trying to set up the following configuration:
>>
>>  Client => Squid A => DansGuardian => Squid B => Internet
>>
>> Squid A does Ident authentication, and then forwards the request to the
>> DansGuardian with the following line in its /etc/squid/squid.conf:
>>
>>  cache_peer 192.168.0.1 parent 8080 0 no-query no-digest default login=*:foobar
>>
>> where 192.168.0.1:8080 is the DansGuardian's IP address and port.
>>
>> Squid A correctly logs the Client's username in its
>> /var/log/squid/access.log file, which is great. However, DansGuardian
>> doesn't log the username in /var/log/dansguardian/access.log.
>>
>> When I set up the Ident authplugin in /etc/dansguardian/dansguardian.conf, then
>> DansGuardian logs the "proxy" username in its logs, instead of the correct
>> user name. If I use another authplugin (proxy-basic, proxy-digest,
>> proxy-ntlm or ip), DansGuardian simply doesn't log any user name in its
>> log files.
>>
>> Is there a way to get DansGuardian to log the right username in its logs, as
>> Squid does? Is Squid giving the wrong username to DansGuardian? May I fix
>> Squid's configuration?
>>
>> Thank you very much in advance,
>>
>> Ricardo.
>
>
> To receive usernames from Squid-A the correct DansGuardian module is probably that "proxy-basic" one. Most Squid still passes login= credentials as Basic protocol auth headers. (Only the latest releases allow Negotiate as well).
>
> I think you will find the problem is that IDENT is not a full authentication scheme. So the nickname does not get passed on as one in the HTTP headers. Just logged and permitted in ACL tests.
>
> Squid will sort of trust an external_acl_type helper to send back usernames for passing out. So you can build a work-around helper which takes the IDENT nickname as input parameter and returns "OK user=" and the received IDENT nickname.

Thank you very much! Your solution worked like a charm :).

Cheers,

Ricardo.
Received on Wed Aug 18 2010 - 10:28:14 MDT
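
The work-around helper described in the quoted reply, as an added example that is not code from this thread or from the Squid project: it takes the IDENT name Squid passes in and answers "OK user=" plus that name, rejecting anything that is not a plain account name. The helper path, the ACL names in the docstring, the username pattern, and the assumption that Squid sends URL-escaped values with "-" for a missing IDENT answer are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: echo the IDENT name back as user=.

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type ident_user %IDENT /usr/local/bin/ident_user.py
  acl ident_login external ident_user
  http_access allow ident_login
"""
import re
import sys
from urllib.parse import unquote

# Assumed local policy: short, plain account names only. Anything else could
# smuggle extra key=value pairs or line breaks into the helper reply.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def reply_for(line: str) -> str:
    """Return the helper reply for one request line from Squid."""
    fields = line.split()
    if len(fields) != 1:          # expect exactly one token: %IDENT
        return "ERR"
    name = unquote(fields[0])     # assumed: values arrive URL-escaped
    if name == "-" or not SAFE_NAME.fullmatch(name):
        return "ERR"              # assumed: "-" means no IDENT answer
    return "OK user=" + name


def main() -> None:
    for line in sys.stdin:        # one request per line, no concurrency channel
        sys.stdout.write(reply_for(line) + "\n")
        sys.stdout.flush()        # Squid waits for each reply; never buffer


if __name__ == "__main__":
    main()
```

The IDENT answer comes from the client machine, so the name this helper returns (and that `login=*:foobar` then forwards to the peer) is only as trustworthy as the hosts allowed to reach Squid A.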
