Re: [squid-users] missing username in squid log

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 14 Nov 2011 11:12:02 +1300

 On Sun, 13 Nov 2011 12:35:13 +0100, Giovanni Rosini wrote:
> Perhaps I wasn't clear.
> I know how sql queries work, I'm able to write down a select query,
> this is not the question.
> What I mean is that, looking at the actual access.log file, it seems
> squid hasn't enough details to filter RADACCT table and extract the
> right record.

 The logged details are not the complete set of data available to Squid.
 It is a small subset which has been found to be useful for logging, and
 log analyser graphs for management people.

 What I am talking about has been the external_acl_type helper, which
 currently has an almost completely different set of format parameters:
   http://www.squid-cache.org/Doc/config/external_acl_type/

> I think that the only way is having somewhere in squid files both nat
> ip and local ip, as in RADACCT records.
> For the duration of each session nat ip+local ip are associated
> uniquely to one username.
> Comparing date and time I could extract a unique record.

 External ACL have:
   * %SRC %SRCPORT for client IP:port (before the local squid box SNAT,
 if any. After remote box SNAT).

   * %MYADDR %MYPORT for squid local IP:port (before local Squid box
 DNAT, if any. After remote box DNAT).
    ** With iptables REDIRECT %MYADDR is unreliable.

   * time 'now' can be identified by the helper without being passed in
 from Squid.

 If you bump up to 3.2.0.8 you can also get the MAC / EUI addresses for
 more reliable source tracing. But in your case with remote boxes doing
 relays this will only link which of those boxes it came through (subnet
 separation?).

 Amos

>
> Giovanni
>
> p.s.: I hope I responded to the right address this time, and thanks
> for previous answers
>
>
> On 13/11/2011 4.33, Amos Jeffries wrote:
>> On 13/11/2011 2:55 p.m., Giovanni Rosini wrote:
>>> I'm not sure I understand.
>>> How can the external script find the right username?
>>> In radius db i have the RADCHECK table containing all user
>>> registered, and RADACCT table where you find a record for every
>>> session.
>>
>> Take that above sentence, replace "where you find" with "where
>> script finds".
>>
>>> Each record in RADACCT shows a lot of data (username, nat ip, local
>>> ip, time of start and end of each session, etc.) but how can squid
>>> match a page request with database entries to retrieve username?
>>
>> By looking up the details Squid has and finding the matching record.
>> Please find a beginners tutorial on how database queries work. It
>> should cover how to find a database record by querying it with some
>> few of the field details. The db_auth script I mentioned earlier does
>> database queries. You adjust the script (either the code or the
>> command parameters passed to it in squid.conf) to create a query for
>> the RADIUS database.
>>
>> Amos
>> PS. and please consider responding to the mailing list address. I
>> only do private answers for paid customers.
>>
Received on Sun Nov 13 2011 - 22:12:06 MST
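
The lookup discussed in this thread, as an added example that is not part of the original messages or of Squid: an external ACL helper that takes the "%SRC %SRCPORT %MYADDR %MYPORT" line, finds the accounting session active on the client address right now, and replies "OK user=<name>" or "ERR". Assumptions: the table layout and column names (username, nat_ip, acctstarttime, acctstoptime), an in-memory SQLite database with constructed rows standing in for the RADIUS database, and a helper run without concurrency.

```python
#!/usr/bin/env python3
import sqlite3
import sys
from datetime import datetime
from urllib.parse import quote

def make_sample_db():
    """Constructed stand-in for the RADIUS accounting table (column names assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, nat_ip TEXT, "
               "acctstarttime TEXT, acctstoptime TEXT)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", [
        ("alice", "203.0.113.10", "2011-11-13 12:00:00", "2011-11-13 13:00:00"),
        ("bob", "203.0.113.10", "2011-11-13 13:30:00", None),  # still open
        ("carol", "203.0.113.20", "2011-11-13 12:00:00", "2011-11-13 13:00:00"),
        ("erin", "203.0.113.20", "2011-11-13 12:30:00", "2011-11-13 13:00:00"),
        ("dave smith", "203.0.113.30", "2011-11-13 12:00:00", None),
    ])
    return db

def lookup_user(db, src_ip, now):
    """Username of the only session on src_ip active at `now`, else None."""
    rows = db.execute(
        "SELECT DISTINCT username FROM radacct WHERE nat_ip = ? "
        "AND acctstarttime <= ? AND (acctstoptime IS NULL OR acctstoptime >= ?)",
        (src_ip, now, now)).fetchall()
    # Zero matches or several users behind one address: refuse to attribute.
    return rows[0][0] if len(rows) == 1 else None

def answer(db, line, now):
    """Build the helper reply for one request line: '%SRC %SRCPORT %MYADDR %MYPORT'."""
    fields = line.split()
    user = lookup_user(db, fields[0], now) if fields else None
    if user is None:
        return "ERR"
    # Percent-encode so whitespace in a name cannot split the reply line.
    return "OK user=" + quote(user, safe="")

if __name__ == "__main__":
    db = make_sample_db()  # a real helper would connect to the RADIUS database
    for line in sys.stdin:
        now = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        print(answer(db, line, now), flush=True)
```

When two usernames share one address at the same moment the helper answers ERR, so the log never carries a guessed name.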
