On 12/07/2014 5:21 p.m., James Harper wrote:
> The docs say that ident doesn't work with intercept proxying, and it
> doesn't, but I think it wouldn't be too hard to make it work. In fact
> maybe as simple as setting COMM_TRANSPARENT on the ident socket.

COMM_TRANSPARENT is a Squid internal flag telling Squid to use TPROXY
binding on the outgoing connection. If you use this you will be sending
IDENT requests to the original destination *server*, using the from-IP
as the one you were trying to contact.

The problem is that the TCP source-port details are used by the IDENT
protocol. Source-NAT operations in the network before reaching Squid can
remove/obscure them completely.

>
> Does that sound plausible? What I've found is that not only doesn't
> ident not work on an intercepted connection, the connection just
> hangs forever (or at least for the 10 minutes that I waited) if any
> acl's are encountered that would require an ident lookup.
The hang is a separate bug which has now been resolved:
http://bugs.squid-cache.org/show_bug.cgi?id=4080
Amos
Received on Sat Jul 12 2014 - 08:05:45 MDT
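
The source-port dependency discussed in the reply, as an added illustration that is not part of the thread and not Squid's code: a minimal model of an RFC 1413 exchange in which the queried host matches on the port pair the proxy observed. The connection table, port numbers and user name are constructed, and the model ignores IP addresses.

```python
import re

# RFC 1413 query line: "<port-on-identd-host> , <port-on-querying-host>"
QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

def build_query(observed_src_port, dst_port):
    """Query a proxy would send, built from the port pair it observed."""
    return f"{observed_src_port} , {dst_port}\r\n"

def identd_answer(query, conn_table):
    """Toy identd: conn_table maps (local_port, remote_port) -> owning user."""
    m = QUERY_RE.match(query)
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    local, remote = int(m.group(1)), int(m.group(2))
    if not (1 <= local <= 65535 and 1 <= remote <= 65535):
        return f"{local} , {remote} : ERROR : INVALID-PORT\r\n"
    user = conn_table.get((local, remote))
    if user is None:
        # No connection on this host uses that port pair.
        return f"{local} , {remote} : ERROR : NO-USER\r\n"
    return f"{local} , {remote} : USERID : UNIX : {user}\r\n"

def parse_reply(reply):
    """Return the user name, or None for any ERROR or malformed reply."""
    parts = [p.strip() for p in reply.strip().split(":", 3)]
    if len(parts) == 4 and parts[1] == "USERID":
        return parts[3]
    return None

def lookup(observed_src_port, dst_port, conn_table):
    query = build_query(observed_src_port, dst_port)
    return parse_reply(identd_answer(query, conn_table))

# Constructed sample: the client host owns one connection, 51234 -> 80.
CLIENT_CONNS = {(51234, 80): "alice"}

def demo():
    direct = lookup(51234, 80, CLIENT_CONNS)  # proxy saw the real source port
    natted = lookup(40001, 80, CLIENT_CONNS)  # source-NAT rewrote it to 40001
    return direct, natted

if __name__ == "__main__":
    print(demo())
```
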