Re: [squid-users] ident authentication and follow_x_forwarded_for
Hi!

I'm trying to set up the following configuration:

    Client = Squid A = DansGuardian = Squid B = Internet

Squid A does Ident authentication, and then forwards the request to the DansGuardian with the following line in its /etc/squid/squid.conf:

    cache_peer 192.168.0.1 parent 8080 0 no-query no-digest default login=*:foobar

where 192.168.0.1:8080 is the DansGuardian's IP address and port.

Squid A correctly logs the Client's username in its /var/log/squid/access.log file, which is great. However, DansGuardian doesn't log the username in /var/log/dansguardian/access.log.

When I set up the Ident authplugin in /etc/dansguardian/dansguardian.conf, DansGuardian logs the proxy username in its logs instead of the correct user name. If I use another authplugin (proxy-basic, proxy-digest, proxy-ntlm or ip), DansGuardian simply doesn't log any user name in its log files.

Is there a way to get DansGuardian to log the right username in its logs, as Squid does? Is Squid giving the wrong username to DansGuardian? May I fix the Squid's configuration?

Thank you very much in advance,
Ricardo.
Re: [squid-users] ident authentication and follow_x_forwarded_for
On Tue 2010-05-11 at 16:35 -0500, Ben Miller wrote:

> Client -- Proxy:8080 (Dansguardian) -- 127.0.0.1:3128 (Squid running on Proxy) -- Edge firewall

You can't do ident lookups in a proxy chain. This has to be done by the first proxy in the chain. This is because to perform the ident lookup the original IP address and port numbers need to be known, but the X-F-F header only records the IP address.

I'd suggest you use client - Squid(auth) - DG(filter) - Squid(cache) - Firewall.

Regards
Henrik
[squid-users] ident authentication and follow_x_forwarded_for
Greetings,

I am configuring a Squid/Dansguardian web proxy/content filter. The flow of traffic looks like this:

    Client -- Proxy:8080 (Dansguardian) -- 127.0.0.1:3128 (Squid running on Proxy) -- Edge firewall

The relevant portions of squid.conf follow:

==
acl localnet src 10.0.0.0/8

# Authentication ACLs
# Allow ident lookups on internal clients
#ident_lookup_access allow localnet
ident_lookup_access allow localnet
ident_lookup_access deny all

# Allow clients with IDENT
acl ident_auth ident REQUIRED

# If they don't have ident login restrict access to authorized via ldap
acl ldap_auth proxy_auth REQUIRED

# Attempt ident, then LDAP/basic authentication. Note that Squid is only
# listening on 127.0.0.1:3128, so the following lines are to support acl_uses_indirect_client
http_access allow ip_authenticated
http_access allow ident_auth localnet
http_access allow ldap_auth localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# OPTIONS FOR X-Forwarded-For
# -
# Allow Squid to see Dansguardian IP addresses
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all

# NETWORK OPTIONS
# -
# Listen only to Dansguardian
http_port 127.0.0.1:3128
==

I am attempting to configure Squid to authenticate with ident, but it seems that the 'follow_x_forwarded_for allow localhost' is not being honored by the ident authenticator. Is there any way to configure Squid to send the ident queries to the originating client?

I have confirmed that follow_x_forwarded_for is functional for other things (logging of client IP addresses for example), and that ident queries are being responded to by the clients. Squid is simply never asking for ident and is skipping directly to LDAP/Basic authentication.

Thanks in advance for any help you may provide,
Ben Miller

6 X 9 = 42
Re: [squid-users] ident authentication and follow_x_forwarded_for
Ben Miller wrote:

> Greetings,
>
> I am configuring a Squid/Dansguardian web proxy/content filter. The flow of traffic looks like this:
>
>     Client -- Proxy:8080 (Dansguardian) -- 127.0.0.1:3128 (Squid running on Proxy) -- Edge firewall
>
> The relevant portions of squid.conf follow:
>
> ==
> acl localnet src 10.0.0.0/8
>
> # Authentication ACLs
> # Allow ident lookups on internal clients
> #ident_lookup_access allow localnet
> ident_lookup_access allow localnet
> ident_lookup_access deny all
>
> # Allow clients with IDENT
> acl ident_auth ident REQUIRED
>
> # If they don't have ident login restrict access to authorized via ldap
> acl ldap_auth proxy_auth REQUIRED
>
> # Attempt ident, then LDAP/basic authentication. Note that Squid is only
> # listening on 127.0.0.1:3128, so the following lines are to support acl_uses_indirect_client
> http_access allow ip_authenticated
> http_access allow ident_auth localnet
> http_access allow ldap_auth localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # OPTIONS FOR X-Forwarded-For
> # -
> # Allow Squid to see Dansguardian IP addresses
> follow_x_forwarded_for allow localhost
> follow_x_forwarded_for deny all
>
> # NETWORK OPTIONS
> # -
> # Listen only to Dansguardian
> http_port 127.0.0.1:3128
> ==
>
> I am attempting to configure Squid to authenticate with ident, but it seems that the 'follow_x_forwarded_for allow localhost' is not being honored by the ident authenticator. Is there any way to configure Squid to send the ident queries to the originating client?

IDENT protocol kicks off as soon as the TCP connection is made. Well before the HTTP headers exist.

Squid would need to be patched to do the IDENT lookup after header processing for XFF to be used in its ACLs.

Amos
--
Please be using Current Stable Squid 2.7.STABLE9 or 3.1.3
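
Added example (not part of the original thread, and not Squid or DansGuardian code): a Python sketch of the RFC 1413 IDENT query, showing why the replies above say the lookup needs the TCP port pair that only the first proxy in the chain has. The addresses, ports and the helper names conn_from_socket, conn_from_xff, ident_query and parse_ident_reply are constructed for illustration.

```python
from typing import NamedTuple, Optional, Tuple

IDENT_PORT = 113  # RFC 1413 service port on the host being asked


class Conn(NamedTuple):
    client_ip: str
    client_port: Optional[int]  # source port on the client host
    proxy_port: Optional[int]   # port on the proxy that accepted the connection


def conn_from_socket(peer: Tuple[str, int], local: Tuple[str, int]) -> Conn:
    """What a proxy knows from accept(): the address and both port numbers."""
    return Conn(peer[0], peer[1], local[1])


def conn_from_xff(header: str) -> Conn:
    """What a later proxy learns from X-Forwarded-For: an IP address, no ports."""
    ip = header.split(",")[-1].strip()  # entry appended by the trusted neighbour
    return Conn(ip, None, None)


def ident_query(conn: Conn) -> Tuple[Tuple[str, int], bytes]:
    """Return (identd address, query bytes); raise if the port pair is unknown."""
    if conn.client_port is None or conn.proxy_port is None:
        raise ValueError("IDENT needs both port numbers; X-Forwarded-For has none")
    # RFC 1413 query: "<port on identd host> , <port on querying host>"
    query = f"{conn.client_port} , {conn.proxy_port}\r\n".encode("ascii")
    return (conn.client_ip, IDENT_PORT), query


def parse_ident_reply(line: str) -> Optional[str]:
    """Return the user id from a USERID reply, None for ERROR or malformed replies.
    Surrounding whitespace is trimmed here for simplicity."""
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    if len(fields) == 4 and fields[1] == "USERID":
        return fields[3]
    return None


if __name__ == "__main__":
    # Constructed sample: first proxy, listening on 8080, sees the client directly.
    print(ident_query(conn_from_socket(("10.1.2.3", 51234), ("10.0.0.1", 8080))))
    # Squid behind DansGuardian sees only the loopback connection from DG,
    # so an IDENT query built from the socket would ask about DG's own process.
    print(ident_query(conn_from_socket(("127.0.0.1", 40000), ("127.0.0.1", 3128))))
```

The second call illustrates why a proxy that is not first in the chain ends up identifying its neighbouring proxy rather than the end user.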