I'm using the following configuration (squid 2.5stable4, dansguardian 2.6.1, on redhat 
9):

squid(1) -> dg -> squid(2)

squid(1) just handles acls and uses dg as its cache peer (cache peer ... 
login=*:password).
dg provides content filtering and decodes basic auth usernames for its log.
squid(2) acts as a cache for dg.

Squid(1) is passing the username for users that authenticate via basic auth, but not 
for users that get access through an ident acl. The ident username is showing up in 
squid(1)'s logs, but it's passing a null username in the auth header.

For ident I'm using an external acl that passes the ident info to a program that 
checks to see if the username is in an LDAP group. I saw something in the squid.conf 
comments under external_acl_type that mentions a user= keyword, so I tried having my 
program return "OK user=foo" but I think that was just me heading in the wrong 
direction... I saw a patch at 
http://www.squid-cache.org/mail-archive/squid-dev/200201/0001.html that would help my 
situation (although it would require dg to parse the additional header), but it looks 
like it was denied (something about it not being as secure as the basic auth method). 
I'm not sure where src/http.c gets its username from for HDR_PROXY_AUTHORIZATION (see 
line 885 -> 891) but maybe that's a starting point?

I think I'm just missing something obvious here - like a way to inform squid that the 
ident username IS my username.

- David
