Hi Amos,

Thanks for your reply.  We already use basic auth to authenticate the user 
against the LDAP tree.  The username is passed to the redirector via the ident 
parameter and this is how LDAP is queried from the redirector.  I have turned 
on debugging options and the following is logged to the cache log:

2008/03/03 14:24:03| clientRedirectStart: 'http://www.news.com.au/'
2008/03/03 14:24:03| redirectStart: 'http://www.news.com.au/'

and that's where the logging stops.

The redirector logs that it got the input from stdin, logs the successful LDAP 
query, logs the output sent to stdout, then nothing.  It appears that squid is 
not noticing that the output has been written to stdout from the redirector and 
is waiting. This is the output being written to stdout from the redirector:

Mar  3 14:24:03 esl4 (tc_redirector)[3354]: Sent 'http://www.news.com.au/ 
xxx.xxx.xxx.xxx/- abc123 GET'.  

I'm using squid 2.6STABLE18 as squid 3 is not yet compatible with Smartfilter.

Thanks,

Jonne.

iDivision Security Team
Brisbane City Council

Ph: 07 3403 6918
Email: [EMAIL PROTECTED]
Visit http://www.brisbane.qld.gov.au


>>> Amos Jeffries <[EMAIL PROTECTED]> 3/03/2008 5:58:58 pm >>>
Jonne Hannon wrote:
> Hi,
> 
> I'm currently upgrading Squid and Smartfilter to a supported combination of 
> squid 2.6STABLE18 + Smartfilter 4.2.1.  Included in this mix is a redirection 
> program, written in C.  The redirection program was written to intercept all 
> proxy requests and query LDAP to check if the user has accepted Internet 
> usage terms and conditions.  If the user has not accepted or needs to 
> re-confirm acceptance, the browser is redirected to the terms and conditions 
> website.  If the user has a valid acceptance record then they can continue on 
> the requested website.   
> 
> The redirector program reads from buffered stdout, queries LDAP and writes 
> back to stdout using fprintf.  This worked in squid 2.5, but using squid 2.6, 
> the browser appears to timeout with no error reported back to the user.  
> There is no log entry in the access.log, but there is a log entry in 
> store.log that looks like the following:
> 
> 1204259653.333 RELEASE -1 FFFFFFFF AF6C1D6C4B3CEF474FB849A84B6F9371  200 
> 1204256053 1204256053 1204259653 application/cache-digest 817/817 GET 
> internal://xxx.xxx.xxx.xxx/squid-internal-periodic/store_digest
> 
> It appears to me that squid 2.6 is not receiving the output back from the 
> redirector.  Can you please advise how I can troubleshoot this further?
> 

Are you sure this is done with a redirector? How is it getting its user 
info to query LDAP? Redirectors receive a bare URI.

You would probably be better off using basic auth (against LDAP) and a 
special deny_info for when it fails.
To prevent popups there is a config trick:

   acl authUsers proxy_auth REQUIRED
   acl dummy_auth src all
   http_access allow authUsers dummy_auth
   deny_info http://.../conditions.html dummy_auth


Amos
-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.

**********************************************************************
   This message has passed through an insecure network.
    Please direct all enquiries to the message author.
**********************************************************************

