To follow up, I think I know how to implement this (but lack the programming skills to make it so - any volunteers?). If you look at http.c lines 889 -> 893 it gets the username from auth_user_request. If this is null, the username is just returned as "-". BUT if you look at access_log.c lines 275 -> 280 it either uses authuser OR rfc931. I'd like to see this same behavior for cache_peer when using login=*:password so I can pass auth usernames OR ident usernames between proxies...
>>> "David Rippel" <RippelD@hillsboroughcounty.org> 10/21/03 11:03AM >>>
I'm using the following configuration (squid 2.5stable4, dansguardian 2.6.1, on redhat 9):
squid(1) -> dg -> squid(2)
squid(1) just handles acls and uses dg as it's cache peer (cache peer ... login=*:password).
dg provides content filtering and decodes basic auth usernames for it's log.
squid(2) acts as a cache for dg.
Squid(1) is passing the username for users that authenticate via basic auth, but not for users that get access through an ident acl. The ident username is showing up in squid(1)'s logs, but it's passing a null username in the auth header.
For ident I'm using an external acl that passes the ident info to a program that checks to see if the username is in an LDAP group. I saw something in the squid.conf comments under external_acl_type that mentions a user= keyword, so I tried having my program return "OK user=foo" but I think that was just me heading in the wrong direction... I saw a patch at http://www.squid-cache.org/mail-archive/squid-dev/200201/0001.html that would help my situation (although it would require dg to parse the additional header), but it looks like it was denied (something about it not being as secure as the basic auth method). I'm not sure where src/http.c gets it's username from for HDR_PROXY_AUTHORIZATION (see line 885 -> 891) but maybe that's a starting point?
I think I'm just missing something obvious here - like a way to inform squid that the ident username IS my username.
- David
Received on Tue Oct 21 2003 - 11:59:09 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:34 MST