Re: [squid-users] ident and intercept

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 12 Jul 2014 21:39:12 +1200

On 12/07/2014 8:15 p.m., James Harper wrote:
>>
>> On 12/07/2014 5:21 p.m., James Harper wrote:
>>> The docs says that ident doesn't work with intercept proxying, and it
>>> doesn't, but I think it wouldn't be too hard to make it work. In fact
>>> maybe as simple as setting COMM_TRANSPARENT on the ident socket.
>>
>> COMM_TRANSPARENT is a Squid internal flag telling Squid to use TPROXY
>> binding on the outgoing connection. If you use this you will be sending
>> IDENT requests to the original destination *server*, using the from-IP
>> as the one you were trying to contact.
>
> Setting COMM_TRANSPARENT actually does work (but maybe unwanted side effects?). I've just tested it. The ident connection appears to come from the destination server so the client handles them correctly and the correct username is logged for intercepted connections.
>
> But you're saying I should find another way of setting IP_TRANSPARENT on the ident socket?
>

Which OS are you using?
What are your http_port settings?
And what Comm::Connection IP address details are being passed to comm
to set up the IDENT connection?

>> The problem is that the TCP source-port details are used by IDENT
>> protocol. Source-NAT operations in the network before reaching Squid can
>> remove/obscure them completely.
>>
>
> Ah. Squid is actually running on my gateway so there is no NAT before it reaches squid (and from memory, there is a way of redirecting packets over a GRE tunnel or something to preserve that info... was it WCCP?)
>

It's not that the information is preserved by the routing technique. It
is that the SNAT operation removes it completely, and some kernel lookup
APIs only present the IP alone. A "works for you+me but nobody else"
type scenario.

>>> Does that sound plausible? What I've found is that not only doesn't
>>> ident not work on an intercepted connection, the connection just
>>> hangs forever (or at least for the 10 minutes that I waited) if any
>>> acl's are encountered that would require an ident lookup.
>>
>> The hang is a separate bug which has now been resolved:
>> http://bugs.squid-cache.org/show_bug.cgi?id=4080
>>
>
> Excellent. Applying now.
>
> Thanks
>
> James
>
Received on Sat Jul 12 2014 - 09:39:26 MDT
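The thread turns on two properties of the IDENT protocol (RFC 1413): the client's identd answers only for the TCP port pair it is asked about, and it looks that pair up against the connection it has to the host asking. The following is an added illustration, not code from this thread or from Squid: it models a client host's identd in-process (no network, no port 113) with a constructed connection table, and shows why an explicit-proxy connection resolves, why an intercepted connection queried from Squid's own address does not, why a query arriving from the origin server's address (what a TPROXY-bound ident socket produces) does, and why a source-NAT hop that rewrites the client port breaks the lookup regardless. Addresses are RFC 5737 documentation ranges, ports and the user name are constructed.

```python
"""Toy RFC 1413 (IDENT) exchange, added for illustration.

A server-side process (Squid) asks the client host: "who owns the TCP
connection <server-port> , <client-port>?".  The client's identd keys its
answer on (local port, peer address, peer port), where the peer address is the
host the query came from.  Everything here runs in one process; the
"network" is a dict.
"""
import re

# Constructed connection table as the *client host's* identd would see it:
# (local port on client, remote IP, remote port) -> owning user.
CLIENT_CONN_TABLE = {
    (51234, "192.0.2.10", 3128): "james",  # explicit-proxy connection to Squid
    (51235, "203.0.113.5", 80): "james",   # intercepted connection to an origin
}

QUERY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
RESPONSE_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\r?\n?$"
)


def build_ident_query(server_port: int, client_port: int) -> bytes:
    """Requester side of RFC 1413: '<server-port> , <client-port>' CRLF.
    server-port is the port on the asking host, client-port the port on the
    host being asked."""
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def answer_ident_query(query: bytes, querier_ip: str,
                       conn_table=CLIENT_CONN_TABLE) -> bytes:
    """identd side: parse the port pair and look it up against the
    connection whose peer is the host that sent the query."""
    m = QUERY_RE.match(query.decode("ascii", "replace").rstrip("\r\n"))
    if not m:
        # Unparsable request: ports cannot be echoed, so 0 , 0 stands in
        # (a simplification of the RFC's INVALID-PORT handling).
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return f"{server_port} , {client_port} : ERROR : INVALID-PORT\r\n".encode()
    user = conn_table.get((client_port, querier_ip, server_port))
    if user is None:
        return f"{server_port} , {client_port} : ERROR : NO-USER\r\n".encode()
    return f"{server_port} , {client_port} : USERID : UNIX : {user}\r\n".encode()


def parse_ident_response(resp: bytes):
    """Returns (server_port, client_port, kind, payload) where kind is
    'USERID' or 'ERROR' and payload is the text after it."""
    m = RESPONSE_RE.match(resp.decode("ascii", "replace"))
    if not m:
        raise ValueError("malformed IDENT response")
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4).strip()


def lookup_user(client_port: int, query_from_ip: str, server_port: int):
    """What Squid does conceptually: query the client's identd with the port
    pair it observed on the accepted connection.  query_from_ip is the source
    address the identd sees on the query socket.  Returns the user or None."""
    resp = answer_ident_query(build_ident_query(server_port, client_port),
                              querier_ip=query_from_ip)
    _, _, kind, payload = parse_ident_response(resp)
    if kind == "USERID":
        # payload is '<opsys> : <userid>' (a charset suffix is not modelled)
        return payload.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    squid_ip, origin_ip = "192.0.2.10", "203.0.113.5"
    # Explicit proxy: client connected to Squid itself, query comes from Squid.
    print("explicit proxy      :", lookup_user(51234, squid_ip, 3128))
    # Intercept, ident socket bound normally: client never talked to squid_ip.
    print("intercept, plain    :", lookup_user(51235, squid_ip, 80))
    # Intercept, ident socket bound to the origin address (TPROXY-style).
    print("intercept, spoofed  :", lookup_user(51235, origin_ip, 80))
    # SNAT hop rewrote the client's source port before Squid saw it.
    print("intercept after SNAT:", lookup_user(40001, origin_ip, 80))
```

The third case is the behaviour James reports after setting COMM_TRANSPARENT: the client's identd accepts the query only because it appears to come from the address the client actually connected to. The fourth case is Amos's caveat: once a NAT hop has rewritten the port pair, no choice of source address on the ident socket can recover the mapping, because the identd on the client never saw the rewritten port.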
