Squid does not pass the username to Squidguard

Hello,

I have been setting up filtering based on usernames for my kids in squidguard, and I think squid retrieves the username but does not pass it to SG, which is weird!

I’ve installed on openSUSE 11.1:

  • Squid Cache (Version 3.0.STABLE10)
  • squidGuard 1.3

SG testing with:
echo "http://www.not_allowed.there/ 192.168.1.110/ myfirstkid GET" | squidGuard -d -c /etc/squidguard.conf

This is working, giving the redirection I indicated in the squidguard.conf (whitelisting):
http://www.mydomain/cgi-bin/blocked?clientaddr=192.168.1.10&clientname=&clientuser=myfirstkid&clientgroup=kids&targetgroup=none&url=http://www.not_allowed.there/ 192.168.1.10/- myfirstkid GET

Then, I added the pident (or oident) on different clients and configured squid. I get an output containing the username in /var/log/squid/access.log, so squid is retrieving it (even 2 times per page, as I can see from the identd log).

Still, squidguard uses the default acl and does not do any user specific filtering. I see on the blocked cgi page:

  • client address, name and group are there,
  • but no client username.

In squid, I’m only using rewrite for ident, no authentication. Can that be the source of the problem? If anybody has an idea, I’m out of ideas on my side! Thanks for your precious help.

Here is my squid configuration (rest is default):
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl idents ident REQUIRED
url_rewrite_program /usr/sbin/squidGuard -c /etc/squidguard.conf
url_rewrite_children 5
access_log /var/log/squid/access.log squid
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet idents
http_access deny all
icp_access deny all
htcp_access deny all
ident_lookup_access allow localnet
ident_lookup_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
maximum_object_size_in_memory 8 MB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 2048 32 256
minimum_object_size 0 KB
maximum_object_size 32 MB
cache_swap_low 90
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
log_fqdn on
ftp_passive on
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern (cgi-bin|\?) 0 0 0
refresh_pattern . 0 20 4320
connect_timeout 2 minutes
client_lifetime 1 days
ident_timeout 10 seconds
cache_mgr root
icp_port 3130
error_directory /usr/share/squid/errors/English
icap_send_client_username on
append_domain .mydomain
coredump_dir /var/cache/squid
cache_swap_high 95

You could replace that declaration of squidguard in squid.conf with a script that captures the stdin to a debug log file and then echoes the input back to stdout, to see what squid is sending squidguard. My guess is you have to look at your ACLs more closely; it may be taking a path where ident is not required. Squid ACLs are tricky.

Hi Ken,

Thanks for the hint. I actually tried that, using a "transparent" redirector. What squid is sending looks like this:

http://forums.opensuse.org/images/smiliesnew/tongue.png 192.168.1.1/tac.mydomain - GET myip=192.168.1.1 myport=3128

So, there is really no username sent by squid to the redirector, even if ident is REQUIRED in the acl and username successfully logged by squid.

I have the feeling squid is actually calling the redirector and then calling the ident program.

For the ACL, the only thing I tried is to shut down the ident process, and in this case, access is denied to any client. So, it looks like the ACL path taken is through ident, only in the wrong order (for me)!

Thanks again. I will now try to log the time of the redirector/ident calls to confirm that, and see if there is anything in the squid doc about the order of processing (ident against redirector calling).

My assumption was wrong. I used this Python code in the homemade squid redirector:

from sys import stdin, stdout
import time

logfile = "/tmp/redirector.log"  # placeholder path for the debug log
l = stdin.readline()             # one request line as sent by squid
time.sleep(3)                    # delay so the identd log can be compared by timestamp
open(logfile, "a").write(time.asctime() + ": " + l)
stdout.write(l)                  # echo the line back to squid unchanged

So, the redirector simply waits 3 seconds, then writes and sends back what it got from squid.
Here is the generated message:

Sun Apr 26 22:51:09 2009: http://info.ost.eltele.no/images/eto.small.gif 192.168.1.1/tac.guigui - GET myip=192.168.1.1 myport=3128

Here is the message generated by in.identd in the syslog (syslog-level = 7 in /etc/identd.conf) for this request:
Apr 26 22:51:06 tac in.identd[8435]: reply to 192.168.1.1: 41940, 3128 : : USERID : UNIX :myfirstkid

This means that ident is called by squid before the redirector. So, squid knows the user name accessing the web, but does not pass it to the redirector (or squidguard). No idea why; I found nothing in the squid documentation.

Does somebody have an idea?
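The pass-through debugging redirector Ken suggested, written out as an added example (not code from this thread): it parses the request line Squid 3.0 hands to a url_rewrite_program, records in the debug log whether the ident field arrived or was "-", and echoes the URL back unchanged so browsing is not affected. The sample lines are constructed from the ones quoted above, and the log path is a placeholder.

```python
import sys
import time

# Constructed sample request lines, modelled on the ones quoted in the thread.
# Squid 3.0 format: URL client_ip/fqdn ident method [key=value ...]
# The ident field is "-" when Squid passed no username to the redirector.
SAMPLE_LINES = [
    "http://www.not_allowed.there/ 192.168.1.110/ myfirstkid GET",
    "http://info.ost.eltele.no/images/eto.small.gif 192.168.1.1/tac.guigui - GET myip=192.168.1.1 myport=3128",
]


def parse_rewrite_request(line):
    """Split one url_rewrite_program request line into its fields.

    ident and client_fqdn are None when Squid sent "-" (or nothing)."""
    parts = line.strip().split()
    if len(parts) < 4:
        raise ValueError("malformed redirector request: %r" % line)
    url, client, ident, method = parts[:4]
    ip, _, fqdn = client.partition("/")
    # trailing key=value pairs (myip=..., myport=...) become a dict
    extras = dict(kv.partition("=")[::2] for kv in parts[4:])
    return {
        "url": url,
        "client_ip": ip,
        "client_fqdn": fqdn if fqdn not in ("", "-") else None,
        "ident": ident if ident != "-" else None,
        "method": method,
        "extras": extras,
    }


def describe(line):
    """Return (log_entry, reply): the line for the debug log and the reply
    for Squid. Echoing the URL unchanged tells Squid not to rewrite it."""
    req = parse_rewrite_request(line)
    status = "ident=" + req["ident"] if req["ident"] else "NO-IDENT"
    entry = "%s: %s %s" % (time.asctime(), status, line.rstrip())
    return entry, req["url"]


def run(logfile="/tmp/redirector-debug.log"):  # placeholder log path
    with open(logfile, "a") as log:
        for line in sys.stdin:  # one request per line until Squid closes the pipe
            entry, reply = describe(line)
            log.write(entry + "\n")
            log.flush()
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()  # Squid waits for the reply before sending the next request


if __name__ == "__main__":
    run(*sys.argv[1:2])
```

Point url_rewrite_program at this script instead of squidGuard; a "NO-IDENT" entry beside an identd reply for the same connection shows the username was looked up but not forwarded.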

Looks like you hit a bug:

Re: [squid-users] Delivering ident to url_rewrite_program - Amos Jeffries - org.squid-cache.squid-users - MarkMail

Indeed I did :(
It does not work in squid-3.0.STABLE14 but works in squid 2.7.STABLE5.

I will file a bug report as suggested in the link you sent. I think it was never done.

Thanks,