Hello,
I have been setting up filtering based on usernames for my kids in squidguard and I think squid retrieves the username, but does not pass it to SG, which is weird!
I’ve been installing on openSUSE 11.1:
- Squid Cache (Version 3.0.STABLE10)
- squidGuard 1.3
SG testing with:
echo "http://www.not_allowed.there/ 192.168.1.110/ myfirstkid GET" | squidGuard -d -c /etc/squidguard.conf
This is working, giving the redirection I indicated in the squidguard.conf (whitelisting):
http://www.mydomain/cgi-bin/blocked?clientaddr=192.168.1.10&clientname=&clientuser=myfirstkid&clientgroup=kids&targetgroup=none&url=http://www.not_allowed.there/ 192.168.1.10/- myfirstkid GET
Then, I added the pident (or oident) on different clients and configured squid. I get an output containing the username in /var/log/squid/access.log, so squid is retrieving it (even 2 times per page, as I can see from the identd log).
Still, squidguard uses the default acl and does not do any user specific filtering. I see on the blocked cgi page:
- client address, name and group are there,
- but no client username.
In squid, I’m only using rewrite for ident, no authentication. Can that be the source of the problem? If anybody has an idea, I’m at the end on my side! Thanks for your precious help.
Here is my squid configuration (the rest is default):
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl idents ident REQUIRED
url_rewrite_program /usr/sbin/squidGuard -c /etc/squidguard.conf
url_rewrite_children 5
access_log /var/log/squid/access.log squid
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet idents
http_access deny all
icp_access deny all
htcp_access deny all
ident_lookup_access allow localnet
ident_lookup_access deny all
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 256 MB
maximum_object_size_in_memory 8 MB
memory_replacement_policy lru
cache_replacement_policy lru
cache_dir ufs /var/cache/squid 2048 32 256
minimum_object_size 0 KB
maximum_object_size 32 MB
cache_swap_low 90
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log off
log_fqdn on
ftp_passive on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
connect_timeout 2 minutes
client_lifetime 1 days
ident_timeout 10 seconds
cache_mgr root
icp_port 3130
error_directory /usr/share/squid/errors/English
icap_send_client_username on
append_domain .mydomain
coredump_dir /var/cache/squid
cache_swap_high 95
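
An added example, not part of the original post: a stand-in helper that can temporarily replace squidGuard on the url_rewrite_program line to record exactly which fields Squid hands to the rewriter, so you can see whether the ident column carries the username or "-". It assumes the helper line format shown in the squidGuard test above (URL, ip/fqdn, ident, method); LOG_PATH and the sample lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Diagnostic url_rewrite_program: records what Squid sends, rewrites nothing."""
import sys
from urllib.parse import unquote

LOG_PATH = "/tmp/rewrite-input.log"  # assumed path; use any file Squid can write


def parse_helper_line(line):
    """Split one helper input line: URL ip/fqdn ident method [extras]."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("short helper line: %r" % line)
    url, client, ident, method = fields[:4]
    ip, _, fqdn = client.partition("/")
    return {
        "url": url,
        "ip": ip,
        "fqdn": None if fqdn in ("", "-") else fqdn,
        # Squid sends "-" when it has no user name for the request
        "ident": None if ident == "-" else unquote(ident),
        "method": method,
    }


def summarize(lines):
    """Count requests that arrived with and without an ident."""
    counts = {"with_ident": 0, "without_ident": 0}
    for line in lines:
        rec = parse_helper_line(line)
        counts["with_ident" if rec["ident"] else "without_ident"] += 1
    return counts


# Constructed sample lines in the format shown in the post
SAMPLE = [
    "http://www.not_allowed.there/ 192.168.1.10/- myfirstkid GET",
    "http://www.not_allowed.there/ 192.168.1.10/- - GET",
]

if __name__ == "__main__":
    with open(LOG_PATH, "a") as log:
        for raw in sys.stdin:
            try:
                rec = parse_helper_line(raw)
            except ValueError:
                rec = {"raw": raw.strip()}
            log.write(repr(rec) + "\n")
            log.flush()
            sys.stdout.write("\n")  # empty reply: leave the URL unchanged
            sys.stdout.flush()
```

If the log shows "ident": None for requests whose access.log entry has a username, the name is being lost between Squid and the rewriter rather than inside squidGuard's own matching.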