Re: [squid-users] ident and intercept

2014-07-12 Thread Amos Jeffries
On 12/07/2014 5:21 p.m., James Harper wrote:
 The docs says that ident doesn't work with intercept proxying, and it
 doesn't, but I think it wouldn't be too hard to make it work. In fact
 maybe as simple as setting COMM_TRANSPARENT on the ident socket.

COMM_TRANSPARENT is a Squid internal flag telling Squid to use TPROXY
binding on the outgoing connection. If you use this you will be sending
IDENT requests to the original destination *server*, using the from-IP
as the one you were trying to contact.

The problem is that the TCP source-port details are used by IDENT
protocol. Source-NAT operations in the network before reaching Squid can
remove/obscure them completely.


 
 Does that sound plausible? What I've found is that not only doesn't
 ident work on an intercepted connection, the connection just
 hangs forever (or at least for the 10 minutes that I waited) if any
 acl's are encountered that would require an ident lookup.

The hang is a separate bug which has now been resolved:
http://bugs.squid-cache.org/show_bug.cgi?id=4080

Amos
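
The mechanics Amos describes above, as an added example that is not code from this thread or from Squid: an IDENT (RFC 1413) query is keyed on the TCP port pair of the connection being identified, the identd on the client only answers when that pair and the source address of the IDENT connection match a socket it actually owns (which is why the query has to appear to come from the original destination server, the effect COMM_TRANSPARENT produces), and source NAT in front of the proxy rewrites the client port so no identd can match it. Everything in the scenario is constructed: the addresses 192.0.2.10 / 192.0.2.1 / 198.51.100.5, ports 54321 and 41000, the user "alice", and the FakeIdentd class standing in for a real identd. The only real items are the RFC 1413 wire format and the Linux IP_TRANSPARENT socket option; transparent_socket() shows the setsockopt but needs CAP_NET_ADMIN and TPROXY routing, so the demo functions do not call it.

```python
"""IDENT (RFC 1413) query/reply handling plus a constructed model of an identd,
used to show why an intercepting proxy must source its IDENT query from the
original destination address and why source NAT in front of it breaks the lookup.
Added example, not Squid code; every address, port and user below is made up."""

import socket

IDENT_PORT = 113
# Linux socket option letting a socket bind a non-local address (TPROXY);
# newer Pythons export it, older ones need the numeric value from linux/in.h.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)


def build_query(server_port, client_port):
    """RFC 1413 request: '<server-port>, <client-port>\\r\\n'.

    server-port is the port on the querying host's side of the connection to be
    identified, client-port the port on the identd host's side."""
    for port in (server_port, client_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_reply(raw):
    """Parse an identd reply into (server_port, client_port, kind, detail).

    kind is 'USERID' (detail = user id) or 'ERROR' (detail = error token).
    Split on at most three colons because RFC 1413 allows ':' inside user ids."""
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    fields = [f.strip() for f in line.split(":", 3)]
    ports = [p.strip() for p in fields[0].split(",")]
    if len(fields) < 3 or len(ports) != 2:
        raise ValueError(f"malformed ident reply: {line!r}")
    server_port, client_port = int(ports[0]), int(ports[1])
    kind = fields[1].upper()
    if kind == "USERID" and len(fields) == 4:
        return server_port, client_port, "USERID", fields[3]
    if kind == "ERROR" and len(fields) == 3:
        return server_port, client_port, "ERROR", fields[2]
    raise ValueError(f"malformed ident reply: {line!r}")


class FakeIdentd:
    """Constructed identd on the client workstation. Like a real one, it only
    answers for a TCP connection it actually owns, matched on its local port,
    the peer address and the peer port; the peer address is taken from the
    source of the IDENT connection itself (RFC 1413 section 3)."""

    def __init__(self, connections):
        # {(local_port, peer_ip, peer_port): user}
        self.connections = dict(connections)

    def answer(self, query, query_src_ip):
        sp, cp = (int(x) for x in query.decode("ascii").split(","))
        user = self.connections.get((cp, query_src_ip, sp))
        if user is None:
            return f"{sp}, {cp} : ERROR : NO-USER\r\n".encode("ascii")
        return f"{sp}, {cp} : USERID : UNIX : {user}\r\n".encode("ascii")


def lookup_user(identd, server_port, client_port, query_src_ip):
    """One proxy-side IDENT lookup against the constructed identd; returns the
    user id or None. A real client would connect to client_ip:113 instead."""
    reply = identd.answer(build_query(server_port, client_port), query_src_ip)
    _, _, kind, detail = parse_reply(reply)
    return detail if kind == "USERID" else None


def transparent_socket(source_ip):
    """Socket whose IDENT connection will appear to come from source_ip even
    when that address is not local, which is what COMM_TRANSPARENT asks for.
    Needs CAP_NET_ADMIN and TPROXY routing rules, so it is not exercised here."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
    s.bind((source_ip, 0))
    return s


# Constructed scenario: workstation 192.0.2.10 (identd user "alice") talks to
# web server 198.51.100.5:80 through an intercepting proxy at 192.0.2.1.
CLIENT_IP, PROXY_IP, SERVER_IP = "192.0.2.10", "192.0.2.1", "198.51.100.5"
identd = FakeIdentd({(54321, SERVER_IP, 80): "alice"})


def intercept_without_tproxy():
    # Query arrives from the proxy's own address: identd owns no such connection.
    return lookup_user(identd, 80, 54321, PROXY_IP)


def intercept_with_tproxy():
    # Query spoofed from the server's address, as COMM_TRANSPARENT binding does.
    return lookup_user(identd, 80, 54321, SERVER_IP)


def intercept_behind_snat():
    # Source NAT in front of the proxy rewrote the client port to 41000 (and
    # would in reality also send the query to the NAT box, not the workstation),
    # so even a correctly sourced query names a port pair identd never had.
    return lookup_user(identd, 80, 41000, SERVER_IP)


if __name__ == "__main__":
    print("intercept, proxy-sourced query :", intercept_without_tproxy())
    print("intercept, TPROXY-sourced query:", intercept_with_tproxy())
    print("intercept behind SNAT          :", intercept_behind_snat())
```

Running it prints None, alice, None for the three cases. The second case is the one James observed working; the third is the "works for you and me but nobody else" situation Amos warns about, since the proxy on the gateway sees the real client port while a proxy behind an SNAT device does not.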


RE: [squid-users] ident and intercept

2014-07-12 Thread James Harper
 
 On 12/07/2014 5:21 p.m., James Harper wrote:
  The docs says that ident doesn't work with intercept proxying, and it
  doesn't, but I think it wouldn't be too hard to make it work. In fact
  maybe as simple as setting COMM_TRANSPARENT on the ident socket.
 
 COMM_TRANSPARENT is a Squid internal flag telling Squid to use TPROXY
 binding on the outgoing connection. If you use this you will be sending
 IDENT requests to the original destination *server*, using the from-IP
 as the one you were trying to contact.

Setting COMM_TRANSPARENT actually does work (but maybe unwanted side effects?). 
I've just tested it. The ident connection appears to come from the destination 
server so the client handles them correctly and the correct username is logged 
for intercepted connections.

But you're saying I should find another way of setting IP_TRANSPARENT on the 
ident socket?

 The problem is that the TCP source-port details are used by IDENT
 protocol. Source-NAT operations in the network before reaching Squid can
 remove/obscure them completely.
 

Ah. Squid is actually running on my gateway so there is no NAT before it 
reaches squid (and from memory, there is a way of redirecting packets over a 
GRE tunnel or something to preserve that info... was it WCCP?)

  Does that sound plausible? What I've found is that not only doesn't
  ident work on an intercepted connection, the connection just
  hangs forever (or at least for the 10 minutes that I waited) if any
  acl's are encountered that would require an ident lookup.
 
 The hang is a separate bug which has now been resolved:
 http://bugs.squid-cache.org/show_bug.cgi?id=4080
 

Excellent. Applying now.

Thanks

James


RE: [squid-users] ident and intercept

2014-07-12 Thread James Harper
  Does that sound plausible? What I've found is that not only doesn't
  ident work on an intercepted connection, the connection just
  hangs forever (or at least for the 10 minutes that I waited) if any
  acl's are encountered that would require an ident lookup.
 
 The hang is a separate bug which has now been resolved:
 http://bugs.squid-cache.org/show_bug.cgi?id=4080
 

Btw, why the double \0 in result in that patch? (declared as \0)

I can't see that it's necessary for it to have the additional \0, or indeed why 
it can't just be NULL as identCallback will just replace the string pointer 
with NULL anyway.

James



Re: [squid-users] ident and intercept

2014-07-12 Thread Amos Jeffries
On 12/07/2014 8:15 p.m., James Harper wrote:

 On 12/07/2014 5:21 p.m., James Harper wrote:
 The docs says that ident doesn't work with intercept proxying, and it
 doesn't, but I think it wouldn't be too hard to make it work. In fact
 maybe as simple as setting COMM_TRANSPARENT on the ident socket.

 COMM_TRANSPARENT is a Squid internal flag telling Squid to use TPROXY
 binding on the outgoing connection. If you use this you will be sending
 IDENT requests to the original destination *server*, using the from-IP
 as the one you were trying to contact.
 
 Setting COMM_TRANSPARENT actually does work (but maybe unwanted side 
 effects?). I've just tested it. The ident connection appears to come from the 
 destination server so the client handles them correctly and the correct 
 username is logged for intercepted connections.
 
 But you're saying I should find another way of setting IP_TRANSPARENT on the 
 ident socket?
 

Which OS are you using?
 what are your http_port settings?
 and what Comm::Connection IP address details are being passed to comm
to setup the IDENT connection?


 The problem is that the TCP source-port details are used by IDENT
 protocol. Source-NAT operations in the network before reaching Squid can
 remove/obscure them completely.

 
 Ah. Squid is actually running on my gateway so there is no NAT before it 
 reaches squid (and from memory, there is a way of redirecting packets over a 
 GRE tunnel or something to preserve that info... was it WCCP?)
 

It's not that the information is preserved by the routing technique. It
is that the SNAT operation removes it completely, and some kernel lookup
APIs only present the IP alone. A "works for you+me but nobody else"
type scenario.


 Does that sound plausible? What I've found is that not only doesn't
 ident work on an intercepted connection, the connection just
 hangs forever (or at least for the 10 minutes that I waited) if any
 acl's are encountered that would require an ident lookup.

 The hang is a separate bug which has now been resolved:
 http://bugs.squid-cache.org/show_bug.cgi?id=4080

 
 Excellent. Applying now.
 
 Thanks
 
 James