On 12/07/2014 8:15 p.m., James Harper wrote:
>>
>> On 12/07/2014 5:21 p.m., James Harper wrote:
>>> The docs say that ident doesn't work with intercept proxying, and it
>>> doesn't, but I think it wouldn't be too hard to make it work. In fact
>>> maybe as simple as setting COMM_TRANSPARENT on the ident socket.
>>
>> COMM_TRANSPARENT is a Squid internal flag telling Squid to use TPROXY
>> binding on the outgoing connection. If you use this you will be sending
>> IDENT requests to the original destination *server*, using the from-IP
>> as the one you were trying to contact.
>
> Setting COMM_TRANSPARENT actually does work (but maybe unwanted side
> effects?). I've just tested it. The ident connection appears to come from the
> destination server so the client handles them correctly and the correct
> username is logged for intercepted connections.
>
> But you're saying I should find another way of setting IP_TRANSPARENT on the
> ident socket?
>

Which OS are you using? What are your http_port settings? And what
Comm::Connection IP address details are being passed to comm to set up the
IDENT connection?

>> The problem is that the TCP source-port details are used by IDENT
>> protocol. Source-NAT operations in the network before reaching Squid can
>> remove/obscure them completely.
>>
>
> Ah. Squid is actually running on my gateway so there is no NAT before it
> reaches squid (and from memory, there is a way of redirecting packets over a
> GRE tunnel or something to preserve that info... was it WCCP?)
>

It's not that the information is preserved by the routing technique. It is
that the SNAT operation removes it completely, and some kernel lookup APIs
only present the IP alone. A "works for you+me but nobody else" type
scenario.

>>> Does that sound plausible? What I've found is that not only does
>>> ident not work on an intercepted connection, the connection just
>>> hangs forever (or at least for the 10 minutes that I waited) if any
>>> acl's are encountered that would require an ident lookup.
>>
>> The hang is a separate bug which has now been resolved:
>> http://bugs.squid-cache.org/show_bug.cgi?id=4080
>>
>
> Excellent. Applying now.
>
> Thanks
>
> James
>
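The exchange discussed above, as an added example that is not part of the thread and not Squid's own code: a small Python model of an RFC 1413 IDENT round trip. It shows why the lookup depends on the exact (server-port, client-port) pair as the client host recorded it and on the address the query arrives from, which is why an IDENT socket bound to the proxy's own IP gets NO-USER on an intercepted connection, why binding with the origin server's IP (the effect of COMM_TRANSPARENT/IP_TRANSPARENT in the thread) makes it match, and why an upstream source-NAT that rewrote the client's source port defeats the lookup regardless of how the socket is bound. The connection table, the IP addresses (RFC 5737 test ranges) and the port numbers are constructed sample data; the identd here is a simulation, not a real daemon.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class TcpConn:
    """One established TCP connection as identd on the client host sees it."""
    local_port: int   # client's own source port
    remote_ip: str    # IP the client connected to (the origin server)
    remote_port: int  # server port
    user: str         # owner of the local socket


# Constructed sample: the client host has one connection, opened by 'alice'
# from port 51234 to the origin server 203.0.113.10:80.
CLIENT_CONNTRACK = frozenset({
    TcpConn(local_port=51234, remote_ip="203.0.113.10", remote_port=80, user="alice"),
})

_REQUEST = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def build_ident_request(server_port: int, client_port: int) -> bytes:
    """RFC 1413 query line: '<server-port> , <client-port>' followed by CRLF."""
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def identd_respond(request: bytes, querier_ip: str, table: Iterable[TcpConn]) -> bytes:
    """Simulated identd on the client host.

    RFC 1413 identifies the connection by the port pair *and* by the host the
    query arrives from, so the peer address of the IDENT socket matters as
    much as the two port numbers.
    """
    m = _REQUEST.match(request.decode("ascii", errors="replace"))
    if not m:
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (0 < server_port < 65536 and 0 < client_port < 65536):
        return f"{server_port} , {client_port} : ERROR : INVALID-PORT\r\n".encode("ascii")
    for c in table:
        if (c.local_port == client_port and c.remote_port == server_port
                and c.remote_ip == querier_ip):
            return f"{server_port} , {client_port} : USERID : UNIX : {c.user}\r\n".encode("ascii")
    return f"{server_port} , {client_port} : ERROR : NO-USER\r\n".encode("ascii")


def parse_ident_response(resp: bytes) -> Optional[str]:
    """Return the user-id from a USERID reply, or None for any ERROR reply."""
    text = resp.decode("ascii", errors="replace").rstrip("\r\n")
    fields = [f.strip() for f in text.split(":")]
    # USERID reply: ports : USERID : opsys[,charset] : user-id. The user-id may
    # itself contain ':', so everything after the third field is rejoined.
    if len(fields) >= 4 and fields[1] == "USERID":
        return ":".join(fields[3:])
    return None


def ident_lookup(querier_ip: str, server_port: int, client_port: int,
                 table: Iterable[TcpConn] = CLIENT_CONNTRACK) -> Optional[str]:
    """One round trip: the proxy builds the query, identd answers, proxy parses."""
    req = build_ident_request(server_port, client_port)
    return parse_ident_response(identd_respond(req, querier_ip, table))


def scenarios() -> dict:
    """The three situations from the thread, plus a malformed query."""
    proxy_ip = "192.0.2.1"       # Squid's own address (constructed)
    origin_ip = "203.0.113.10"   # where the client believes it is connected
    return {
        # 1. Intercepted connection, IDENT socket bound to the proxy's IP: the
        #    client never connected to 192.0.2.1, so identd answers NO-USER.
        "plain_bind": ident_lookup(proxy_ip, 80, 51234),
        # 2. IDENT socket spoofs the origin server's IP (what COMM_TRANSPARENT /
        #    IP_TRANSPARENT achieves in the thread): the port pair matches.
        "spoofed_bind": ident_lookup(origin_ip, 80, 51234),
        # 3. An upstream SNAT rewrote the client's source port to 40000 before
        #    the packet reached the proxy; the spoofed bind cannot help because
        #    that port pair does not exist on the client host.
        "spoofed_bind_after_snat": ident_lookup(origin_ip, 80, 40000),
        # 4. A malformed query gets INVALID-PORT and never yields a user.
        "malformed": parse_ident_response(
            identd_respond(b"garbage\r\n", origin_ip, CLIENT_CONNTRACK)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:>24}: {result}")
```

The model treats the client host's connection table as ground truth. Scenario 3 is the "works for you+me but nobody else" case from the reply above: with Squid on the gateway the client's port survives, but any source-NAT hop in front of the proxy replaces it, and the query then carries a port pair the client host has never seen.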