Rick,

Well, do I need to clarify my request for clarification.

Rest assured my squidGuard setup is complete and working fine using transparency mode. I must admit to a very coarse snipping of my config file, thus causing some questions about the fundamental setup. But I have quite a few destination declarations in there. I use iptables to redirect all outgoing traffic for port 80 to internal port 3128. Nothing wrong so far.

My confusion comes from the fact that, when using identd on my NT boxes, I see in my squid logging references to a correct untranslated source IP address (NAT only occurs on the way out over my ppp interface) with a correct user name. This seems to contradict your statement about translated addresses. But squidGuard seems to be ignoring the ident information altogether. Thus user jan as part of the admin source does not work and I get blocked where I expected not to be.

So the logging is as follows while I am on 192.168.0.196 as user jan:

squid:
  192.168.0.196 TCP_MISS/403 2509 GET http://www.girls.nl/ jan DIRECT/192.168.0.99 text/htm

squidGuard:
  2002-05-13 14:36:58 [11644] Request(default/mydest/-) http://www.girls.nl/ 192.168.0.196/- - GET

And my config:

  logdir /usr/local/squidGuard/log
  dbhome /usr/local/squidGuard/db

  src admin {
    user jan
  }

  dest exceptions {
    domainlist localdb/exceptions
    log /usr/local/squidGuard/log/squidGuard.log
  }

  dest mydest {
    domainlist localdb/domains
    log /usr/local/squidGuard/log/squidGuard.log
  }

  ... some more destinations ...

  acl {
    admin {
      pass all
    }
    default {
      pass exceptions !mydest !porn !adult !violence !aggressive !ads !gambling all
      redirect http://192.168.0.99/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
    }
  }

Just for fun, my iptables redirection:

  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

So my confusion is: When I look at what squid logs I deduce the combination of transparent proxy and ident verification could work. But looking at what squidGuard logs (and my browser) I see it doesn't.

I felt I had to balance my braces and be a bit verbose. Hope this makes things a bit clearer.

regards,
Jan.

----- Original Message -----
From: "Rick Matthews" <[EMAIL PROTECTED]>
To: "Jan Klaverstijn" <[EMAIL PROTECTED]>
Cc: "Squidguard Mailing List" <[EMAIL PROTECTED]>
Sent: Saturday, May 11, 2002 5:29 AM
Subject: RE: Authentication question

> > I think I need some clarification related to the "ident vs. transparent
> > proxy" dilemma
>
> With a transparent proxy you don't make any changes to the individual workstations.
> (Which means that <Tools><Internet Options><Connections><LAN Settings><Proxy Server>
> is blank.) Web requests leave your browser headed for port 80 on the remote computer,
> just as normal. (That's the transparent part!)
>
> Before the request can leave your network, however, an ipchains or iptables rule does
> net address translation and redirects the outgoing web request to the port on which
> squid is listening. In this process squid (and squidGuard) do not see the true ip
> address of the requestor, but instead the ip of the firewall box. The problem arises
> when you are trying to control access using the ip addresses, because you aren't
> seeing them. Ident is an *answer* to this problem.
>
> > My squidGuard.conf reads:
> >
> > src admin {
> > user jan
> > }
> > acl {
> > admin {
> > pass all
> > default ...
> > }
> > }
>
> Well, if it weren't for the '...' I'd ask you if this is really your config file. I
> know you've modified it for posting, I just don't know how much. Do you have any
> destination declarations? You are missing a '}' after your admin acl.
>
> > But squidGuard blocks nevertheless.
>
> Blocks what? You don't have any destination declarations?
>
> > This is a line from my logfile:
> >
> > TCP_MISS/403 2515 GET http://www.girls.com/ jan DIRECT/192.168.0.99
> > text/html
>
> That's your squid logfile. What is squidGuard telling you in its log file(s)?
>
> If you had destination groups I'd give you the same advice I gave earlier:
> My suggestion there would be to give every destination group its own log file:
> -------------
> dest porn {
> domainlist porn/domains
> urllist porn/urls
> logfile porn.log
> }
> -------------
> (You will need to manually create each of these log files and correctly set file
> ownership and permissions.) Then bounce squid.
>
> You can look at these log files to find out why you are being blocked. It's very
> helpful for debugging.
>
> I hope this helps!
>
> Rick Matthews
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Jan
> > Klaverstijn
> > Sent: Friday, May 10, 2002 3:32 PM
> > To: Squidguard Mailing List
> > Subject: Re: Authentication question
> >
> >
> > I think I need some clarification related to the "ident vs. transparent
> > proxy" dilemma as mentioned in
> > http://www.maynidea.com/squidguard/ident.html. I installed the identd
> > program on my WinXP and Win2K machines (thanks Rick for the reference). When
> > I simply add
> >
> > httpd_accel_host virtual
> >
> > to my squid.conf.
> > My squidGuard.conf reads:
> >
> > src admin {
> > user jan
> > }
> > acl {
> > admin {
> > pass all
> > default ...
> > }
> > }
> >
> > I neatly get my identity "jan" plus the correct IP in the squid access
> > logging. But squidGuard blocks nevertheless. Does this mean I just proved
> > the dilemma since squid knows who I am and where I come from, but passes
> > something else to squidGuard? Or is there something else? This is a line
> > from my logfile:
> >
> > TCP_MISS/403 2515 GET http://www.girls.com/ jan DIRECT/192.168.0.99
> > text/html
> >
> > Regards,
> > Jan.
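The thread turns on one observable fact: squid's access.log records the ident user ("jan") for the request, while the squidGuard log for the same client and URL shows "-" in the ident field, so a source group keyed on `user` can never match. The following script is an added example, not code from the thread or from the squid/squidGuard projects; it parses both log formats, joins them on (client address, URL) and reports every request where squid knew a user but squidGuard did not, then names the source groups in squidGuard.conf that depend on `user` entries and therefore cannot match. The sample log lines and the config excerpt are constructed for the example, modelled on the lines quoted above (the squid timestamp and elapsed-time columns, which Jan snipped, are made up).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines, modelled on the thread's quoted squid and squidGuard
# entries. The second request in each log is made up as a non-mismatching control.
SQUID_ACCESS_LOG = """\
1021293418.123    412 192.168.0.196 TCP_MISS/403 2509 GET http://www.girls.nl/ jan DIRECT/192.168.0.99 text/htm
1021293420.456     88 192.168.0.197 TCP_HIT/200 1043 GET http://www.example.org/ - NONE/- text/html
"""

SQUIDGUARD_LOG = """\
2002-05-13 14:36:58 [11644] Request(default/mydest/-) http://www.girls.nl/ 192.168.0.196/- - GET
2002-05-13 14:37:00 [11644] Request(default/exceptions/-) http://www.example.org/ 192.168.0.197/- - GET
"""

# Constructed config excerpt in the shape of the one quoted in the thread.
SAMPLE_CONF = """\
src admin {
  user jan
}
dest mydest {
  domainlist localdb/domains
}
"""

# squid "native" access.log layout:
#   time elapsed client action/status size method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)/(?P<status>\d+)\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# squidGuard log layout as shown in the thread:
#   date time [pid] Request(srcgroup/destgroup/redirect) URL clientaddr/clientname ident method
SQUIDGUARD_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \[(?P<pid>\d+)\] "
    r"Request\((?P<src>[^/]+)/(?P<dest>[^/]+)/(?P<redirect>[^)]*)\) "
    r"(?P<url>\S+) (?P<client>[^/\s]+)/(?P<clientname>\S+) (?P<ident>\S+) (?P<method>\S+)$"
)


def parse_squid(text: str) -> List[Dict[str, str]]:
    """Parse squid native access.log lines; lines that do not match are skipped."""
    return [m.groupdict() for m in (SQUID_RE.match(l.strip()) for l in text.splitlines()) if m]


def parse_squidguard(text: str) -> List[Dict[str, str]]:
    """Parse squidGuard request-log lines; lines that do not match are skipped."""
    return [m.groupdict() for m in (SQUIDGUARD_RE.match(l.strip()) for l in text.splitlines()) if m]


def user_sources(conf: str) -> Dict[str, List[str]]:
    """Map each 'src' group that carries 'user' entries to the users it names."""
    groups: Dict[str, List[str]] = {}
    for m in re.finditer(r"src\s+(\S+)\s*\{([^}]*)\}", conf):
        users: List[str] = []
        for line in re.findall(r"^\s*user\s+(.+?)\s*$", m.group(2), re.M):
            users.extend(line.split())
        if users:
            groups[m.group(1)] = users
    return groups


def find_ident_mismatches(squid_text: str, sg_text: str) -> List[Tuple[str, str, str, str]]:
    """(client, url, squid_ident, squidguard_ident) for each request where squid
    recorded an ident user but squidGuard logged none ('-')."""
    sg_by_key = {(e["client"], e["url"]): e for e in parse_squidguard(sg_text)}
    out = []
    for e in parse_squid(squid_text):
        sg = sg_by_key.get((e["client"], e["url"]))
        if sg is not None and e["ident"] != "-" and sg["ident"] == "-":
            out.append((e["client"], e["url"], e["ident"], sg["ident"]))
    return out


def explain(squid_text: str, sg_text: str, conf: str) -> List[str]:
    """Human-readable diagnosis: which ident-keyed source groups cannot match."""
    keyed = user_sources(conf)
    msgs = []
    for client, url, squid_ident, sg_ident in find_ident_mismatches(squid_text, sg_text):
        affected = [g for g, users in keyed.items() if squid_ident in users]
        msgs.append(
            f"{client} {url}: squid saw ident '{squid_ident}', squidGuard saw '{sg_ident}'; "
            f"source groups keyed on that user cannot match: {', '.join(affected) or 'none'}"
        )
    return msgs


if __name__ == "__main__":
    for line in explain(SQUID_ACCESS_LOG, SQUIDGUARD_LOG, SAMPLE_CONF):
        print(line)
```

Run it against real files by reading access.log and squidGuard.log into the two string arguments; the join key is (client address, URL), which is what the thread's two log lines share, so the check works whether or not the squid timestamp columns survive. A non-empty result is the concrete evidence that the ident field is lost between squid and the redirector for those requests, independent of which destination list caused the block.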
