Authentication - and that includes IDENT - does not mix with transparent aka intercepting operation.
If squid is grabbing the username, count yourself lucky... I can't comment off-hand about the squidguard aspect of the configuration. My 2c would be to ensure -very carefully- that squidguard handles the username correctly, probably by running a couple of by-hand requests.

Rob

> -----Original Message-----
> From: Jan Klaverstijn [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 13, 2002 11:13 PM
> To: Squidguard Mailing List
> Subject: Re: Authentication question
>
>
> Rick,
>
> Well, do I need to clarify my request for clarification.
>
> Rest assured my squidGuard setup is complete and working fine
> using transparency mode. I must admit to a very coarse
> snipping of my config file, thus causing some questions about
> the fundamental setup. But I have quite a few destination
> declarations in there.
>
> I use iptables to redirect all outgoing traffic for port 80 to
> internal port 3128. Nothing wrong so far. My confusion comes
> from the fact that, when using identd on my NT boxes, I see
> in my squid logging references to a correct untranslated
> source IP address (NAT only occurs on the way out over my ppp
> interface) with a correct user name. This seems to contradict
> your statement about translated addresses. But squidGuard
> seems to be ignoring the ident information altogether. Thus
> user jan as part of the admin source does not work and I get
> blocked where I expected not to be.
>
> So the logging is as follows while I am on 192.168.0.196 as user jan:
> squid:
> 192.168.0.196 TCP_MISS/403 2509 GET http://www.girls.nl/ jan DIRECT/192.168.0.99 text/htm
> squidGuard:
> 2002-05-13 14:36:58 [11644] Request(default/mydest/-) http://www.girls.nl/ 192.168.0.196/- - GET
>
> And my config:
> logdir /usr/local/squidGuard/log
> dbhome /usr/local/squidGuard/db
>
> src admin {
>     user jan
> }
> dest exceptions {
>     domainlist localdb/exceptions
>     log /usr/local/squidGuard/log/squidGuard.log
> }
> dest mydest {
>     domainlist localdb/domains
>     log /usr/local/squidGuard/log/squidGuard.log
> }
> ... some more destinations ...
> acl {
>     admin {
>         pass all
>     }
>     default {
>         pass exceptions !mydest !porn !adult !violence !aggressive !ads !gambling all
>         redirect http://192.168.0.99/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
>     }
> }
>
> Just for fun, my iptables redirection:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> So my confusion is: When I look at what squid logs I deduce
> the combination of transparent proxy and ident verification
> could work. But looking at what squidGuard logs (and my
> browser) I see it doesn't.
>
> I felt I had to balance my braces and be a bit verbose. Hope
> this makes things a bit clearer.
>
> regards,
> Jan.
>
> ----- Original Message -----
> From: "Rick Matthews" <[EMAIL PROTECTED]>
> To: "Jan Klaverstijn" <[EMAIL PROTECTED]>
> Cc: "Squidguard Mailing List" <[EMAIL PROTECTED]>
> Sent: Saturday, May 11, 2002 5:29 AM
> Subject: RE: Authentication question
>
>
> > > I think I need some clarification related to the "ident vs.
> > > transparent proxy" dilemma
> >
> > With a transparent proxy you don't make any changes to the individual workstations.
> > (Which means that <Tools><Internet Options><Connections><LAN Settings><Proxy Server>
> > is blank.)
> > Web requests leave your browser headed for port 80 on the remote computer,
> > just as normal. (That's the transparent part!)
> >
> > Before the request can leave your network, however, an ipchains or iptables rule does
> > net address translation and redirects the outgoing web request to the port on which
> > squid is listening. In this process squid (and squidGuard) do not see the true ip
> > address of the requestor, but instead the ip of the firewall box. The problem arises
> > when you are trying to control access using the ip addresses, because you aren't
> > seeing them. Ident is an *answer* to this problem.
> >
> > > My squidGuard.conf reads:
> > >
> > > src admin {
> > >     user jan
> > > }
> > > acl {
> > >     admin {
> > >         pass all
> > >     default ...
> > >     }
> > > }
> >
> > Well, if it weren't for the '...' I'd ask you if this is really your config file. I
> > know you've modified it for posting, I just don't know how much. Do you have any
> > destination declarations? You are missing a '}' after your admin acl.
> >
> > > But squidGuard blocks nevertheless.
> >
> > Blocks what? You don't have any destination declarations?
> >
> > > This is a line from my logfile:
> > >
> > > TCP_MISS/403 2515 GET http://www.girls.com/ jan DIRECT/192.168.0.99 text/html
> >
> > That's your squid logfile. What is squidGuard telling you in its log file(s)?
> >
> > If you had destination groups I'd give you the same advice I gave earlier: My
> > suggestion there would be to give every destination group its own log file:
> > -------------
> > dest porn {
> >     domainlist porn/domains
> >     urllist porn/urls
> >     logfile porn.log
> > }
> > -------------
> > (You will need to manually create each of these log files and correctly set file
> > ownership and permissions.) Then bounce squid.
> >
> > You can look at these log files to find out why you are being blocked. It's very
> > helpful for debugging.
> >
> > I hope this helps!
> >
> > Rick Matthews
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Jan Klaverstijn
> > > Sent: Friday, May 10, 2002 3:32 PM
> > > To: Squidguard Mailing List
> > > Subject: Re: Authentication question
> > >
> > >
> > > I think I need some clarification related to the "ident vs.
> > > transparent proxy" dilemma as mentioned in
> > > http://www.maynidea.com/squidguard/ident.html. I installed the
> > > identd program on my WinXP and Win2K machines (thanks Rick for the
> > > reference). When I simply add
> > >
> > > httpd_accel_host virtual
> > >
> > > to my squid.conf.
> > > My squidGuard.conf reads:
> > >
> > > src admin {
> > >     user jan
> > > }
> > > acl {
> > >     admin {
> > >         pass all
> > >     default ...
> > >     }
> > > }
> > >
> > > I neatly get my identity "jan" plus the correct IP in the squid
> > > access logging. But squidGuard blocks nevertheless. Does this mean I
> > > just proved the dilemma since squid knows who I am and where I come from, but
> > > passes something else to squidGuard? Or is there something else?
> > > This is a line from my logfile:
> > >
> > > TCP_MISS/403 2515 GET http://www.girls.com/ jan DIRECT/192.168.0.99 text/html
> > >
> > > Regards,
> > > Jan.
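
Added example, not part of the original messages: a short Python check for the symptom discussed in this thread. It correlates the squid access log with the squidGuard log to find requests where squid logged an ident user but squidGuard received `-`, using the two log lines quoted above as sample input. The function and field names are hypothetical.

```python
import re

# Sample lines copied from the thread above (squid access log excerpt, squidGuard log).
SQUID_LINE = ("192.168.0.196 TCP_MISS/403 2509 GET http://www.girls.nl/ jan "
              "DIRECT/192.168.0.99 text/htm")
SG_LINE = ("2002-05-13 14:36:58 [11644] Request(default/mydest/-) "
           "http://www.girls.nl/ 192.168.0.196/- - GET")

# client code/status bytes method url user hierarchy/...; search() tolerates
# the leading timestamp and elapsed fields of a full native access.log line.
SQUID_RE = re.compile(
    r"(?P<ip>\d+(?:\.\d+){3}) \S+/\d{3} \d+ (?P<method>\S+) "
    r"(?P<url>\S+) (?P<user>\S+) \S+/")
# Request(source/destination/rewrite) url ip/fqdn ident method
SG_RE = re.compile(
    r"Request\((?P<src>[^/]*)/(?P<dest>[^/]*)/[^)]*\) "
    r"(?P<url>\S+) (?P<ip>\d+(?:\.\d+){3})/\S+ (?P<ident>\S+) (?P<method>\S+)")

def parse(regex, line):
    m = regex.search(line)
    return m.groupdict() if m else None

def ident_lost(squid_lines, sg_lines):
    """Return requests where squid logged a user but squidGuard saw ident '-'."""
    seen = {}
    for line in squid_lines:
        rec = parse(SQUID_RE, line)
        if rec and rec["user"] != "-":
            seen[(rec["ip"], rec["url"])] = rec["user"]
    findings = []
    for line in sg_lines:
        rec = parse(SG_RE, line)
        if not rec:
            continue
        user = seen.get((rec["ip"], rec["url"]))
        if user and rec["ident"] == "-":
            findings.append({"ip": rec["ip"], "url": rec["url"],
                             "squid_user": user, "matched_source": rec["src"],
                             "dest_class": rec["dest"]})
    return findings

def redirector_line(url, ip, user, method="GET"):
    """Build one redirector input line (url ip/fqdn ident method) for a by-hand test."""
    return f"{url} {ip}/- {user or '-'} {method}"

if __name__ == "__main__":
    for finding in ident_lost([SQUID_LINE], [SG_LINE]):
        print(finding)
    print(redirector_line("http://www.girls.nl/", "192.168.0.196", "jan"))
```

The string from `redirector_line` is what a by-hand request looks like: fed to squidGuard on standard input (started with `-c` and the path to your squidGuard.conf), it shows whether `src admin` matches once the ident field is actually populated.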
