> Authentication - and that includes IDENT - do not mix with transparent
> aka intercepting operation.

I retract my previous comments to the contrary, thank you for straightening
that (and me!) out.

Rick

On Mon, 13 May 2002, "Robert Collins" wrote
> > Authentication - and that includes IDENT - do not mix with transparent
> > aka intercepting operation.
> >
> > If squid is grabbing the username, count yourself lucky...
> >
> > I can't comment off-hand about the squidguard aspect of the
> > configuration. My 2c would be to ensure -very carefully- that squidguard
> > handles the username correctly, probably by running a couple of by-hand
> > requests.
> >
> > Rob
> >
> > -----Original Message-----
> > From: Jan Klaverstijn [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, May 13, 2002 11:13 PM
> > To: Squidguard Mailing List
> > Subject: Re: Authentication question
> >
> >
> > Rick,
> >
> > Well, do I need to clarify my request for clarification.
> >
> > Rest assured my squidGuard setup is complete and working fine
> > using transparency mode. I must admit to a very coarse
> > snipping of my config file, thus causing some questions about
> > the fundamental setup. But I have quite a few destinations
> > declarations in there.
> >
> > I use iptables to redirect all outgoing traffic for port 80 to
> > internal port 3128. Nothing wrong so far. My confusion comes
> > from the fact that, when using identd on my NT boxes, I see
> > in my squid logging references to a correct untranslated
> > source IP address (NAT only occurs on the way out over my ppp
> > interface) with a correct user name. This seems to contradict
> > your statement about translated addresses. But squidGuard
> > seems to be ignoring the ident information altogether. Thus
> > user jan as part of the admin source does not work and I get
> > blocked where I expected not to be.
> >
> > So the logging is as follows while I am on 192.168.0.196 as user jan:
> > squid:
> > 192.168.0.196 TCP_MISS/403 2509 GET http://www.girls.nl/ jan DIRECT/192.168.0.99 text/htm
> > squidGuard:
> > 2002-05-13 14:36:58 [11644] Request(default/mydest/-) http://www.girls.nl/ 192.168.0.196/- - GET
> >
> > And my config:
> > logdir /usr/local/squidGuard/log
> > dbhome /usr/local/squidGuard/db
> >
> > src admin {
> >   user jan
> > }
> > dest exceptions {
> >   domainlist localdb/exceptions
> >   log /usr/local/squidGuard/log/squidGuard.log
> > }
> > dest mydest {
> >   domainlist localdb/domains
> >   log /usr/local/squidGuard/log/squidGuard.log
> > }
> > ... some more destinations ...
> > acl {
> >   admin {
> >     pass all
> >   }
> >   default {
> >     pass exceptions !mydest !porn !adult !violence !aggressive !ads !gambling all
> >     redirect http://192.168.0.99/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
> >   }
> > }
> >
> > Just for fun, my iptables redirection:
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> >
> > So my confusion is: When I look at what squid logs I deduce
> > the combination of transparent proxy and ident verification
> > could work. But looking at what squidGuard logs (and my
> > browser) I see it doesn't.
> >
> > I felt I had to balance my braces and be a bit verbose. Hope
> > this makes things a bit clearer.
> >
> > regards,
> > Jan.
> >
> > ----- Original Message -----
> > From: "Rick Matthews" <[EMAIL PROTECTED]>
> > To: "Jan Klaverstijn" <[EMAIL PROTECTED]>
> > Cc: "Squidguard Mailing List" <[EMAIL PROTECTED]>
> > Sent: Saturday, May 11, 2002 5:29 AM
> > Subject: RE: Authentication question
> >
> >
> > > > I think I need some clarification related to the "ident vs.
> > > > transparent proxy" dilemma
> > >
> > > With a transparent proxy you don't make any changes to the individual
> > > workstations. (Which means that <Tools><Internet Options><Connections><LAN
> > > Settings><Proxy Server> is blank.) Web requests leave your browser headed
> > > for port 80 on the remote computer, just as normal. (That's the
> > > transparent part!)
> > >
> > > Before the request can leave your network, however, an ipchains or
> > > iptables rule does net address translation and redirects the outgoing web
> > > request to the port on which squid is listening. In this process squid
> > > (and squidGuard) do not see the true ip address of the requestor, but
> > > instead the ip of the firewall box. The problem arises when you are
> > > trying to control access using the ip addresses, because you aren't
> > > seeing them. Ident is an *answer* to this problem.
> > >
> > > > My squidGuard.conf reads:
> > > >
> > > > src admin {
> > > >   user jan
> > > > }
> > > > acl {
> > > >   admin {
> > > >     pass all
> > > >   default ...
> > > >   }
> > > > }
> > >
> > > Well, if it weren't for the '...' I'd ask you if this is really your
> > > config file. I know you've modified it for posting, I just don't know how
> > > much. Do you have any destination declarations? You are missing a '}'
> > > after your admin acl.
> > >
> > > > But squidGuard blocks nevertheless.
> > >
> > > Blocks what? You don't have any destination declarations?
> > >
> > > > This is a line from my logfile:
> > > >
> > > > TCP_MISS/403 2515 GET http://www.girls.com/ jan DIRECT/192.168.0.99 text/html
> > >
> > > That's your squid logfile. What is squidGuard telling you in its log
> > > file(s)?
> > >
> > > If you had destination groups I'd give you the same advice I gave
> > > earlier: My suggestion there would be to give every destination group
> > > its own log file:
> > > -------------
> > > dest porn {
> > >   domainlist porn/domains
> > >   urllist porn/urls
> > >   logfile porn.log
> > > }
> > > -------------
> > > (You will need to manually create each of these log files and correctly
> > > set file ownership and permissions.) Then bounce squid.
> > >
> > > You can look at these log files to find out why you are being blocked.
> > > It's very helpful for debugging.
> > >
> > > I hope this helps!
> > >
> > > Rick Matthews
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED]
> > > > [mailto:[EMAIL PROTECTED]]On Behalf Of Jan Klaverstijn
> > > > Sent: Friday, May 10, 2002 3:32 PM
> > > > To: Squidguard Mailing List
> > > > Subject: Re: Authentication question
> > > >
> > > >
> > > > I think I need some clarification related to the "ident vs.
> > > > transparent proxy" dilemma as mentioned in
> > > > http://www.maynidea.com/squidguard/ident.html. I installed the
> > > > identd program on my WinXP and Win2K machines (thanks Rick for the
> > > > reference). When I simply add
> > > >
> > > > httpd_accel_host virtual
> > > >
> > > > to my squid.conf.
> > > > My squidGuard.conf reads:
> > > >
> > > > src admin {
> > > >   user jan
> > > > }
> > > > acl {
> > > >   admin {
> > > >     pass all
> > > >   default ...
> > > >   }
> > > > }
> > > >
> > > > I neatly get my identity "jan" plus the correct IP in the squid
> > > > access logging. But squidGuard blocks nevertheless. Does this mean I
> > > > just proved the dilemma since squid knows who I am and where I come
> > > > from, but passes something else to squidGuard? Or is there something
> > > > else?
> > > > This is a line from my logfile:
> > > >
> > > > TCP_MISS/403 2515 GET http://www.girls.com/ jan DIRECT/192.168.0.99 text/html
> > > >
> > > > Regards,
> > > > Jan.
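A small diagnostic for the mismatch the thread turns on (squid's access.log records the ident username while squidGuard's own log shows "-" for the same request, so a "user jan" source can never match). This is an added example, not code from the thread or from squidGuard; the log lines are constructed in the formats quoted above and the function names are mine.

```python
# Correlate squid access.log entries with squidGuard request-log entries and
# report requests where squid logged a username but squidGuard saw none.
# Sample lines are constructed to mirror the thread's format; names are mine.
import re

# squid native access.log as quoted in the thread (timestamp/elapsed columns snipped):
# client-ip result/status bytes method URL ident hierarchy/peer content-type
SQUID_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$')

# squidGuard log: date time [pid] Request(src/dest/rewrite) URL ip/fqdn user method
# The last four fields echo the redirector input squid handed to squidGuard, so a
# "-" user here means squidGuard never received an identity to match "user jan".
SG_RE = re.compile(
    r'^(?P<date>\S+\s+\S+)\s+\[(?P<pid>\d+)\]\s+Request\((?P<src>[^/]*)/'
    r'(?P<dest>[^/]*)/(?P<rew>[^)]*)\)\s+(?P<url>\S+)\s+(?P<ip>[^/]+)/'
    r'(?P<fqdn>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)$')

# Constructed sample lines; the first of each pair mirrors the thread's own entry.
SQUID_LOG = """\
192.168.0.196 TCP_MISS/403 2509 GET http://www.girls.nl/ jan DIRECT/192.168.0.99 text/html
192.168.0.197 TCP_MISS/200 1840 GET http://www.example.org/ - DIRECT/192.168.0.99 text/html
""".splitlines()
SG_LOG = """\
2002-05-13 14:36:58 [11644] Request(default/mydest/-) http://www.girls.nl/ 192.168.0.196/- - GET
2002-05-13 14:37:02 [11644] Request(default/exceptions/-) http://www.example.org/ 192.168.0.197/- - GET
""".splitlines()

def parse(lines, rx):
    """Index matching lines by (client ip, URL); lines that do not match are skipped."""
    out = {}
    for line in lines:
        m = rx.match(line.rstrip('\n'))
        if m:
            out[(m['ip'], m['url'])] = m.groupdict()
    return out

def find_dropped_identities(squid_lines, sg_lines):
    """Return (ip, url, squid username, squidGuard src that matched) for every
    request squid logged with a username but squidGuard processed with user '-'."""
    squid, sg = parse(squid_lines, SQUID_RE), parse(sg_lines, SG_RE)
    return [(ip, url, s['user'], sg[(ip, url)]['src'])
            for (ip, url), s in squid.items()
            if (ip, url) in sg and s['user'] != '-' and sg[(ip, url)]['user'] == '-']

if __name__ == '__main__':
    for ip, url, user, src in find_dropped_identities(SQUID_LOG, SG_LOG):
        print(f'{ip} {url}: squid saw user {user!r}, squidGuard matched src {src!r} with no user')
```

Any hit means the ident result never reached the redirector, which is exactly the symptom of running IDENT behind an intercepting (transparent) squid as Rob describes.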
