Jan,

Thanks for the additional information.

By now you've seen my response to Robert Collins' post; I defer to his expertise on transparent proxying. I can't explain why/how squid logs the correct ident information, but your squidGuard log entry confirms that the ident info is not being sent to squidGuard:

> Request(default/mydest/-) http://www.girls.nl/
          ^^^^^^^ - Processed under your default acl
> 192.168.0.196/- - GET
                ^ ^ The ident info would be in one of those two

At least you know *why* you are being blocked. ;-)

Like you, I don't understand why squid *has* the ident information and yet doesn't send it to squidGuard. If it were me, I'd review the squid.conf file to see if there are any anonymizing features turned on, or headers turned off, or something.

Here's another thought. On your workstation, go in and set up squid as your proxy (<Tools><Internet Options><Connections><LAN Settings>...) Those requests will be sent to port 3128, so your iptables redirect won't touch them. Try that and see what squidGuard is receiving (logging). If transparent (redirected) proxying is the problem, then this test should work fine, right?

Rick

On Mon, 13 May 2002, "Jan Klaverstijn" wrote
>
> Rick,
>
> Well, do I need to clarify my request for clarification.
>
> Rest assured my squidGuard setup is complete and working fine using
> transparency mode. I must admit to a very coarse snipping of my config file,
> thus causing some questions about the fundamental setup. But I have quite a
> few destinations declarations in them.
>
> I use iptables to redirect all outgoing traffic for port 80 to internal port
> 3128. Nothing wrong so far. My confusion comes from the fact that, when using
> identd on my NT boxes, I see in my squid logging references to a correct
> untranslated source IP address (NAT only occurs on the way out over my ppp
> interface) with a correct user name. This seems to contradict your statement
> about translated addresses. But squidGuard seems to be ignoring the ident
> information altogether.
> Thus user jan as part of the admin source does not
> work and I get blocked where I expected not to be.
>
> So the logging is as follows while I am on 192.168.0.196 as user jan:
> squid:
> 192.168.0.196 TCP_MISS/403 2509 GET http://www.girls.nl/ jan
> DIRECT/192.168.0.99 text/htm
> squidGuard:
> 2002-05-13 14:36:58 [11644] Request(default/mydest/-) http://www.girls.nl/
> 192.168.0.196/- - GET
>
> And my config:
> logdir /usr/local/squidGuard/log
> dbhome /usr/local/squidGuard/db
>
> src admin {
>   user jan
> }
> dest exceptions {
>   domainlist localdb/exceptions
>   log /usr/local/squidGuard/log/squidGuard.log
> }
> dest mydest {
>   domainlist localdb/domains
>   log /usr/local/squidGuard/log/squidGuard.log
> }
> ... some more destinations ...
> acl {
>   admin {
>     pass all
>   }
>   default {
>     pass exceptions !mydest !porn !adult !violence !aggressive !ads !gambling all
>     redirect http://192.168.0.99/cgi-bin/squidGuard.cgi?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u&targetgroup=%t
>   }
> }
>
> Just for fun, my iptables redirection:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> So my confusion is: When I look at what squid logs I deduce the combination
> of transparent proxy and ident verification could work. But looking at what
> squidGuard logs (and my browser) I see it doesn't.
>
> I felt I had to balance my braces and be a bit verbose. Hope this makes
> things a bit clearer.
>
> regards,
> Jan.
>
> ----- Original Message -----
> From: "Rick Matthews" <[EMAIL PROTECTED]>
> To: "Jan Klaverstijn" <[EMAIL PROTECTED]>
> Cc: "Squidguard Mailing List" <[EMAIL PROTECTED]>
> Sent: Saturday, May 11, 2002 5:29 AM
> Subject: RE: Authentication question
>
>
> > > I think I need some clarification related to the "ident vs. transparent
> > > proxy" dilemma
> >
> > With a transparent proxy you don't make any changes to the individual workstations.
> > (Which means that <Tools><Internet Options><Connections><LAN Settings><Proxy Server>
> > is blank.) Web requests leave your browser headed for port 80 on the remote computer,
> > just as normal. (That's the transparent part!)
> >
> > Before the request can leave your network, however, an ipchains or iptables rule does
> > net address translation and redirects the outgoing web request to the port on which
> > squid is listening. In this process squid (and squidGuard) do not see the true ip
> > address of the requestor, but instead the ip of the firewall box. The problem arises
> > when you are trying to control access using the ip addresses, because you aren't
> > seeing them. Ident is an *answer* to this problem.
> >
> > > My squidGuard.conf reads:
> > >
> > > src admin {
> > >   user jan
> > > }
> > > acl {
> > >   admin {
> > >     pass all
> > >   default ...
> > >   }
> > > }
> >
> > Well, if it weren't for the '...' I'd ask you if this is really your config file. I
> > know you've modified it for posting, I just don't know how much. Do you have any
> > destination declarations? You are missing a '}' after your admin acl.
> >
> > > But squidGuard blocks nevertheless.
> >
> > Blocks what? You don't have any destination declarations?
> >
> > > This is a line from my logfile:
> > >
> > > TCP_MISS/403 2515 GET http://www.girls.com/ jan DIRECT/192.168.0.99
> > > text/html
> >
> > That's your squid logfile. What is squidGuard telling you in its log file(s)?
> >
> > If you had destination groups I'd give you the same advice I gave earlier:
> > My suggestion there would be to give every destination group its own log file:
> > -------------
> > dest porn {
> >   domainlist porn/domains
> >   urllist porn/urls
> >   logfile porn.log
> > }
> > -------------
> > (You will need to manually create each of these log files and correctly set file
> > ownership and permissions.) Then bounce squid.
> >
> > You can look at these log files to find out why you are being blocked. It's very
> > helpful for debugging.
> >
> > I hope this helps!
> >
> > Rick Matthews
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jan Klaverstijn
> > > Sent: Friday, May 10, 2002 3:32 PM
> > > To: Squidguard Mailing List
> > > Subject: Re: Authentication question
> > >
> > >
> > > I think I need some clarification related to the "ident vs. transparent
> > > proxy" dilemma as mentioned in
> > > http://www.maynidea.com/squidguard/ident.html. I installed the identd
> > > program on my WinXP and Win2K machines (thanks Rick for the reference). When
> > > I simply add
> > >
> > > httpd_accel_host virtual
> > >
> > > to my squid.conf.
> > > My squidGuard.conf reads:
> > >
> > > src admin {
> > >   user jan
> > > }
> > > acl {
> > >   admin {
> > >     pass all
> > >   default ...
> > >   }
> > > }
> > >
> > > I neatly get my identity "jan" plus the correct IP in the squid access
> > > logging. But squidGuard blocks nevertheless. Does this mean I just proved
> > > the dilemma since squid knows who I am and where I come from, but passes
> > > something else to squidGuard? Or is there something else? This is a line
> > > from my logfile:
> > >
> > > TCP_MISS/403 2515 GET http://www.girls.com/ jan DIRECT/192.168.0.99
> > > text/html
> > >
> > > Regards,
> > > Jan.
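
The mismatch discussed in this thread can be confirmed from the logs themselves. The following is an added example, not part of the original messages: it parses the squid and squidGuard lines quoted above and reports when squid recorded a user name for a request but squidGuard received none. The field layouts are inferred from those two quoted lines, and the function names are hypothetical.

```python
import re

# The two log lines quoted in the thread (the squid line as the poster trimmed it).
SQUID_LINE = ("192.168.0.196 TCP_MISS/403 2509 GET http://www.girls.nl/ jan "
              "DIRECT/192.168.0.99 text/htm")
SG_LINE = ("2002-05-13 14:36:58 [11644] Request(default/mydest/-) "
           "http://www.girls.nl/ 192.168.0.196/- - GET")

# Layout inferred from the quoted squidGuard line (an assumption, not a spec):
# date time [pid] Request(source/dest/third) url ip/fqdn ident method
SG_RE = re.compile(
    r"^\S+ \S+ \[\d+\] Request\((?P<src>[^/]*)/(?P<dest>[^/]*)/(?P<third>[^)]*)\) "
    r"(?P<url>\S+) (?P<ip>[^/\s]+)/(?P<fqdn>\S+) (?P<ident>\S+) (?P<method>\S+)$")


def parse_squidguard(line):
    """Split a squidGuard request-log line into named fields."""
    m = SG_RE.match(line.strip())
    if m is None:
        raise ValueError("not a squidGuard Request line: %r" % line)
    return m.groupdict()


def parse_squid(line):
    """Split the trimmed squid access-log line as quoted in the thread:
    client result/status bytes method url user hierarchy content-type."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError("unexpected squid line layout: %r" % line)
    ip, result, _size, method, url, user, _hier, _ctype = fields
    return {"ip": ip, "result": result, "method": method, "url": url, "user": user}


def ident_lost(squid_line, sg_line):
    """Return a finding dict if both lines describe the same request and squid
    logged a user name while squidGuard received none; otherwise None."""
    sq, sg = parse_squid(squid_line), parse_squidguard(sg_line)
    same = (sq["ip"], sq["url"], sq["method"]) == (sg["ip"], sg["url"], sg["method"])
    if same and sq["user"] != "-" and sg["ident"] == "-":
        return {"client": sq["ip"], "squid_user": sq["user"],
                "squidguard_source": sg["src"], "matched_dest": sg["dest"]}
    return None


if __name__ == "__main__":
    print(ident_lost(SQUID_LINE, SG_LINE))
```

Running the same comparison after pointing the browser directly at port 3128, as suggested in the reply, shows whether the ident field is still empty without the iptables redirect.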
