[squid-users] Passing username from external acl to cache peer

From: David Rippel <RippelD@dont-contact.us>
Date: Thu, 09 Jun 2005 10:34:25 -0400

Greetings,

The following patch is for Squid 2.5-STABLE10. It makes the username returned from an external acl command part of the request data structure and encodes it using base64 between cache peers. This is for auditing purposes so that subsequent caches in the chain can see the username making the request in their logs (such as DansGuardian). It's more efficient, for example, to do this instead of making two separate ident requests.

I'm posting this to both the Squid-users and DansGuardian mailing list since I think that it will be useful for both groups. This is functionality I've wanted for a long time (see http://www.squid-cache.org/mail-archive/squid-users/200310/0625.html).

Regards,
David

Here's the patch (made against RHEL4 Squid sources):

--- ../../squid-2.5.STABLE10.RC1.20050510/src/./external_acl.c 2005-03-30 17:46:41.000000000 -0500
+++ ./external_acl.c 2005-06-08 18:24:42.000000000 -0400
@@ -415,6 +415,7 @@
     external_acl_entry *entry = NULL;
     external_acl_data *acl = data;
     const char *key = "";
+ request_t *request = ch->request;
     debug(82, 9) ("aclMatchExternal: acl=\"%s\"\n", acl->def->name);
     if (ch->extacl_entry) {
         entry = ch->extacl_entry;
@@ -469,6 +470,8 @@
      */
     if (entry->user) {
         xstrncpy(ch->rfc931, entry->user, USER_IDENT_SZ);
+ /* Associate the username with the request */
+ xstrncpy(request->rfc931, entry->user, USER_IDENT_SZ);
         if (cbdataValid(ch->conn))
             xstrncpy(ch->conn->rfc931, entry->user, USER_IDENT_SZ);
     }
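Review bot: the new `xstrncpy(request->rfc931, ...)` dereferences `request` (taken from `ch->request` in the previous hunk) without checking it for NULL, while the existing code next to it guards `ch->conn` with `cbdataValid()` before touching it. If aclMatchExternal can be reached for a check that has no request attached, this is a crash; wrap the copy as `if (request) xstrncpy(request->rfc931, entry->user, USER_IDENT_SZ);` to match the defensive style of the surrounding lines.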
--- ../../squid-2.5.STABLE10.RC1.20050510/src/./http.c 2005-03-25 21:50:53.000000000 -0500
+++ ./http.c 2005-06-09 09:41:54.000000000 -0400
@@ -1016,8 +1016,13 @@
             /* Special mode, to pass the username to the upstream cache */
             char loginbuf[256];
             const char *username = "-";
- if (orig_request->auth_user_request)
- username = authenticateUserRequestUsername(orig_request->auth_user_request);
+ /* Pass basic auth username to upstream cache - supercedes ident */
+ if (orig_request->auth_user_request) {
+ username = authenticateUserRequestUsername(orig_request->auth_user_request);
+ /* Pass ident username if no basic auth username */
+ } else if (orig_request->rfc931) {
+ username = orig_request->rfc931;
+ }
             snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, orig_request->peer_login + 1);
             httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Basic %s",
                 base64_encode(loginbuf));
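Review bot: `else if (orig_request->rfc931)` tests the address of the `rfc931` array added in structs.h, which is never NULL, so the branch is always taken and the `"-"` default can no longer be sent; the intended test is on the contents, i.e. `} else if (orig_request->rfc931[0]) {`. The comment should also record that this value now reaches the peer in a `Proxy-Authorization: Basic` header whether it came from real proxy authentication or only from ident / an external acl, so the upstream cache cannot tell the two apart and must treat it as an unverified audit label rather than an authenticated identity.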
--- ../../squid-2.5.STABLE10.RC1.20050510/src/./structs.h 2005-05-04 14:03:47.000000000 -0400
+++ ./structs.h 2005-06-08 18:27:06.000000000 -0400
@@ -1652,6 +1652,7 @@
     char login[MAX_LOGIN_SZ];
     char host[SQUIDHOSTNAMELEN + 1];
     auth_user_request_t *auth_user_request;
+ char rfc931[USER_IDENT_SZ];
     u_short port;
     String urlpath;
     char *canonical;
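Review bot: the new `rfc931` member is undocumented; a short comment saying it holds the ident or external-acl username attached to the request (and that it is distinct from `auth_user_request`) would help, since `login` and `auth_user_request` sit right beside it. It must also be guaranteed zero-initialised when a `request_t` is created, otherwise the empty-string check the http.c side needs will read uninitialised bytes.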
Received on Thu Jun 09 2005 - 08:34:08 MDT