Re: [squid-users] Redirector problems with squid 2.6

From: Jonne Hannon <Jonne.Hannon@dont-contact.us>
Date: Tue, 04 Mar 2008 09:45:24 +1000

Hi Amos,

Thanks for your reply. We already use basic auth to authenticate the user against the LDAP tree. The username is passed to the redirector via the ident parameter and this is how LDAP is queried from the redirector. I have turned on debugging options and the following is logged to the cache log:

2008/03/03 14:24:03| clientRedirectStart: 'http://www.news.com.au/'
2008/03/03 14:24:03| redirectStart: 'http://www.news.com.au/'

and that's where the logging stops.

The redirector logs that it got the input from stdin, logs the successful LDAP query, logs the output sent to stdout, then nothing. It appears that squid is not noticing that the output has been written to stdout from the redirector and is waiting. This is the output being written to stdout from the redirector:

Mar 3 14:24:03 esl4 (tc_redirector)[3354]: Sent 'http://www.news.com.au/ xxx.xxx.xxx.xxx/- abc123 GET'.

I'm using squid 2.6STABLE18 as squid 3 is not yet compatible with Smartfilter.

Thanks,

Jonne.

iDivision Security Team
Brisbane City Council

Ph: 07 3403 6918
Email: jonne.hannon@brisbane.qld.gov.au
Visit http://www.brisbane.qld.gov.au

>>> Amos Jeffries <squid3@treenet.co.nz> 3/03/2008 5:58:58 pm >>>
Jonne Hannon wrote:
> Hi,
>
> I'm currently upgrading Squid and Smartfilter to a supported combination of squid 2.6STABLE18 + Smartfilter 4.2.1. Included in this mix is a redirection program, written in C. The redirection program was written to intercept all proxy requests and query LDAP to check if the user has accepted Internet usage terms and conditions. If the user has not accepted or needs to re-confirm acceptance, the browser is redirected to the terms and conditions website. If the user has a valid acceptance record then they can continue on the requested website.
>
> The redirector program reads from buffered stdout, queries LDAP and writes back to stdout using fprintf. This worked in squid 2.5, but using squid 2.6, the browser appears to timeout with no error reported back to the user. There is no log entry in the access.log, but there is a log entry in store.log that looks like the following:
>
> 1204259653.333 RELEASE -1 FFFFFFFF AF6C1D6C4B3CEF474FB849A84B6F9371 200 1204256053 1204256053 1204259653 application/cache-digest 817/817 GET internal://xxx.xxx.xxx.xxx/squid-internal-periodic/store_digest
>
> It appears to me that squid 2.6 is not receiving the output back from the redirector. Can you please advise how I can troubleshoot this further?
>

Are you sure this is done with a redirector? How is it getting its user
info to query LDAP? Redirectors receive a bare URI.

You would probably be better off using basic auth (against LDAP) and a
special deny_info for when it fails.
To prevent popups there is a config trick:

   acl authUsers proxy_auth REQUIRED
   acl dummy_auth src all
   http_access allow authUsers dummy_auth
   deny_info http://.../conditions.html dummy_auth

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
**********************************************************************
   This message has passed through an insecure network.
    Please direct all enquiries to the message author.
**********************************************************************
Received on Mon Mar 03 2008 - 16:46:03 MST

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:04 MDT
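
An added example, not part of the original thread and not the poster's redirector: a minimal C helper loop for the redirector interface discussed above, answering each request line with exactly one reply line and flushing stdout after every reply, because stdio fully buffers output when stdout is a pipe. The terms URL, `demo_accepted` (standing in for the LDAP lookup), the four-field input line as logged in the thread, and the fail-closed handling of malformed lines are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder, not from the thread: where unaccepted users are sent. */
#define TERMS_URL "http://terms.example.invalid/conditions.html"

/* Hypothetical stand-in for the LDAP acceptance lookup. */
typedef int (*accepted_fn)(const char *user);

static int demo_accepted(const char *user)   /* constructed sample data */
{
    return strcmp(user, "abc123") == 0;
}

/* Parse one request line "URL ip/fqdn ident method" and write the reply
 * (without newline) into out. Returns 0 if the URL is left unchanged
 * (empty reply), 1 if the user is sent to TERMS_URL, -1 if malformed. */
int answer_line(const char *line, char *out, size_t outsz, accepted_fn ok)
{
    char url[4096], src[256], ident[256], method[32];
    int n = sscanf(line, "%4095s %255s %255s %31s", url, src, ident, method);

    snprintf(out, outsz, "%s", TERMS_URL);   /* default: fail closed */
    if (n != 4)
        return -1;
    if (strcmp(ident, "-") == 0 || !ok(ident))
        return 1;                            /* no user or not accepted */
    out[0] = '\0';                           /* empty line = no rewrite */
    return 0;
}

/* One reply line per request line, flushed immediately so the proxy
 * never waits on data still sitting in this process's stdio buffer. */
int serve(FILE *in, FILE *outf, accepted_fn ok)
{
    char line[8192], reply[4096];
    int n = 0;

    while (fgets(line, sizeof line, in) != NULL) {
        answer_line(line, reply, sizeof reply, ok);
        fprintf(outf, "%s\n", reply);
        fflush(outf);
        n++;
    }
    return n;
}

int main(void) { serve(stdin, stdout, demo_accepted); return 0; }
```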