[squid-users] ident authentication and follow_x_forwarded_for

From: Ben Miller <gibsta_at_gmail.com>
Date: Tue, 11 May 2010 16:35:52 -0500

Greetings,

I am configuring a Squid/Dansguardian web proxy/content filter. The
flow of traffic looks like this:

Client --> Proxy:8080 (Dansguardian) --> 127.0.0.1:3128 (Squid running
on Proxy) --> Edge firewall

The relevant portions of squid.conf follow:

==================================================================================
acl localnet src 10.0.0.0/8

# Authentication ACLs
# Allow ident lookups on internal clients
#ident_lookup_access allow localnet
ident_lookup_access allow localnet
ident_lookup_access deny all

# Allow clients with IDENT
acl ident_auth ident REQUIRED
# If they don't have ident login restrict access to authorized via ldap
acl ldap_auth proxy_auth REQUIRED

# Attempt ident, then LDAP/basic authentication. Note that Squid is
# only listening on 127.0.0.1:3128, so the following lines are to
# support acl_uses_indirect_client
http_access allow ip_authenticated
http_access allow ident_auth localnet
http_access allow ldap_auth localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# OPTIONS FOR X-Forwarded-For
# -----------------------------------------------------------------------------

# Allow Squid to see Dansguardian IP addresses
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

# Listen only to Dansguardian
http_port 127.0.0.1:3128

==================================================================================

I am attempting to configure Squid to authenticate with ident, but it
seems that the 'follow_x_forwarded_for allow localhost' is not being
honored by the ident authenticator. Is there any way to configure
Squid to send the ident queries to the originating client?

I have confirmed that follow_x_forwarded_for is functional for other
things (logging of client IP addresses for example), and that ident
queries are being responded to by the clients. Squid is simply never
asking for ident and is skipping directly to LDAP/Basic
authentication.

Thanks in advance for any help you may provide,

Ben Miller

6 X 9 = 42
Received on Tue May 11 2010 - 21:36:00 MDT

This archive was generated by hypermail 2.2.0 : Thu May 13 2010 - 12:00:05 MDT
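The following is an added example, not code from the original post or from Squid/Dansguardian, modelling what the ident protocol (RFC 1413) can and cannot answer in the topology described above. An ident query names a TCP connection by its port pair: the port on the host being asked and the port on the asker. Squid's only connection in this chain is the one from Dansguardian on 127.0.0.1, so that port pair is the only thing it can ask about; the X-Forwarded-For address holds no such connection and a compliant identd there can only reply NO-USER. All hosts, ports and user names (10.1.2.3, 51000, 40000, alice, dansguardian) are constructed sample data.

```python
"""Model of an RFC 1413 (ident) exchange for the client -> Dansguardian -> Squid chain.

Added example for illustration; it is not code from the original post or from
Squid/Dansguardian. Hosts, ports and user names below are constructed sample data.
"""


def build_query(port_on_identd_host: int, port_on_querier: int) -> bytes:
    """Format an ident request (RFC 1413): "<port on the host being asked>,<port on the asker>" CRLF.

    The asker describes a TCP connection it holds with the host it is querying; the
    protocol has no field for any other endpoint, so only a direct TCP peer can be asked.
    """
    return f"{port_on_identd_host},{port_on_querier}\r\n".encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Parse an ident reply into a dict: type/opsys/user for USERID, type/code for ERROR."""
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    parts = line.split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    ports, resp_type, rest = (p.strip() for p in parts)
    port_on_identd_host, port_on_querier = (int(p.strip()) for p in ports.split(","))
    result = {
        "port_on_identd_host": port_on_identd_host,
        "port_on_querier": port_on_querier,
        "type": resp_type,
    }
    if resp_type == "USERID":
        opsys, user = (p.strip() for p in rest.split(":", 1))
        result.update(opsys=opsys, user=user)
    elif resp_type == "ERROR":
        result["code"] = rest
    else:
        raise ValueError(f"unknown ident response type: {resp_type!r}")
    return result


class SimulatedIdentd:
    """Stand-in for an identd on one host, answering from that host's own socket table.

    `connections` maps (local_port, remote_port) -> owning user, which is the information
    a real identd reads from the kernel for sockets that *this* host holds.
    """

    def __init__(self, connections: dict):
        self.connections = dict(connections)

    def answer(self, query: bytes) -> bytes:
        try:
            local_s, remote_s = query.decode("ascii").split(",")
            local_port, remote_port = int(local_s), int(remote_s)
        except ValueError:
            # Unparseable request: RFC 1413 only defines an ERROR reply; the echoed 0,0 is our choice.
            return b"0,0:ERROR:INVALID-PORT\r\n"
        if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
            return f"{local_port},{remote_port}:ERROR:INVALID-PORT\r\n".encode("ascii")
        user = self.connections.get((local_port, remote_port))
        if user is None:
            # This host holds no such connection, so there is no user to report.
            return f"{local_port},{remote_port}:ERROR:NO-USER\r\n".encode("ascii")
        return f"{local_port},{remote_port}:USERID:UNIX:{user}\r\n".encode("ascii")


def walk_through() -> dict:
    """Replay the post's topology with constructed ports and users.

    alice's browser (10.1.2.3:51000) -> Dansguardian :8080 on the proxy host;
    Dansguardian (127.0.0.1:40000) -> Squid 127.0.0.1:3128 on the same host.
    """
    client_identd = SimulatedIdentd({(51000, 8080): "alice"})             # runs on 10.1.2.3
    proxy_host_identd = SimulatedIdentd({(40000, 3128): "dansguardian"})  # runs on the proxy box

    # The only connection Squid holds is the one from Dansguardian, so this is the
    # only port pair it can legitimately put in an ident query.
    squid_query = build_query(port_on_identd_host=40000, port_on_querier=3128)

    # Dansguardian's own connection to alice is a different port pair entirely.
    dg_query = build_query(port_on_identd_host=51000, port_on_querier=8080)

    return {
        # Asking the real TCP peer tells Squid only which account Dansguardian runs as.
        "squid_asks_tcp_peer": parse_response(proxy_host_identd.answer(squid_query)),
        # Sending the same query to the X-Forwarded-For address: the client has no
        # 40000<->3128 connection, so its identd can only answer NO-USER.
        "squid_asks_xff_client": parse_response(client_identd.answer(squid_query)),
        # The hop that actually could identify alice is the one holding her connection.
        "dansguardian_asks_client": parse_response(client_identd.answer(dg_query)),
    }


if __name__ == "__main__":
    for label, reply in walk_through().items():
        print(f"{label:26s} -> {reply}")
```

The point the walk-through makes is that honouring follow_x_forwarded_for for ident would not help even if Squid did it: the query carries Squid's own port pair, and the originating client's identd has no matching socket. An ident-based identity for the real client can only be obtained by the hop that terminates the client's TCP connection, or by having Squid face the clients directly.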