[squid-users] Logging ACL name with requests

From: Will Roberts <ironwill42_at_gmail.com>
Date: Mon, 02 Apr 2012 20:02:19 -0400

Hi,

I'm trying to log the name of the ACL that allowed/denied access for a
particular request. I have a patch that seems to work fine on all my
machines except one. On that one machine it'll work fine for several
hours, but then begins logging other garbage; sometimes parts of URLs,
other times it's just random bytes. I think my patch is correct and this
machine has a problem, but I'd appreciate it if someone could take a look.

My real goal is to associate a username with requests that are allowed
based on a whitelisted IP. I had originally done this using an external
acl helper, but found that it was too slow and would cause connections
to randomly fail. So instead I now generate a .conf file that is
included with my main squid config which looks like this:

acl foo src 10.3.4.0/24
acl foo src 10.4.5.0/24
http_access allow foo

acl bar src 120.3.4.0/24
acl bar src 120.4.5.0/24
http_access allow bar

hence why I'm then trying to log the name of the ACL that allowed the
connection. If there's a different way of doing that I'm open to
suggestions.

Here's the patch. I allowed the ACL to be accessible via its own token
or to replace the user one if the user is null.

Thanks,
--Will

Index: squid3-3.1.19/src/AccessLogEntry.h
===================================================================
--- squid3-3.1.19.orig/src/AccessLogEntry.h 2012-02-05
06:51:32.000000000 -0500
+++ squid3-3.1.19/src/AccessLogEntry.h 2012-03-29 00:57:22.000000000 -0400
@@ -96,6 +96,7 @@
                  msec(0),
                  rfc931 (NULL),
                  authuser (NULL),
+ aclname (NULL),
                  extuser(NULL)
  #if USE_SSL
                  ,ssluser(NULL)
@@ -114,6 +115,7 @@
          int msec;
          const char *rfc931;
          const char *authuser;
+ const char *aclname;
          const char *extuser;
  #if USE_SSL

Index: squid3-3.1.19/src/access_log.cc
===================================================================
--- squid3-3.1.19.orig/src/access_log.cc 2012-02-05 06:51:32.000000000 -0500
+++ squid3-3.1.19/src/access_log.cc 2012-03-29 01:01:43.000000000 -0400
@@ -404,6 +404,7 @@
      LFT_TAG,
      LFT_IO_SIZE_TOTAL,
      LFT_EXT_LOG,
+ LFT_ACCEPTED_ACL,

  #if USE_ADAPTATION
      LTF_ADAPTATION_SUM_XACT_TIMES,
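Review bot: the name LFT_ACCEPTED_ACL on the added enum line is narrower than what the patch records. In client_side_request.cc the ACL name is stored before the answer != ACCESS_ALLOWED test, so denied requests carry it as well. A neutral name such as LFT_MATCHED_ACL would describe the value better.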
@@ -561,6 +562,7 @@
      {"et", LFT_TAG},
      {"st", LFT_IO_SIZE_TOTAL},
      {"ea", LFT_EXT_LOG},
+ {"ACL", LFT_ACCEPTED_ACL},

      {"%", LFT_PERCENT},
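Review bot: the token added here, "ACL", is three upper-case letters where the neighbouring entries ("et", "st", "ea") are two lower-case letters, and nothing in the patch documents it. Suggest a code in the table's existing style and a matching entry in the logformat documentation so administrators can find the new token.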

@@ -1017,6 +1019,9 @@
              if (!out)
                  out = accessLogFormatName(al->cache.extuser);

+ if (!out)
+ out = accessLogFormatName(al->cache.aclname);
+
  #if USE_SSL

              if (!out)
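Review bot: falling back to al->cache.aclname when extuser is empty puts ACL names in the same log field as authenticated user names, so a reader or parser of the log cannot tell an identity from an ACL label (an ACL named "bob" looks the same as a user "bob"). The patch already adds a dedicated token for the ACL name, so I would drop this fallback, here and in the @@ -1764 hunk, or make it an explicit configuration choice.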
@@ -1182,6 +1187,10 @@

              break;

+ case LFT_ACCEPTED_ACL:
+ out = al->cache.aclname;
+ break;
+
          case LFT_PERCENT:
              out = "%";
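Review bot: the LFT_ACCEPTED_ACL case writes al->cache.aclname out as is, while the two fallback hunks pass the same field through accessLogFormatName(). Pick one treatment so the same ACL name is rendered identically wherever it appears in a log line.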

@@ -1764,6 +1773,9 @@
      if (!user)
          user = accessLogFormatName(al->cache.extuser);

+ if (!user)
+ user = accessLogFormatName(al->cache.aclname);
+
  #if USE_SSL

      if (!user)
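Review bot: the aclname fallback is inserted ahead of the USE_SSL block, so whenever an ACL name is set the following if (!user) never fires and the SSL fallback is skipped. If the fallback stays, it should come after the USE_SSL block so an ACL label is the last resort rather than taking precedence over it.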
@@ -2431,6 +2443,7 @@

      safe_free(aLogEntry->headers.reply);
      safe_free(aLogEntry->cache.authuser);
+ safe_free(aLogEntry->cache.aclname);

      safe_free(aLogEntry->headers.adapted_request);
      HTTPMSGUNLOCK(aLogEntry->adapted_request);
Index: squid3-3.1.19/src/client_side.cc
===================================================================
--- squid3-3.1.19.orig/src/client_side.cc 2012-02-05 06:51:32.000000000
-0500
+++ squid3-3.1.19/src/client_side.cc 2012-04-01 22:13:11.000000000 -0400
@@ -558,6 +558,8 @@

          al.cache.msec = tvSubMsec(start_time, current_time);

+ al.cache.aclname = xstrdup( aclname );
+
          if (request)
              prepareLogWithRequestDetails(request, &al);
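Review bot: xstrdup( aclname ) runs for every logged request with no NULL check, yet aclname is only assigned in the access-check path in client_side_request.cc, so a request that is logged without reaching that path arrives here with whatever the member happens to hold. Guard it, for example if (aclname) al.cache.aclname = xstrdup(aclname);. Style: the surrounding calls do not pad the inside of the parentheses.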

Index: squid3-3.1.19/src/client_side_request.cc
===================================================================
--- squid3-3.1.19.orig/src/client_side_request.cc 2012-02-05
06:51:32.000000000 -0500
+++ squid3-3.1.19/src/client_side_request.cc 2012-04-01
22:13:24.000000000 -0400
@@ -588,6 +588,8 @@
      else if (http->request->auth_user_request != NULL)
          proxy_auth_msg =
http->request->auth_user_request->denyMessage("<null>");

+ http->aclname = AclMatchedName;
+
      if (answer != ACCESS_ALLOWED) {
          /* Send an error */
          int require_auth = (answer == ACCESS_REQ_PROXY_AUTH ||
aclIsProxyAuth(AclMatchedName));
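Review bot: http->aclname = AclMatchedName; keeps a borrowed pointer rather than a copy, and it is not read until log time in client_side.cc, which can be long after this callback for a slow transfer. AclMatchedName is a shared variable (it is read again just below for aclIsProxyAuth), so this is only safe if the string it points at outlives the request. If that storage is freed or reused in between, for example when the ACLs are rebuilt, the logger reads stale memory, which would match the URL fragments and random bytes described in the report. Take the copy here (xstrdup when non-NULL) and free it when the ClientHttpRequest is destroyed.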
Index: squid3-3.1.19/src/client_side_request.h
===================================================================
--- squid3-3.1.19.orig/src/client_side_request.h 2012-02-05
06:51:32.000000000 -0500
+++ squid3-3.1.19/src/client_side_request.h 2012-03-26
22:54:59.000000000 -0400
@@ -98,6 +98,7 @@
      HttpRequest *request; /* Parsed URL ... */
      char *uri;
      char *log_uri;
+ const char *aclname;

      struct {
          int64_t offset;
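Review bot: the new aclname member carries no comment about who owns the string, and no hunk in this patch initialises it in the ClientHttpRequest constructor even though client_side.cc reads it unconditionally. Initialise it to NULL and document the ownership. If it becomes an owned copy, drop the const so it matches uri and log_uri above and can be freed.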
Received on Tue Apr 03 2012 - 00:02:28 MDT
