RE: [squid-users] ident and intercept

From: James Harper <james_at_ejbdigital.com.au>
Date: Sat, 12 Jul 2014 08:15:59 +0000

>
> On 12/07/2014 5:21 p.m., James Harper wrote:
> > The docs says that ident doesn't work with intercept proxying, and it
> > doesn't, but I think it wouldn't be too hard to make it work. In fact
> > maybe as simple as setting COMM_TRANSPARENT on the ident socket.
>
> COMM_TRANSPARENT is a Squid internal flag telling Squid to use TPROXY
> binding on the outgoing connection. If you use this you will be sending
> IDENT requests to the original destination *server*, using the from-IP
> as the one you were trying to contact.

Setting COMM_TRANSPARENT actually does work (but maybe unwanted side effects?). I've just tested it. The ident connection appears to come from the destination server so the client handles them correctly and the correct username is logged for intercepted connections.

But you're saying I should find another way of setting IP_TRANSPARENT on the ident socket?

> The problem is that the TCP source-port details are used by IDENT
> protocol. Source-NAT operations in the network before reaching Squid can
> remove/obscure them completely.
>

Ah. Squid is actually running on my gateway so there is no NAT before it reaches Squid (and from memory, there is a way of redirecting packets over a GRE tunnel or something to preserve that info... was it WCCP?)

> > Does that sound plausible? What I've found is that not only does
> > ident not work on an intercepted connection, the connection just
> > hangs forever (or at least for the 10 minutes that I waited) if any
> > ACLs are encountered that would require an ident lookup.
>
> The hang is a separate bug which has now been resolved:
> http://bugs.squid-cache.org/show_bug.cgi?id=4080
>

Excellent. Applying now.

Thanks

James
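The thread turns on two properties of the IDENT protocol (RFC 1413) that matter for an intercepting proxy: the identd on the user's machine answers for a specific TCP port pair, and it expects the query to come from the other end of that connection (which is why Squid has to bind the ident socket to the original destination address, and why source-NAT between the client and the proxy makes the lookup fail). The following is an added example, not Squid's code and not from the thread: a minimal RFC 1413 query builder, responder and reply parser, driven over loopback against a constructed connection table. The port numbers, the username "alice" and the "snat" case (where the client's source port has been rewritten before reaching the proxy) are all constructed for the demonstration.

```python
"""RFC 1413 IDENT exchange, modelled in-process (added example, not Squid code).

RFC 1413 terms: the "server" is the host running identd (the user's machine),
the "client" is the host asking (here, the proxy).  The request names the port
pair of one TCP connection as seen from the identd host; identd looks that pair
up in its own connection table and reports the owning user, or an ERROR.
"""
import re
import socket
import threading

IDENT_PORT_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")


def build_ident_query(target_port: int, querier_port: int) -> bytes:
    # Request line: "<port-on-server> , <port-on-client>" CRLF.
    # target_port  = local port of the connection on the identd host
    # querier_port = port on the asking host (for an intercepted flow, the
    #                original destination port, e.g. 80)
    return f"{target_port}, {querier_port}\r\n".encode("ascii")


def answer_ident_query(line: bytes, conn_table: dict) -> bytes:
    """identd side: conn_table maps (local_port, remote_port) -> username."""
    m = IDENT_PORT_RE.match(line.decode("ascii", "replace"))
    if not m:
        return b"0, 0 : ERROR : INVALID-PORT\r\n"
    tport, qport = int(m.group(1)), int(m.group(2))
    if not (0 < tport < 65536 and 0 < qport < 65536):
        return f"{tport}, {qport} : ERROR : INVALID-PORT\r\n".encode("ascii")
    user = conn_table.get((tport, qport))
    if user is None:
        # No such connection on this host: this is what a NAT-rewritten
        # source port looks like from identd's point of view.
        return f"{tport}, {qport} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{tport}, {qport} : USERID : UNIX : {user}\r\n".encode("ascii")


def parse_ident_reply(reply: bytes):
    """Querier side: returns ("USERID", user) or ("ERROR", error-token)."""
    text = reply.decode("ascii", "replace").rstrip("\r\n")
    fields = [f.strip() for f in text.split(":", 3)]  # user-id may contain ':'
    if len(fields) == 4 and fields[1] == "USERID":
        return ("USERID", fields[3])
    if len(fields) >= 3 and fields[1] == "ERROR":
        return ("ERROR", fields[2])
    return ("ERROR", "MALFORMED")


def serve_one(listener: socket.socket, conn_table: dict) -> None:
    """Accept one ident connection, answer one query, close."""
    conn, _peer = listener.accept()
    with conn:
        data = conn.recv(512)
        conn.sendall(answer_ident_query(data, conn_table))


def ident_lookup(ident_addr, target_port: int, querier_port: int, timeout=2.0):
    """Querier side: connect to identd, send the query, read one reply line."""
    with socket.create_connection(ident_addr, timeout=timeout) as s:
        s.sendall(build_ident_query(target_port, querier_port))
        buf = b""
        while not buf.endswith(b"\n") and len(buf) < 1000:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
    return parse_ident_reply(buf)


def demo() -> dict:
    # Constructed connection table on the "user's" host: local port 51234
    # talking to remote port 80, owned by user "alice".
    conn_table = {(51234, 80): "alice"}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port stands in for 113/tcp
    listener.listen(2)
    addr = listener.getsockname()
    cases = {
        "direct": (51234, 80),  # proxy sees the client's real source port
        "snat": (40001, 80),    # a NAT hop rewrote the source port first
    }
    results = {}
    for label, (tport, qport) in cases.items():
        t = threading.Thread(target=serve_one, args=(listener, conn_table))
        t.start()
        results[label] = ident_lookup(addr, tport, qport)
        t.join()
    listener.close()
    return results


if __name__ == "__main__":
    print(demo())  # direct -> ('USERID', 'alice'); snat -> ('ERROR', 'NO-USER')
```

The "snat" case reproduces the failure mode described above: the port pair the proxy knows about is not the pair in the client's connection table, so identd can only answer NO-USER. The other requirement, that the query arrive from the address the client thinks it is talking to, is a property of the socket the proxy sends from (TPROXY/IP_TRANSPARENT binding) and is not modelled here; the example talks to identd over plain loopback.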
Received on Sat Jul 12 2014 - 08:16:13 MDT