Hi all.
I have need to do this type of caching/filtering:
Internal Network --> squid1 --> Dansguardian --> squid2 --> Internet
I would like to have squid enforce this type of ACL policy:
1. If squid1 can do an ident lookup and the ident username is OK,
allow access.
2. If squid1 can not do an ident lookup, prompt for authentication
via PAM against LDAP.
3. Either way, pass the username credential upstream to Dansguardian
so that it may determine filter lists based on the supplied name.
I have already setup 1 and 2 and they work as expected. Squid1 will
pass the prompted authentication upstream to DG but if squid1 applies
the ident ACL, that information is not seen/understood by the
upstream DG.
I have tried to have DG do a seperate ident lookup when it receives
the request but even with x-forwarded headers it tries to do the
ident lookup to the actual request source (the squid server, not the
original client).
Since this option did not work, I thought that maybe there was a way
to get squid to pass the ident information upstream as if it was a
basic_auth username. This would solve my problem.
The basic idea is to apply separate filter lists in dansguardian
based on a username (determined from either ident or failing that
basic_auth).
Any suggestions?
Thanks, Al