ian j hart wrote:
On Friday 07 December 2007 00:58:31 Adrian Chadd wrote:
So if I get this right, you'd like to log the acl list that passed or
failed the user?
Adrian
Near enough.
I want to log the aclname (or custom error page name) and the username. I'll
probably want the url in short order, followed by anything else that proves
useful.
I want to do this for users who are denied access.
[The more general solution you state above would probably be okay too. I might
need to add DENY/ACCEPT so I can include that in the regexp.]
<tangent>
Here's an example of how this might be generally useful. I have thee different
proxy ACLs.
A url_regexp
A dstdomain list harvested from a popular list site
A "daily" list gleaned from yesterdays access summary
Problem:
If a student can get through all day today whats to stop them?
Is the list going to be accumulative over all time? or just until
nobody is requesting the particular site?
Which one matched? (This is where the url would be nice)
Which given the current squid code is why I pointed you at deny_info
which runs a script _at the point the request was made_ and will accept
the ACL and URL.
This gives you three benefits:
1) you can reset all student access again at the start of the day
but block again _immediately_ when they start acting up.
If they learn to obey the rules they will retain their access to okay
sites. If not they are screwed.
2) lets you list the newly banned site on the error page itself to
warn/teach the students which URL will get them in trouble.
(they may not know whats newly on the list yet, and this saves you the
trouble of manually informing people)
3) lets you do almost anything you like when setting the allow/block
state. You control the script entirely.
You can get this info by raising the log level, but not on one line, which
makes parsing evil. And each file is more verbose too.
[A "full monty" implementation would be a separate match.log file defaulting
to "none"]
</tangent>
Here's part of client_side.c
if (answer == ACCESS_ALLOWED) {
...
} else {
int require_auth = (answer == ACCESS_REQ_PROXY_AUTH ...
debug(33, 5) ("Access Denied: %s\n", http->uri);
-> debug(33, 5) ("AclMatchedName = %s\n",
AclMatchedName ? AclMatchedName : "<null>");
That's half what I need straight away!
The problem is that this is called more than once. e.g.
hmm, I'm guessing at your config here but It looks kinda like:
REQ ...youtube.com
passwd
blockproxies
(HIT http_access deny passwd blockproxies)
407 error. auth needed for this site.
REQ ... youtube.com (+ username & password)
blockproxies
(HIT http_access deny passwd blockproxies)
404 error.
Thats two seperate requests. Normal sequence for basic auth.
First one is the auth, second is the url match, and third is the error page (I
think).
I can easily _not match_ the passwd ACL, but If I'm counting 'strikes' it
would be cleaner if blockproxies were logged just the once.
And that's where I came in.
Is there a better place for this, what should be a one liner. The error page
is only returned once, right? Which Is why I thought somewhere near there
would be about right. Just need a clue from someone who sees the whole
picture.
If you read this far, well done :)
Thanks
