
ident authentication and follow_x_forwarded_for


Greetings,

I am configuring a Squid/Dansguardian web proxy/content filter. The
flow of traffic looks like this:

Client --> Proxy:8080 (Dansguardian) --> 127.0.0.1:3128 (Squid running
on Proxy) --> Edge firewall

The relevant portions of squid.conf follow:

==================================================================================
acl localnet src 10.0.0.0/8

# Authentication ACLs
# Allow ident lookups on internal clients
#ident_lookup_access allow localnet
ident_lookup_access allow localnet
ident_lookup_access deny all

# Allow clients with IDENT
acl ident_auth ident REQUIRED
# If they don't have ident login restrict access to authorized via ldap
acl ldap_auth proxy_auth REQUIRED

# Attempt ident, then LDAP/basic authentication. Note that Squid is
# only listening on 127.0.0.1:3128, so the following lines are to
# support acl_uses_indirect_client
http_access allow ip_authenticated
http_access allow ident_auth localnet
http_access allow ldap_auth localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# OPTIONS FOR X-Forwarded-For
# -----------------------------------------------------------------------------

# Allow Squid to see Dansguardian IP addresses
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

# Listen only to Dansguardian
http_port 127.0.0.1:3128

==================================================================================


I am attempting to configure Squid to authenticate with ident, but it
seems that the 'follow_x_forwarded_for allow localhost' is not being
honored by the ident authenticator. Is there any way to configure
Squid to send the ident queries to the originating client?

I have confirmed that follow_x_forwarded_for is functional for other
things (logging of client IP addresses for example), and that ident
queries are being responded to by the clients. Squid is simply never
asking for ident and is skipping directly to LDAP/Basic
authentication.

Thanks in advance for any help you may provide,

Ben Miller

6 X 9 = 42
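
An added illustration (not part of the original post, and not Squid or Dansguardian code) of why the address taken from X-Forwarded-For is not enough for an ident lookup: RFC 1413 identifies a user by the port pair of one TCP connection, and in the topology above the only socket Squid holds is the loopback one from Dansguardian. The IP addresses, port numbers and user name are constructed, and `identd_answer` is a simulated responder, so the script runs offline.

```python
import re

# Constructed sample data: the client host's open connections, as its identd sees them.
# Key: (local port, remote IP, remote port) -> owning user.
CLIENT_CONNS = {(51514, "10.0.0.5", 8080): "alice"}   # client -> Dansguardian:8080

def build_query(port_on_identd_host, port_on_querier):
    """RFC 1413 request: '<port-on-server> , <port-on-client>' CRLF."""
    for p in (port_on_identd_host, port_on_querier):
        if not 1 <= p <= 65535:
            raise ValueError(f"invalid TCP port: {p}")
    return f"{port_on_identd_host} , {port_on_querier}\r\n".encode("ascii")

_REPLY = re.compile(rb"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")

def parse_reply(line):
    """Parse a USERID or ERROR reply; this parser trims surrounding whitespace."""
    m = _REPLY.match(line.rstrip(b"\r\n"))
    if not m:
        raise ValueError("malformed ident reply")
    ports = (int(m.group(1)), int(m.group(2)))
    if m.group(3) == b"ERROR":
        return {"ports": ports, "user": None, "error": m.group(4).decode("ascii")}
    _opsys, _, user = m.group(4).partition(b":")
    return {"ports": ports, "user": user.strip().decode("ascii", "replace"), "error": None}

def identd_answer(conn_table, query, querier_ip):
    """Simulated identd: answers only for connections its own host has open."""
    local, remote = (int(x) for x in query.decode("ascii").split(","))
    user = conn_table.get((local, querier_ip, remote))
    tail = f"USERID : UNIX : {user}" if user else "ERROR : NO-USER"
    return f"{local} , {remote} : {tail}\r\n".encode("ascii")

def lookup(conn_table, querier_ip, peer_port, local_port):
    """Ask the (simulated) identd who owns peer_port -> querier_ip:local_port."""
    query = build_query(peer_port, local_port)
    return parse_reply(identd_answer(conn_table, query, querier_ip))

if __name__ == "__main__":
    # Port pair of the socket the client really opened (held by Dansguardian).
    print(lookup(CLIENT_CONNS, "10.0.0.5", 51514, 8080))
    # Port pair of Squid's only socket (Dansguardian -> 127.0.0.1:3128), sent to
    # the X-Forwarded-For address: the client has no such connection.
    print(lookup(CLIENT_CONNS, "10.0.0.5", 40022, 3128))
```

The first lookup resolves because the querier holds the port pair of the connection the client opened; the second returns NO-USER because the queried port pair belongs to the loopback hop, which the client host knows nothing about.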
