On 12/07/2014 5:21 p.m., James Harper wrote:
> The docs say that ident doesn't work with intercept proxying, and it
> doesn't, but I think it wouldn't be too hard to make it work. In fact
> maybe as simple as setting COMM_TRANSPARENT on the ident socket.

COMM_TRANSPARENT is a Squid internal flag telling Squid to use TPROXY
binding on the outgoing connection. If you use this you will be sending
IDENT requests to the original destination *server*, using the from-IP
as the one you were trying to contact.

The problem is that the TCP source-port details are used by IDENT
protocol. Source-NAT operations in the network before reaching Squid can
remove/obscure them completely.

>
> Does that sound plausible? What I've found is that not only doesn't
> ident not work on an intercepted connection, the connection just
> hangs forever (or at least for the 10 minutes that I waited) if any
> acl's are encountered that would require an ident lookup.

The hang is a separate bug which has now been resolved:
http://bugs.squid-cache.org/show_bug.cgi?id=4080

Amos
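
The source-port dependency described in the reply above, as an added illustration that is not part of the original thread and is not Squid code: a toy RFC 1413 responder and reply parser showing that a lookup succeeds only when the querier presents the client's real source port. The connection table, port numbers and user name are constructed, all function names are hypothetical, and addresses are ignored for brevity.

```python
import re

# Constructed sample: the client host's connection table as its identd sees it.
# Key: (local port on the client host, remote port it connected to).
CLIENT_CONNS = {(40112, 80): "alice"}

def build_query(port_on_server: int, port_on_client: int) -> bytes:
    """RFC 1413 query: port on the identd host, then port on the querying host."""
    for p in (port_on_server, port_on_client):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return f"{port_on_server} , {port_on_client}\r\n".encode("ascii")

def identd_answer(query: bytes, conns=CLIENT_CONNS) -> bytes:
    """Toy identd: answers only if the exact port pair is a live connection."""
    m = re.fullmatch(rb"\s*(\d+)\s*,\s*(\d+)\s*\r\n", query)
    if not m:
        return b"0 , 0 : ERROR : INVALID-PORT\r\n"
    pair = (int(m.group(1)), int(m.group(2)))
    user = conns.get(pair)
    if user is None:
        return f"{pair[0]} , {pair[1]} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{pair[0]} , {pair[1]} : USERID : UNIX : {user}\r\n".encode("ascii")

def parse_reply(reply: bytes):
    """Return ('USERID', user) or ('ERROR', code); whitespace is trimmed here."""
    text = reply.decode("ascii").rstrip("\r\n")
    fields = [f.strip() for f in text.split(":", 3)]
    if len(fields) >= 4 and fields[1] == "USERID":
        return ("USERID", fields[3])
    if len(fields) >= 3 and fields[1] == "ERROR":
        return ("ERROR", fields[2])
    raise ValueError("malformed ident reply")

def lookup(seen_src_port: int, dst_port: int):
    """What the proxy learns when it queries with the source port it observed."""
    return parse_reply(identd_answer(build_query(seen_src_port, dst_port)))

if __name__ == "__main__":
    # No NAT in the path: the proxy sees the client's real source port.
    print(lookup(40112, 80))
    # Source-NAT rewrote the port before the proxy: the pair matches nothing.
    print(lookup(51877, 80))
```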