
%un format code doesn't work for external ssl_bump ACLs

Squid 3.5.7

I'm using an external ACL to decide whether to bump traffic during SSL bump step 2. The external ACL needs to know the user's username for requests that have authenticated, but not all requests are authenticated so I can't use %LOGIN and I'm therefore using %un instead. However, %un is never being filled in with a user name.


The relevant parts of the config are:

http_access allow proxy_auth
http_access deny all
external_acl_type sslpeek children-max=10 concurrency=100 ttl=0 negative_ttl=0 %SRC %un %URI %ssl::>sni %>ha{User-Agent} /usr/sbin/check_bump.sh
acl sslpeek external sslpeek
acl ssl_bump_step_1 at_step SslBump1
acl ssl_bump_step_2 at_step SslBump2
acl ssl_bump_step_3 at_step SslBump3
ssl_bump peek ssl_bump_step_1 #icap_says_peek
ssl_bump bump ssl_bump_step_2 sslpeek
ssl_bump splice all
sslproxy_cert_error allow all


The debug log shows that the request is successfully authenticated:

Acl.cc(138) matches: checking proxy_auth
UserData.cc(22) match: user is steve, case_insensitive is 0
UserData.cc(28) match: aclMatchUser: user REQUIRED and auth-info present.
Acl.cc(340) cacheMatchAcl: ACL::cacheMatchAcl: miss for 'proxy_auth'. Adding result 1
Acl.cc(158) matches: checked: proxy_auth = 1

But then later in the log I see:

external_acl.cc(1416) Start: fg lookup in 'sslpeek' for '2a00:1940:1:8:468a:5bff:fe9a:cd7f - www.hsbc.co.uk:443 www.hsbc.co.uk Mozilla/5.0%20(X11;%20Fedora;%20Linux%20x86_64;%20rv:39.0)%20Gecko/20100101%20Firefox/39.0'


The user name given to the external ACL is "-" even though the request has been authenticated. Setting a->require_auth in parse_externalAclHelper() makes it work, but obviously just makes %un behave like %LOGIN, so isn't a solution.

--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:steve@xxxxxxxxxxxx
   Email:            steve@xxxxxxxxxxxx
   Phone:            sip:steve@xxxxxxxxxxxx

Sales / enquiries contacts:
   Email:            sales@xxxxxxxxxxxx
   Phone:            +44-1792-824568 / sip:sales@xxxxxxxxxxxx

Support contacts:
   Email:            support@xxxxxxxxxxxx
   Phone:            +44-1792-825748 / sip:support@xxxxxxxxxxxx

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
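An added example, not part of the post and not the poster's /usr/sbin/check_bump.sh: a minimal concurrent external ACL helper that consumes the exact field order of the external_acl_type line quoted above (%SRC %un %URI %ssl::>sni %>ha{User-Agent}). With concurrency=N Squid prefixes every request line with a channel ID and expects "<ID> OK" or "<ID> ERR" back; each field is URL-encoded, which is why the User-Agent in the log line arrives as one token with %20 in it. The helper treats the "-" that Squid substitutes for an unknown %un as "unauthenticated" and refuses to bump such sessions, so the symptom described in the post fails closed (traffic is spliced, not decrypted) rather than silently bumping unauthenticated users. The NO_BUMP_SUFFIXES list and the bank.example host are constructed for illustration.

```shell
#!/bin/sh
# Added example helper (not the poster's script): concurrent external ACL
# helper for the format  %SRC %un %URI %ssl::>sni %>ha{User-Agent}.
# Request line from Squid:  <channel-id> <src> <user> <uri> <sni> <user-agent>
# Reply expected by Squid:  <channel-id> OK   (ACL matches -> bump)
#                           <channel-id> ERR  (ACL does not match -> splice)

# Constructed policy list: hosts that must never be decrypted, matched as an
# exact name or as a domain suffix of the TLS SNI.
NO_BUMP_SUFFIXES="bank.example"

# decide_bump USER SNI -> prints OK (bump allowed) or ERR (do not bump)
decide_bump() {
    user=$1
    sni=$2
    # Squid sends "-" for %un when it has no user name for the request
    # (the behaviour reported in the post).  Never bump unauthenticated
    # sessions: this is the fail-closed choice for a decryption policy.
    if [ -z "$user" ] || [ "$user" = "-" ]; then
        echo ERR
        return
    fi
    for suf in $NO_BUMP_SUFFIXES; do
        case "$sni" in
            "$suf"|*."$suf") echo ERR; return ;;
        esac
    done
    echo OK
}

# handle_line "<id> <src> <user> <uri> <sni> <ua>" -> "<id> OK|ERR"
# Fields are URL-encoded by Squid, so plain word splitting is safe; globbing
# is disabled while splitting so a '*' inside a URI cannot expand.
handle_line() {
    set -f
    set -- $1
    set +f
    id=$1
    user=$3
    sni=$5
    echo "$id $(decide_bump "$user" "$sni")"
}

# serve: the stdin/stdout loop Squid drives, one request per line.
serve() {
    while IFS= read -r line; do
        handle_line "$line"
    done
}

# Run the loop only when started by Squid (or by hand) with "serve", so the
# functions above can also be sourced and exercised on their own.
[ "${1:-}" = "serve" ] && serve
```

Point external_acl_type at a copy of this script started with the serve argument (for example via a one-line wrapper) and keep ttl=0 while testing so cached verdicts do not mask changes; the channel ID is echoed back unchanged, which is what lets Squid match replies to outstanding requests when concurrency is above 1.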
