Re: Setting header with external auth helper error message

On 12/6/22 08:54, Irem Kuyucu wrote:

I'm trying to get Squid (4.9) to reply to the client with a custom
header which contains the error message returned from the external
auth helper binary.

For example, I'd like Squid to reply with a header like this:
X-Custom-Err: ERR NO_BACKEND
or
X-Custom-Err: NO_BACKEND
Where "ERR NO_BACKEND" is a response gathered from the auth helper.

I've tried setting this in squid.conf, this way I can see the header
however its value is always '-':

reply_header_add X-Custom-Err "%err_detail"

I also tried to define a custom error by modifying squid.conf and
error-details.txt. That also didn't work, the value is always set to
'-'.
/etc/squid.conf:

error_directory /etc/squid/error_directory/
deny_info CUSTOM_ERR_ACCESS_DENIED custom-auth
reply_header_add X-Custom-Err "%err_detail"

/etc/squid/error_directory/error-details.txt:

name: CUSTOM_ERR_ACCESS_DENIED
detail: "%m"
descr: "Access denied"

"%m" is the error message returned by external auth helper according
to https://wiki.squid-cache.org/Features/CustomErrors#ERR_.2A_template_codes_for_embedding
I also tried to log "%err_code %err_detail %et %ea" but all of these
values except err_code are logged as '-'.

Does anyone know how to do this or if this is possible to do in the first place?


1. Upgrade to the latest Squid v4 (at least). There are Squid v4.9 bugs that may prevent the advice below from working correctly. One of them was fixed in v4.11, but there may be others. Consider upgrading to Squid v5.7 or later. I hope my response covers the latest Squid v4, but I do not remember any v4-specific caveats.


2. Make sure your helper is sending the right annotation to Squid as a custom name=value pair in each helper response. Always end your custom helper annotation names with an underscore to avoid conflicts with Squid internal annotations, current and future. See [1] for format details.

[1] https://wiki.squid-cache.org/Features/AddonHelpers#Authenticator


3. Use reply_header_add with the corresponding %note logformat code
(let's assume that you called your custom annotation "myerror_"):

    reply_header_add X-Custom-Err "%note{myerror_}"


4. Please note that helper results may be cached. If your helper is not contacted for a given transaction (due to a helper cache hit or some other reason), then you may get no annotation or a stale annotation. If your annotation is not specific to authentication, you may want to use an external ACL helper to set it (and disable caching of that helper's results with "external_acl_type ... cache=0" or similar, as needed).

N.B. %err_code and %err_detail logformat codes are for reporting Squid-discovered errors, not custom annotations.


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
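
A helper along the lines of step 2, as an added example that is not part of the original thread: a Python basic-auth helper that attaches the failure reason as the myerror_ annotation, which the reply_header_add line in step 3 then reads via %note{myerror_}. The backend check, user names and reason codes are constructed for illustration, and the request format assumes a basic-auth helper without concurrency (one URL-encoded "user password" line per request). The value is reduced to a bare token because it ends up in a reply header sent to the client.

```python
#!/usr/bin/env python3
"""Squid basic-auth helper that annotates failures (added example, not from the thread)."""
import re
import sys
from urllib.parse import unquote

ANNOTATION = "myerror_"  # name used in the reply above; trailing underscore avoids clashes
_UNSAFE = re.compile(r"[^A-Za-z0-9_.-]")

def safe_token(reason):
    """Reduce a failure reason to a bare token so it cannot break the helper
    line or carry CR/LF into the X-Custom-Err reply header."""
    return _UNSAFE.sub("_", reason)[:64] or "UNKNOWN"

def check_credentials(user, password):
    """Hypothetical backend lookup returning (ok, reason); constructed stub data."""
    if user == "alice" and password == "s3cret":
        return True, ""
    if user.startswith("ldap-"):
        return False, "NO_BACKEND"  # stands in for an unreachable directory
    return False, "BAD_CREDENTIALS"

def handle_line(line):
    """Turn one request line ("user password", URL-encoded) into a helper reply."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return "BH"  # helper could not process the request at all
    user, password = (unquote(p) for p in parts)
    ok, reason = check_credentials(user, password)
    if ok:
        return "OK"
    # Result code first, then the custom name=value annotation.
    return "ERR %s=%s" % (ANNOTATION, safe_token(reason))

def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer output

if __name__ == "__main__":
    main()
```

Keeping the annotation to a short fixed vocabulary of reason codes also avoids exposing backend hostnames or stack traces to clients through the header.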


