On 12/6/22 08:54, Irem Kuyucu wrote:
I'm trying to get Squid (4.9) to reply to the client with a custom
header which contains the error message returned from the external
auth helper binary.
For example, I'd like Squid to reply with a header like this:
X-Custom-Err: ERR NO_BACKEND
or
X-Custom-Err: NO_BACKEND
Where "ERR NO_BACKEND" is a response gathered from the auth helper.
I've tried setting this in squid.conf, this way I can see the header
however its value is always '-':
reply_header_add X-Custom-Err "%err_detail"
I also tried to define a custom error by modifying squid.conf and
error-details.txt. That also didn't work, the value is always set to
'-'.
/etc/squid.conf:
error_directory /etc/squid/error_directory/
deny_info CUSTOM_ERR_ACCESS_DENIED custom-auth
reply_header_add X-Custom-Err "%err_detail"
/etc/squid/error_directory/error-details.txt:
name: CUSTOM_ERR_ACCESS_DENIED
detail: "%m"
descr: "Access denied"
"%m" is the error message returned by external auth helper according
to https://wiki.squid-cache.org/Features/CustomErrors#ERR_.2A_template_codes_for_embedding
I also tried to log "%err_code %err_detail %et %ea" but all of these
values except err_code are logged as '-'.
Does anyone know how to do this or if this is possible to do in the first place?
1. Upgrade to the latest Squid v4 (at least). There are Squid v4.9 bugs
that may prevent the advice below from working correctly. One of them
was fixed in v4.11, but there may be others. Consider upgrading to Squid
v5.7 or later. I hope my response covers the latest Squid v4, but I do
not remember any v4-specific caveats.
2. Make sure your helper is sending the right annotation to Squid as a
custom name=value pair in each helper response. Always end your custom
helper annotation names with an underscore to avoid conflicts with Squid
internal annotations, current and future. See [1] for format details.
[1] https://wiki.squid-cache.org/Features/AddonHelpers#Authenticator
3. Use reply_header_add with the corresponding %note logformat code
(let's assume that you called your custom annotation "myerror_"):
reply_header_add X-Custom-Err "%note{myerror_}"
4. Please note that helper results may be cached. If your helper is not
contacted for a given transaction (due to a helper cache hit or some
other reason), then you may get no annotation or a stale annotation. If
your annotation is not specific to authentication, you may want to use
an external ACL helper to set it (and disable caching of that helper
results with "external_acl_type ... cache=0" or similar, as needed).
N.B. %err_code and %err_detail logformat code are for reporting
Squid-discovered errors, not custom annotations.
HTH,
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users