Re: [squid-users] logging ident while avoiding an ident lookup for each request

From: Marc Haber <mh+squid-users_at_zugschlus.de>
Date: Thu, 22 May 2008 13:41:15 +0200

On Thu, May 22, 2008 at 09:51:53PM +1200, Amos Jeffries wrote:
> Ah, I thought it yes was 1 second or so, but a closer look at the
> default show its 0 seconds unless set higher.
> http://www.squid-cache.org/Versions/v3/3.0/cfgman/authenticate_ip_ttl.html

I think that only holds if the max_user_ip ACL is used, which is not
the case on my test system.

> Yes the problem of multiple-users per IP is one to consider.

Is there already an off-the shelf solution? Could squid send back an
identification cookie to the client application and use that cookie to
identify the user from then on, repeating the ident request like, once
a minute?

> What you mean by the statistics? I expect it drops the counters of ident
> requests relative to the counters of authenticated requests, and lowers
> the overall request service times (part of the idea right? faster
> response times with less network load).

Yes, but it'll also account requests to the wrong user if the ident
valud associate with any IP address is cached at all without
additional measures as soon as multiple users issue http requests from
the same IP address in the same second (which can easily be the case
for a multi-user system).

I must be missing something here.

Greetings
Marc

P.S. This is my config file, just in case it helps - it's just the
config file from Debian testing with minor changes to activate ident
lookups

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
logformat squid %ts.%03tu %6tr %>a %ui %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
access_log /var/log/squid/access.log squid
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl vmware_network src 192.168.8.0/24
http_access allow vmware_network
http_access deny all
http_reply_access allow all
icp_access allow all
ident_lookup_access allow vmware_network
cache_effective_group proxy
coredump_dir /var/spool/squid

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
Received on Thu May 22 2008 - 11:41:27 MDT

This archive was generated by hypermail 2.2.0 : Tue Aug 05 2008 - 01:05:13 MDT