Re: [squid-users] missing username in squid log

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 11 Nov 2011 23:19:41 +1300

On 11/11/2011 8:23 p.m., Giovanni Rosini wrote:
> Hi Amos,
> I'm using squid-2.6.STABLE22-1.fc8 (on Fedora Core 8 o.s.).

That was popular last decade right?

> I think it's better if I send you my squid.conf file.
> However, as I wrote before, squid has no authentication functions.

And then you go and ask why "in access.log I can't see information about
users"?

user is an output of the authentication and authorization processes.

> Authentication is made by chillispot + freeradius.

There is the answer why *Squid* is not logging it by default.

> Some details....
> I have a wi-fi router (with dd-wrt firmware inside) the clients
> connect to, and a remote server where I have installed freeradius,
> mysql and squid.
> Chillispot (on router) captures internet access request and sends
> connection to the login page on remote server.
> Here user enters username and password, which are sent to freeradius
> for matching against radius database.

So the username is in radius database.

Being an interception proxy auth_param is obviously out of the question.
So you need an external_acl_type script to lookup the client details in
the database and send Squid back the username in the external ACL
"user=" response key. This gets logged in the %ue format tag. Squid
bundles with a perl script called db_auth. You can adjust it easily to
do these tasks.

> If auth is ok, client is allowed to browse the web.
> On router firmware there is an iptables rule that redirects connections
> to port 80 to port 3128 on remote server, where squid acts as a
> transparent proxy and logs page requests.
>

You would do well to implement this instead of NAT redirect on the
router. This will let Squid actually have IP information about the
clients' machines, to help with the external ACL lookups.
http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute

Amos

> Giovanni
>
>
>
> On 11/11/2011 1.25, Amos Jeffries wrote:
>> On 10/11/2011 9:12 p.m., Giovanni Rosini (personale) wrote:
>>> I've created a hotspot system using chillispot, freeradius, mysql
>>> and squid.
>>> Thru chillispot's captive portal, username and password are sent to
>>> freeradius for authentication.
>>> After authentication, squid registers web pages requested by users.
>>> My problem is that in access.log I can't see information about
>>> users, i.e. for each page requested I see the url, ip address and
>>> other data, but not the username the user is logged in.
>>> It's not a problem of LOGFORMAT, I've tried all the possibilities
>>> about it.
>>> Is there a way to solve this problem?
>>
>> Please provide some info about the squid version being used, and the
>> config you are using in Squid to retrieve the username (auth_param or
>> external_acl_type? with what http_access rules?).
>>
>> Amos
>>
Received on Fri Nov 11 2011 - 10:19:52 MST
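
An external_acl_type helper of the kind described in the reply above, as an added example (not part of the original thread and not Squid's bundled db_auth script): it maps the client IP that Squid passes as %SRC to the user with an open accounting session and answers "OK user=...", which the %ue log tag then records. Assumptions: Squid sees the real client IP (policy routing rather than NAT on the router), the database uses the FreeRADIUS radacct accounting table, and an in-memory SQLite table with constructed rows stands in for MySQL; the helper path and ACL names are hypothetical.

```python
# squid.conf wiring (helper path and ACL names are hypothetical):
#   external_acl_type radius_user ttl=60 %SRC /usr/local/bin/radacct_user.py
#   acl hotspot_user external radius_user
#   http_access allow hotspot_user
import ipaddress
import sqlite3
import sys
from urllib.parse import quote

# Column names follow the FreeRADIUS radacct table; the rows are constructed.
SCHEMA = """CREATE TABLE radacct (
    username TEXT, framedipaddress TEXT,
    acctstarttime TEXT, acctstoptime TEXT)"""
SAMPLE_ROWS = [
    ("alice", "10.1.0.23", "2011-11-11 09:00:00", None),
    ("bob", "10.1.0.23", "2011-11-10 18:00:00", "2011-11-10 19:30:00"),
    ("carol smith", "10.1.0.40", "2011-11-11 09:05:00", None),
    ("dave", "10.1.0.41", "2011-11-11 08:00:00", "2011-11-11 08:30:00"),
]

def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def lookup(db, line):
    """Answer one helper request line (the %SRC value) with OK user=... or ERR."""
    fields = line.split()
    if len(fields) != 1:
        return "ERR"
    try:
        src = str(ipaddress.ip_address(fields[0]))  # reject anything but an IP
    except ValueError:
        return "ERR"
    # Only a session that has not stopped counts; an address reused later by
    # another client must not be logged under the earlier user's name.
    row = db.execute(
        "SELECT username FROM radacct WHERE framedipaddress = ? "
        "AND acctstoptime IS NULL ORDER BY acctstarttime DESC LIMIT 1",
        (src,)).fetchone()
    # Percent-encode so a name with spaces cannot add extra keys to the reply.
    return "OK user=" + quote(row[0], safe="") if row else "ERR"

def serve(db, stream_in=sys.stdin, stream_out=sys.stdout):
    for line in stream_in:
        stream_out.write(lookup(db, line) + "\n")
        stream_out.flush()  # Squid waits for each reply line

if __name__ == "__main__":
    serve(open_sample_db())
```

The ttl on the external_acl_type line bounds how long Squid keeps answering from its cache after a session ends, so it should stay short on a hotspot where addresses are reassigned.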
