[squid-users] Alternative ways of tracking users on unauthenticated proxy

Amos Jeffries squid3 at treenet.co.nz
Mon May 25 11:07:44 UTC 2015


On 25/05/2015 8:38 p.m., Mr J Potter wrote:
> Hi all,
> 
> I'm setting up a system for using iPads in our school, and I'm stuck a bit
> on tracking what the students are doing on them.
> 
> First up, I really don't want a pop-up login box from a 407 response from a
> proxy server, so I'm looking for some other way to track who is doing what.
> 
> What I have set up so far is PacketFence with an SSL-bump transparent proxy
> (I've put the CAs on all the iPads) which works well in that users have to
> log in before they get internet access. This works (they get a web page,
> login and get 50 minutes of internet before it disconnects them), but the
> only way I have of tracking users is by working out who was on each iPad
> (from PacketFence) then matching it against squid logs, which is messy.

Squid comes bundled with an ext_sql_session_acl helper that looks up a
database and produces OK/ERR (and username for logging) depending on
whether the key given to it exists in the DB already.
<http://www.squid-cache.org/Versions/v4/manuals/ext_sql_session_acl.html>

You just need to get a UID metric. IP address, MAC address, and/or
EUI-64 (IPv6 link-local) are suitable there. It sounds like your
PacketFence would be a good way to populate that DB too.

> 
> One plan I had would be to add/remove entries in DNS or hosts for users,
> eg  IP address 10.2.3.4   -> hostname  fbloggs  (the user's login code) so
> usernames would show up in the client hostname field, but squid caches
> these I think.

Yes. Don't do that with DNS.

Amos
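
The lookup described in the reply above, modelled as an added example (not part of the original message and not Squid's bundled helper): a session table keyed by device address, filled at portal login and answered with OK plus the user name, or ERR. The SQLite store, the `sessions` schema and the function names are assumptions made for illustration.

```python
import re
import sqlite3

SESSION_SECONDS = 50 * 60  # the 50-minute session window from the thread

def open_db():
    # Constructed schema: one row per device key (IP, MAC or EUI-64).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (uid TEXT PRIMARY KEY,"
               " username TEXT NOT NULL, login_at INTEGER NOT NULL)")
    return db

def record_login(db, uid, username, now):
    """What the captive portal would do on a successful login."""
    # Helper replies are whitespace-delimited, so refuse names that could
    # inject extra key=value pairs into the reply line.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", username):
        raise ValueError("unsafe username: %r" % username)
    # A new login on the same device replaces the previous owner.
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)",
               (uid, username, now))

def lookup(db, uid, now):
    """Return the reply line for one key: OK with the user name, or ERR."""
    row = db.execute(
        "SELECT username FROM sessions WHERE uid = ? AND login_at > ?",
        (uid, now - SESSION_SECONDS)).fetchone()
    return "ERR" if row is None else "OK user=" + row[0]

if __name__ == "__main__":
    import sys, time
    db = open_db()
    record_login(db, "10.2.3.4", "fbloggs", int(time.time()))  # constructed
    for line in sys.stdin:          # one lookup key per line, e.g. %SRC
        print(lookup(db, line.strip(), int(time.time())), flush=True)
```

Because expired rows answer ERR, a device handed to another student after the session window is never logged under the previous user's name.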


