[squid-users] Alternative ways of tracking users on unauthenticated proxy

Mr J Potter jpotter833 at because.org.uk
Tue May 26 10:39:56 UTC 2015


Hi Amos,

OK this looks promising (if not actually working...)

So I have a config line:
external_acl_type userlookup ttl=60 %SRC
/opt/squid354/libexec/ext_sql_session_acl -dsn DBI:mysql:database=pf --user
root --password xxxx --table currentUsers --uidcol ip  --usercol uid
--tagcol ip --persist --debug

Where currentUsers looks like:
mysql> select * from currentUsers;
+------+--------------+---------+
| uid  | ip           | enabled |
+------+--------------+---------+
| 0003 | 10.15.228.12 | 1       |
+------+--------------+---------+

so running this externally I use:

/opt/squid354/libexec/ext_sql_session_acl -dsn DBI:mysql:database=pf --user
root --password fv89j8j6eg2 --table currentUsers --uidcol ip --usercol uid
--tagcol ip --debug

this replies with a username if I put in:
<anything> 10.15.228.12

So what is the <anything> about? And I'm still not getting any username in
my logfiles. Do I need to use the acl name somewhere else in the config
file too?

thanks,

Jim Potter
Network Manager
Oasis Brislington (formerly Brislington Enterprise College)

On 25 May 2015 at 12:07, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 25/05/2015 8:38 p.m., Mr J Potter wrote:
> > Hi all,
> >
> > I'm setting up a system for using iPads in our school, and I'm stuck a bit
> > on tracking what the students are doing on them.
> >
> > First up, I really don't want a pop-up login box from a 407 response from a
> > proxy server, so I'm looking for some other way to track who is doing what.
> >
> > What I have set up so far is PacketFence with an SSL-bump transparent proxy
> > (I've put the CAs on all the iPads) which works well in that users have to
> > log in before they get internet access. This works (they get a web page,
> > login and get 50 minutes of internet before it disconnects them), but the
> > only way I have of tracking users is by working out who was on each iPad
> > (from PacketFence) then matching it against squid logs, which is messy.
>
> Squid comes bundled with a ext_sql_session_acl helper that looks up a
> database and produces OK/ERR (and username for logging) depending on
> whether the key given to it exists in the DB already.
> <http://www.squid-cache.org/Versions/v4/manuals/ext_sql_session_acl.html>
>
> You just need to get an UID metric. IP address, MAC address, and/or
> EUI-64 (IPv6 link-local) are suitable there. It sounds like your
> packetfence would be a good way to populate that DB too.
>
> >
> > One plan I had would be to add/remove entries in dns or hosts for users,
> > eg  IP address 10.2.3.4   -> hostname  fbloggs  (the user's login code) so
> > usernames would show up in the client hostname field, but squid caches
> > these I think.
>
> Yes. Don't do that with DNS.
>
> Amos
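Added example (not part of the original thread and not Squid's bundled helper): a small Python model of an external ACL helper answering %SRC lookups against a table shaped like currentUsers. It assumes Squid's concurrent helper line format, in which each request starts with a numeric channel ID that the helper echoes back, which would account for the leading token in the manual test; sqlite3 stands in for MySQL, and make_db, answer, serve and the second table row are constructed for illustration.

```python
import sqlite3
from urllib.parse import quote

def make_db():
    """Constructed stand-in for the currentUsers table (sqlite3 instead of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE currentUsers (uid TEXT, ip TEXT, enabled INTEGER)")
    db.execute("INSERT INTO currentUsers VALUES ('0003', '10.15.228.12', 1)")
    # Constructed second row: a session that has been disabled.
    db.execute("INSERT INTO currentUsers VALUES ('0004', '10.15.228.13', 0)")
    return db

def answer(db, line):
    """Answer one request line of the assumed form '<channel-id> <client-ip>'."""
    parts = line.split()
    if len(parts) != 2 or not parts[0].isdigit():
        # No usable channel ID: fail closed rather than guess at the key.
        return "ERR"
    cid, key = parts
    # Bound parameter: the key comes from the proxy, never spliced into SQL.
    # Checking enabled = 1 is a choice made by this example.
    row = db.execute(
        "SELECT uid, ip FROM currentUsers WHERE ip = ? AND enabled = 1", (key,)
    ).fetchone()
    if row is None:
        return f"{cid} ERR"
    # Percent-encode stored values so a uid containing spaces or newlines
    # cannot add extra tokens to the reply line.
    user, tag = (quote(str(v), safe="") for v in row)
    return f"{cid} OK user={user} tag={tag}"

def serve(db, stream_in, stream_out):
    """Helper main loop: one reply line per request line, flushed immediately."""
    for line in stream_in:
        stream_out.write(answer(db, line) + "\n")
        stream_out.flush()

if __name__ == "__main__":
    db = make_db()
    for request in ("0 10.15.228.12", "1 10.15.228.13", "2 10.9.9.9", "10.15.228.12"):
        print(f"{request!r:18} -> {answer(db, request)}")
```

A username returned this way reaches Squid only when the helper is actually consulted, that is, when an acl of type external naming userlookup is evaluated in an access rule such as http_access.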