[squid-users] Setting header with external auth helper error message

Alex Rousskov rousskov at measurement-factory.com
Tue Dec 6 14:33:44 UTC 2022


On 12/6/22 08:54, Irem Kuyucu wrote:

> I'm trying to get Squid (4.9) to reply to the client with a custom
> header which contains the error message returned from the external
> auth helper binary.
> 
> For example, I'd like Squid to reply with a header like this:
> X-Custom-Err: ERR NO_BACKEND
> or
> X-Custom-Err: NO_BACKEND
> Where "ERR NO_BACKEND" is a response gathered from the auth helper.
> 
> I've tried setting this in squid.conf, this way I can see the header
> however its value is always '-':
> 
> reply_header_add X-Custom-Err "%err_detail"
> 
> I also tried to define a custom error by modifying squid.conf and
> error-details.txt. That also didn't work, the value is always set to
> '-'.
> /etc/squid.conf:
> 
> error_directory /etc/squid/error_directory/
> deny_info CUSTOM_ERR_ACCESS_DENIED custom-auth
> reply_header_add X-Custom-Err "%err_detail"
> 
> /etc/squid/error_directory/error-details.txt:
> 
> name: CUSTOM_ERR_ACCESS_DENIED
> detail: "%m"
> descr: "Access denied"
> 
> "%m" is the error message returned by external auth helper according
> to https://wiki.squid-cache.org/Features/CustomErrors#ERR_.2A_template_codes_for_embedding
> I also tried to log "%err_code %err_detail %et %ea" but all of these
> values except err_code are logged as '-'.

> Does anyone know how to do this or if this is possible to do in the first place?


1. Upgrade to the latest Squid v4 (at least). There are Squid v4.9 bugs 
that may prevent the advice below from working correctly. One of them 
was fixed in v4.11, but there may be others. Consider upgrading to Squid 
v5.7 or later. I hope my response covers the latest Squid v4, but I do 
not remember any v4-specific caveats.


2. Make sure your helper is sending the right annotation to Squid as a 
custom name=value pair in each helper response. Always end your custom 
helper annotation names with an underscore to avoid conflicts with Squid 
internal annotations, current and future. See [1] for format details. 
[1] https://wiki.squid-cache.org/Features/AddonHelpers#Authenticator


3. Use reply_header_add with the corresponding %note logformat code
(let's assume that you called your custom annotation "myerror_"):

     reply_header_add X-Custom-Err "%note{myerror_}"


4. Please note that helper results may be cached. If your helper is not 
contacted for a given transaction (due to a helper cache hit or some 
other reason), then you may get no annotation or a stale annotation. If 
your annotation is not specific to authentication, you may want to use 
an external ACL helper to set it (and disable caching of that helper's 
results with "external_acl_type ... cache=0" or similar, as needed).

N.B. %err_code and %err_detail logformat codes are for reporting 
Squid-discovered errors, not custom annotations.


HTH,

Alex.
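
An added example, not part of the original message and not Squid's own code: a minimal Basic authentication helper in Python that returns the step 2 annotation consumed by `%note{myerror_}` in step 3. It assumes the helper runs without concurrency (no channel-ID prefix) and receives URL-encoded "username password" lines; the user table, `verify()`, `respond()` and every token except NO_BACKEND are hypothetical.

```python
#!/usr/bin/env python3
import hmac
import sys
from urllib.parse import unquote

NOTE = "myerror_"            # annotation name assumed in step 3; trailing underscore per step 2
USERS = {"alice": "s3cret"}  # constructed sample credentials, stand-in for a real backend


def verify(user, password, backend_up):
    """Hypothetical backend check: None on success, otherwise a fixed error token.

    Only fixed tokens are returned, so no backend message or client-supplied
    text is ever copied into the X-Custom-Err reply header.
    """
    if not backend_up:
        return "NO_BACKEND"
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return "BAD_CREDENTIALS"
    return None


def respond(line, backend_up=True):
    """Turn one request line into one helper response line."""
    parts = line.strip().split(" ")
    if len(parts) != 2:
        code = "BAD_INPUT"
    else:
        # Squid URL-encodes both fields before handing them to the helper.
        code = verify(unquote(parts[0]), unquote(parts[1]), backend_up)
    if code is None:
        return "OK"
    # The custom name=value pair becomes a transaction annotation.
    return f"ERR {NOTE}={code}"


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(respond(request) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never leave it buffered
```
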


