[squid-users] Squid V 3.5.23 authenticating in AD: User names not showing in log

Rafael Silva Daniel rafaelsilvadaniel at gmail.com
Wed May 15 17:45:22 UTC 2019


Hello! I'm in need of serious help. In my company we need the access logs by
user name; that is the only reason the proxy is set to authenticate. But it
just doesn't show it. The relevant parts of the .conf look like this:

(...)
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=XXXXX(domain name)
auth_param ntlm children 100
auth_param ntlm keep_alive off

external_acl_type NT_global_group %LOGIN /usr/lib/squid/ext_wbinfo_group_acl
acl users external NT_global_group "/etc/squid/fapgrp"
(...)

(...)
http_access deny !users
http_access allow users
http_access deny !auth
(...)

***("/etc/squid/fapgrp" is a text file containing the text "Usuários do dóminio",
which is "Domain Users" in Portuguese)

When I test the helper:

/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=XXXXX
user password
BH SPNEGO request invalid prefix

I read somewhere that ntlmssp can be tested like this, because we are
sending the credentials as plain text, so I tested with basic and the result
is this:

/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-basic --domain=XXXXX
user password
OK
user password
ERR

So I'm assuming that the way Squid is processing the challenges is fine. Is
that right?

But the part that is making me furious is that the access.log looks like this:

1557939698.081    218 10.85.xx.xx TCP_MISS/200 1962 GET http://squid-web-proxy-cache.1019090.n4.nabble.com/util/minmax.js *USERNAME* HIER_DIRECT/199.38.86.66 application/x-javascript
1557939698.313    231 10.85.xx.xx TCP_MISS/200 1073 GET http://squid-web-proxy-cache.1019090.n4.nabble.com/images/image.png *USERNAME* HIER_DIRECT/199.38.86.66 image/png
1557939698.360    263 10.85.xx.xx TCP_MISS/200 738 GET http://squid-web-proxy-cache.1019090.n4.nabble.com/images/bold.png *USERNAME* HIER_DIRECT/199.38.86.66 image/png

When the code is TCP_MISS the user name always shows correctly, but when the
code is:

1557941156.213 240238 10.85.XX.XX TCP_TUNNEL/200 1788 CONNECT www.google.com:443 - HIER_DIRECT/172.217.29.228 -
1557941156.670 240355 10.85.XX.XX TCP_TUNNEL/200 2892 CONNECT s2.googleusercontent.com:443 - HIER_DIRECT/172.217.172.129 -
1557941159.712 243740 10.85.XX.XX TCP_TUNNEL/200 132341 CONNECT www.google.com:443 - HIER_DIRECT/172.217.29.228 -

TCP_TUNNEL, the user name is never shown, and the majority of the access log
consists of these TCP_TUNNEL entries.


Is there a way for all the pages that are accessed to show the username? It's
our only need: to see the user names in all the logs.

Thanks in advance!



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
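An added example, not part of the original post and not code from the Squid project: a small Python parser for Squid's default native access.log format (the layout of the lines quoted above) that counts, per result code and request method, how many entries carry no username (Squid logs "-" when no authenticated user is attached to the request). Running it over a whole access.log turns the "TCP_TUNNEL never has a username" observation into a number per request type, and lists the CONNECT requests that went through unauthenticated so they can be reviewed. The SAMPLE_LOG lines are constructed to mirror the post's entries; the user name, hosts and IP addresses in them are placeholders.

```python
"""Count Squid native access.log entries that lack an authenticated user.

Default native format (squid.conf "squid" logformat):
  %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
Ten whitespace-separated fields; the elapsed-time field is space-padded.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Constructed sample lines mirroring the post: placeholder user "jdoe",
# RFC 5737 documentation addresses, no real hosts or people.
SAMPLE_LOG = [
    "1557939698.081    218 10.85.0.1 TCP_MISS/200 1962 GET http://example.org/util/minmax.js jdoe HIER_DIRECT/192.0.2.10 application/x-javascript",
    "1557939698.313    231 10.85.0.1 TCP_MISS/200 1073 GET http://example.org/images/image.png jdoe HIER_DIRECT/192.0.2.10 image/png",
    "1557941156.213 240238 10.85.0.1 TCP_TUNNEL/200 1788 CONNECT www.example.com:443 - HIER_DIRECT/198.51.100.5 -",
    "1557941156.670 240355 10.85.0.1 TCP_TUNNEL/200 2892 CONNECT static.example.com:443 - HIER_DIRECT/198.51.100.6 -",
]


class AccessLogEntry(NamedTuple):
    timestamp: float
    elapsed_ms: int
    client: str
    result_code: str        # e.g. TCP_MISS, TCP_TUNNEL
    status: int             # HTTP status sent to the client
    size: int               # bytes sent to the client
    method: str
    url: str
    user: Optional[str]     # None when Squid logged "-" (no authenticated user)
    hier_code: str          # e.g. HIER_DIRECT
    peer: str               # upstream address Squid connected to
    content_type: str       # "-" for CONNECT tunnels


def parse_native_line(line: str) -> AccessLogEntry:
    """Parse one line of Squid's default native log format."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    ts, elapsed, client, code_status, size, method, url, user, hier, ctype = fields
    result_code, _, status = code_status.partition("/")
    hier_code, _, peer = hier.partition("/")
    return AccessLogEntry(
        timestamp=float(ts),
        elapsed_ms=int(elapsed),
        client=client,
        result_code=result_code,
        status=int(status),
        size=int(size),
        method=method,
        url=url,
        user=None if user == "-" else user,
        hier_code=hier_code,
        peer=peer,
        content_type=ctype,
    )


def missing_user_report(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Return {"<result_code> <method>": {"total": n, "no_user": m}}.

    A request type whose no_user count equals its total is one the proxy
    is serving without ever attaching a username, which is exactly the
    TCP_TUNNEL/CONNECT pattern the post describes.
    """
    report: Dict[str, Dict[str, int]] = defaultdict(lambda: {"total": 0, "no_user": 0})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = parse_native_line(raw)
        key = f"{entry.result_code} {entry.method}"
        report[key]["total"] += 1
        if entry.user is None:
            report[key]["no_user"] += 1
    return dict(report)


def unauthenticated_tunnels(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(client, destination) pairs for CONNECT requests logged with no user."""
    hits = []
    for raw in lines:
        if not raw.strip():
            continue
        entry = parse_native_line(raw)
        if entry.method == "CONNECT" and entry.user is None:
            hits.append((entry.client, entry.url))
    return hits


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/squid/access.log") to run on a real log.
    for key, counts in sorted(missing_user_report(SAMPLE_LOG).items()):
        print(f"{key:<22} total={counts['total']:>6} no_user={counts['no_user']:>6}")
    for client, dest in unauthenticated_tunnels(SAMPLE_LOG):
        print(f"unauthenticated CONNECT from {client} to {dest}")
```

Because the parser relies on the default native layout, a custom logformat in squid.conf would need the field order adjusted; the point of keeping the username as a parsed field is that "-" versus a name is what distinguishes a request Squid authenticated from one it let through without a user.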