[squid-users] Setting header with external auth helper error message
Alex Rousskov
rousskov at measurement-factory.com
Tue Dec 6 14:33:44 UTC 2022
On 12/6/22 08:54, Irem Kuyucu wrote:
> I'm trying to get Squid (4.9) to reply to the client with a custom
> header which contains the error message returned from the external
> auth helper binary.
>
> For example, I'd like Squid to reply with a header like this:
> X-Custom-Err: ERR NO_BACKEND
> or
> X-Custom-Err: NO_BACKEND
> Where "ERR NO_BACKEND" is a response gathered from the auth helper.
>
> I've tried setting this in squid.conf, this way I can see the header
> however its value is always '-':
>
> reply_header_add X-Custom-Err "%err_detail"
>
> I also tried to define a custom error by modifying squid.conf and
> error-details.txt. That also didn't work, the value is always set to
> '-'.
> /etc/squid.conf:
>
> error_directory /etc/squid/error_directory/
> deny_info CUSTOM_ERR_ACCESS_DENIED custom-auth
> reply_header_add X-Custom-Err "%err_detail"
>
> /etc/squid/error_directory/error-details.txt:
>
> name: CUSTOM_ERR_ACCESS_DENIED
> detail: "%m"
> descr: "Access denied"
>
> "%m" is the error message returned by external auth helper according
> to https://wiki.squid-cache.org/Features/CustomErrors#ERR_.2A_template_codes_for_embedding
> I also tried to log "%err_code %err_detail %et %ea" but all of these
> values except err_code are logged as '-'.
> Does anyone know how to do this or if this is possible to do in the first place?

1. Upgrade to the latest Squid v4 (at least). There are Squid v4.9 bugs
that may prevent the advice below from working correctly. One of them
was fixed in v4.11, but there may be others. Consider upgrading to Squid
v5.7 or later. I hope my response covers the latest Squid v4, but I do
not remember any v4-specific caveats.

2. Make sure your helper is sending the right annotation to Squid as a
custom name=value pair in each helper response. Always end your custom
helper annotation names with an underscore to avoid conflicts with Squid
internal annotations, current and future. See [1] for format details.

[1] https://wiki.squid-cache.org/Features/AddonHelpers#Authenticator

3. Use reply_header_add with the corresponding %note logformat code
(let's assume that you called your custom annotation "myerror_"):

    reply_header_add X-Custom-Err "%note{myerror_}"

4. Please note that helper results may be cached. If your helper is not
contacted for a given transaction (due to a helper cache hit or some
other reason), then you may get no annotation or a stale annotation. If
your annotation is not specific to authentication, you may want to use
an external ACL helper to set it (and disable caching of that helper's
results with "external_acl_type ... cache=0" or similar, as needed).

N.B. %err_code and %err_detail logformat codes are for reporting
Squid-discovered errors, not custom annotations.

HTH,
Alex.
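
An added example, not part of the message above and not Squid project code: a minimal Basic authentication helper in Python that returns the `myerror_` annotation from step 2 with each failure. It assumes helper concurrency is disabled (no channel-ID prefix on request lines); `check_credentials` and its credentials are hypothetical, constructed stand-ins for a real backend.

```python
#!/usr/bin/env python3
"""Basic-auth helper sketch: report failure reasons as a custom annotation."""
import sys
from urllib.parse import quote, unquote

# Annotation name from the thread; the trailing underscore keeps it clear
# of Squid's own current and future annotation names.
NOTE_KEY = "myerror_"


def check_credentials(user, password):
    """Hypothetical backend lookup returning (ok, reason). Constructed demo data."""
    if user == "backend-down":        # stands in for an unreachable backend
        return False, "NO_BACKEND"
    if password == "correct-horse":   # constructed demo credential
        return True, ""
    return False, "BAD_CREDENTIALS"


def handle_line(line):
    """Map one 'user password' request line to one helper response line."""
    fields = line.split()
    if len(fields) != 2:
        # BH tells Squid the helper could not process the request at all.
        return f"BH {NOTE_KEY}=MALFORMED_REQUEST"
    # Squid sends both fields URL-encoded.
    user, password = (unquote(f) for f in fields)
    ok, reason = check_credentials(user, password)
    if ok:
        return "OK"
    # URL-encode the value so whitespace or quotes in a reason string
    # cannot split the kv-pair or smuggle in extra name=value pairs.
    return f"ERR {NOTE_KEY}={quote(reason, safe='')}"


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line.rstrip("\n")) + "\n")
        sys.stdout.flush()  # Squid waits on every reply, so never buffer


if __name__ == "__main__":
    main()
```

The `reply_header_add X-Custom-Err "%note{myerror_}"` line from step 3 reads the value this helper sets, subject to the caching caveat in step 4.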