[squid-users] Looking for a solution to identify "unauthenticated" squid proxy users.
Alex Rousskov
rousskov at measurement-factory.com
Tue Sep 17 13:14:02 UTC 2024
On 2024-09-17 08:07, Xavier Lecluse wrote:
> Hello, with the advice from Alex, we managed to add a custom field to the access.log, using an always matching "annotate_transaction" ACL.
>
> We had to add the ACL on each line of our rulesets and the value inserted was the rule_name.
> Then, by adding %{name}note in a custom logformat, we were able to display the rule matching each line in the access.log.
Glad you made it work! Someday, Squid will optionally add an
"http_access(*) rule matched" annotation to all transactions, so that
admins do not have to manually annotate all their rules.
(*) Similar breadcrumbs will be collected for other directives as well.
Alex.
> ----- Original message -----
> From: "Alex Rousskov" <rousskov at measurement-factory.com>
> To: squid-users at lists.squid-cache.org
> Sent: Monday 2 September 2024 22:38:44
> Subject: Re: [squid-users] Looking for a solution to identify "unauthenticated" squid proxy users.
>
> On 2024-09-02 15:00, Xavier Lecluse wrote:
>
>> I am facing a problem with my actual access.log configuration.
>> I use this logformat for the access.log :
>> "logformat timereadable %tl %un %Ss %>Hs %>a:%>p %st %rm %ru %mt %<st %Sh %<A %la %lp %2tr"
>>
>> It's all good to trace requests when users are authenticated, the login is present in <%un>.
>> But I have some users which are not authenticated (because of incompatibility with their software) and then I don't have any information to differentiate which requests are made by each "user".
>>
>> I tried to add <%et> <%ea> <%ul> <%ue>, without any success (the <%ul> just displays the same as <%un> in my case).
>>
>> I am searching for a way to display a field which would help me to identify the requester.
>> For example, I use an ACL a rule file for each "user" in which several ACLs are defined. (squid/current/etc/current/rule/PXI_TESTPXI_P.conf)
>>
>> Is there a way to use the "matching rule" file in the access log ?
>
> Since many squid.conf directives are driven by ACLs, a typical
> transaction often matches dozens of rules, explicit and implicit ones.
> There is no %code that correctly guesses which matching rule should be
> logged.
>
> However, you can define an always-matching annotate_transaction ACL and
> add it to any rule (or multiple rules). Specific or all transaction
> annotations can then be logged (or sent to helpers, etc.) using %note
> logformat code.
>
> Untested example:
>
> acl markAsSpecial annotate_transaction category=special
> acl markAsBad annotate_transaction category=bad
> ...
> http_access allow goodClients
> http_access allow specialClients markAsSpecial
> http_access deny to_localhost markAsBad
> ...
> logformat timereadable %tl %note{category} %un %Ss ...
>
>
> * annotate_transaction ACL type is documented at
> http://www.squid-cache.org/Doc/config/acl/
>
> * %note logformat code is documented at
> http://www.squid-cache.org/Doc/config/logformat/
>
>
>
> HTH,
>
> Alex.
>
>
>> Actually, this is the log from an authenticated user :
>> Sep 2 17:08:32 FPVPXI2 squid[312387]: 02/Sep/2024:17:08:32 +0200 test TCP_TUNNEL 200 10.x.x.250:51994 6765 CONNECT www.google.com:443 - 5716 FIRSTUP_PARENT 10.x.x.241 10.x.x.240 3128 326
>>
>> And one from an unauthenticated user :
>> Sep 2 16:38:47 QFPVPXI2 squid[311234]: 02/Sep/2024:16:38:47 +0200 - TCP_TUNNEL 200 10.x.x.242:22426 6726 CONNECT www.google.com:443 - 5718 FIRSTUP_PARENT 10.x.x.241 10.x.x.240 3128 249
>>
>>
>>
>> Regards,
>>
>> Xavier
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> https://lists.squid-cache.org/listinfo/squid-users
>
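Added example (not part of the thread and not Squid project code): a small Python parser for an access.log written with the poster's logformat plus Alex's %note{category} field placed right after %tl, attributing each request to the login, else the rule annotation, else the client IP. It assumes %note{category} logs the bare annotation value or "-" and that the value is the rule name; the sample lines, addresses and syslog host are constructed.

```python
import re
from collections import Counter

# Assumed logformat: %tl %note{category} %un %Ss %>Hs %>a:%>p %st %rm %ru ...
LINE = re.compile(
    r"(?P<time>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<note>\S+) (?P<user>\S+) (?P<status>\S+) (?P<code>\d{3}) "
    r"(?P<client>\S+):(?P<port>\d+) \S+ (?P<method>\S+) (?P<url>\S+)"
)

def parse(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE.search(line)  # search() tolerates a leading syslog prefix
    return m.groupdict() if m else None

def requester(rec):
    """Best available identity: login, else rule annotation, else client IP."""
    if rec["user"] != "-":
        return ("user", rec["user"])
    if rec["note"] != "-":
        return ("rule", rec["note"])
    return ("unattributed", rec["client"])  # matched a rule with no annotation

def summarize(lines):
    """Count requests per identity; also return the lines that did not parse."""
    counts, rejected = Counter(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            rejected.append(line)
        else:
            counts[requester(rec)] += 1
    return counts, rejected

# Constructed sample lines, cut after the URL field for brevity.
SAMPLE = [
    "Sep  2 17:08:32 proxy1 squid[100]: 02/Sep/2024:17:08:32 +0200 - test "
    "TCP_TUNNEL 200 10.0.0.250:51994 6765 CONNECT www.google.com:443 - 5716",
    "02/Sep/2024:16:38:47 +0200 PXI_TESTPXI_P - TCP_TUNNEL 200 10.0.0.242:22426 6726 CONNECT www.google.com:443",
    "02/Sep/2024:16:39:10 +0200 PXI_TESTPXI_P - TCP_TUNNEL 200 10.0.0.242:22431 512 CONNECT example.org:443",
    "02/Sep/2024:16:40:01 +0200 - - TCP_DENIED 403 10.0.0.77:40312 3921 GET http://example.com/",
    "truncated line 02/Sep/2024:16:41",
]

if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE)
    for (kind, name), n in counts.most_common():
        print(f"{kind:13} {name:15} {n}")
    print("unparsed lines:", len(rejected))
```

Entries reported as "unattributed" are requests that matched a rule line still missing its annotate_transaction ACL, which is the gap to close in the ruleset.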