OK - got it working... added the lines:

external_acl_type userlookup ttl=60 concurrency=1 %SRC /opt/squid354/libexec/ext_sql_session_acl -dsn DBI:mysql:database=pf --user root --password xxx --table currentUsers --uidcol ip --usercol uid --tagcol ip --persist
acl userlookup external userlookup
http_access allow localnet userlookup
http_access allow localnet

Now I get this in my logfiles:

10.15.228.12 - 0001 [26/May/2015:12:56:23 +0100] "POST http://www.bing.com/fd/ls/lsp.aspx HTTP/1.1" 204 391 TCP_MISS:ORIGINAL_DST

I'll write all this up somewhere, as variations on what I have here are what people are always asking for:

- Users log in via a web page, not a 407 popup box
- Authenticates to AD
- Users are filtered depending on who they are (via squidGuard)
- Logs activity against users
- Logs them all off at a particular time
- No proxy settings (intercept HTTP+HTTPS)

thanks,

Jim Potter
Network Manager
Oasis Brislington (formerly Brislington Enterprise College)

On 26 May 2015 at 11:39, Mr J Potter <jpotter...@because.org.uk> wrote:

> Hi Amos,
>
> OK this looks promising (if not actually working...)
>
> So I have a config line:
> external_acl_type userlookup ttl=60 %SRC /opt/squid354/libexec/ext_sql_session_acl -dsn DBI:mysql:database=pf --user root --password xxxx --table currentUsers --uidcol ip --usercol uid --tagcol ip --persist --debug
>
> Where currentUsers looks like:
> mysql> select * from currentUsers;
> +------+--------------+---------+
> | uid  | ip           | enabled |
> +------+--------------+---------+
> | 0003 | 10.15.228.12 |       1 |
> +------+--------------+---------+
>
> so running this externally I use:
>
> /opt/squid354/libexec/ext_sql_session_acl -dsn DBI:mysql:database=pf --user root --password fv89j8j6eg2 --table currentUsers --uidcol ip --usercol uid --tagcol ip --debug
>
> this replies with a username if I put in:
> <anything> 10.15.228.12
>
> So what is the <anything> about? And I'm still not getting any username in my logfiles.
> Do I need to use the acl name somewhere else in the config file too?
>
> thanks,
>
> Jim Potter
> Network Manager
> Oasis Brislington (formerly Brislington Enterprise College)
>
> On 25 May 2015 at 12:07, Amos Jeffries <squ...@treenet.co.nz> wrote:
>
>> On 25/05/2015 8:38 p.m., Mr J Potter wrote:
>> > Hi all,
>> >
>> > I'm setting up a system for using iPads in our school, and I'm stuck a bit on tracking what the students are doing on them.
>> >
>> > First up, I really don't want a Pop-up login box from a 407 response from a proxy server, so I'm looking for some other way to track who is doing what.
>> >
>> > What I have set up so far is PacketFence with an SSL-bump transparent proxy (I've put the CAs on all the iPads) which works well in that users have to log in before they get internet access. This works (they get a web page, login and get 50 minutes of internet before it disconnects them), but the only way I have of tracking users is by working out who was on each iPad (from packetfence) then matching it against squid logs, which is messy.
>>
>> Squid comes bundled with a ext_sql_session_acl helper that looks up a database and produces OK/ERR (and username for logging) depending on whether the key given to it exists in the DB already.
>> <http://www.squid-cache.org/Versions/v4/manuals/ext_sql_session_acl.html>
>>
>> You just need to get an UID metric. IP address, MAC address, and/or EUI-64 (IPv6 link-local) are suitable there. It sounds like your packetfence would be a good way to populate that DB too.
>>
>> >
>> > One plan I had would be to add/remove entries in dns or hosts for users, eg IP address 10.2.3.4 -> hostname fbloggs (the user's login code) so usernames would show up in the client hostname field, but squid caches these I think.
>>
>> Yes. Don't do that with DNS.
>>
>> Amos
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
>
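
An added example, not code from the thread or from the Squid project: a minimal stand-in for an IP-to-user lookup helper, showing the line protocol Squid's external ACL interface uses when `concurrency` is enabled. Each request line is a channel ID followed by the `%SRC` value, and each reply echoes the channel ID with `OK user=... tag=...` or `ERR`. Assumptions: an in-memory SQLite table replaces the MySQL `currentUsers` table so it runs offline, the rows are constructed sample data, and filtering on `enabled = 1` is a choice made here.

```python
import ipaddress
import sqlite3
import sys

def open_db():
    # Constructed sample rows shaped like the currentUsers table in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE currentUsers (uid TEXT, ip TEXT PRIMARY KEY, enabled INTEGER)")
    db.executemany("INSERT INTO currentUsers VALUES (?, ?, ?)",
                   [("0003", "10.15.228.12", 1), ("0007", "10.15.228.40", 0)])
    return db

def handle_line(db, line):
    """Map '<channel-id> <src-ip>' to '<channel-id> OK user=<uid> tag=<ip>' or '<channel-id> ERR'."""
    parts = line.split()
    if not parts or not parts[0].isdigit():
        return None  # no channel ID to answer on; caller logs and skips the line
    cid = parts[0]
    if len(parts) != 2:
        return f"{cid} ERR"  # unexpected extra or missing tokens: fail closed
    try:
        src = str(ipaddress.ip_address(parts[1]))  # accept only a literal IP as the key
    except ValueError:
        return f"{cid} ERR"
    # Bound parameter: the lookup key never becomes part of the SQL text.
    row = db.execute("SELECT uid FROM currentUsers WHERE ip = ? AND enabled = 1",
                     (src,)).fetchone()
    if row is None:
        return f"{cid} ERR"  # unknown or disabled client: no username, no match
    return f"{cid} OK user={row[0]} tag={src}"

def main():
    db = open_db()
    for line in sys.stdin:
        reply = handle_line(db, line)
        if reply is None:
            print("malformed request line ignored", file=sys.stderr)
            continue
        print(reply, flush=True)  # Squid waits on each answer, so flush every reply

if __name__ == "__main__":
    main()
```

Feeding it `0 10.15.228.12` on stdin returns the uid for that address; the `user=` value is what the ACL lookup makes available as the username field in the access log.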