Squid 3.5.7
I'm using an external ACL to decide whether to bump traffic during SSL bump step 2. The external ACL needs to know the user's username for requests that have authenticated, but not all requests are authenticated so I can't use %LOGIN and I'm therefore using %un instead. However, %un is never being filled in with a user name.
The relevant parts of the config are:

http_access allow proxy_auth
http_access deny all
external_acl_type sslpeek children-max=10 concurrency=100 ttl=0 negative_ttl=0 %SRC %un %URI %ssl::>sni %>ha{User-Agent} /usr/sbin/check_bump.sh
acl sslpeek external sslpeek
acl ssl_bump_step_1 at_step SslBump1
acl ssl_bump_step_2 at_step SslBump2
acl ssl_bump_step_3 at_step SslBump3
ssl_bump peek ssl_bump_step_1 #icap_says_peek
ssl_bump bump ssl_bump_step_2 sslpeek
ssl_bump splice all
sslproxy_cert_error allow all

The debug log shows that the request is successfully authenticated:

Acl.cc(138) matches: checking proxy_auth
UserData.cc(22) match: user is steve, case_insensitive is 0
UserData.cc(28) match: aclMatchUser: user REQUIRED and auth-info present.
Acl.cc(340) cacheMatchAcl: ACL::cacheMatchAcl: miss for 'proxy_auth'. Adding result 1
Acl.cc(158) matches: checked: proxy_auth = 1

But then later in the log I see:

external_acl.cc(1416) Start: fg lookup in 'sslpeek' for '2a00:1940:1:8:468a:5bff:fe9a:cd7f - www.hsbc.co.uk:443 www.hsbc.co.uk Mozilla/5.0%20(X11;%20Fedora;%20Linux%20x86_64;%20rv:39.0)%20Gecko/20100101%20Firefox/39.0'
The user name given to the external ACL is "-" even though the request has been authenticated. Setting a->require_auth in parse_externalAclHelper() makes it work, but obviously just makes %un behave like %LOGIN, so isn't a solution.
--
 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:st...@opendium.com
   Email:            st...@opendium.com
   Phone:            sip:st...@opendium.com

Sales / enquiries contacts:
   Email:            sa...@opendium.com
   Phone:            +44-1792-824568 / sip:sa...@opendium.com

Support contacts:
   Email:            supp...@opendium.com
   Phone:            +44-1792-825748 / sip:supp...@opendium.com
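
An added example, not part of the original message and not the poster's check_bump.sh: a helper for the 'sslpeek' format line above that parses the concurrent request line (channel ID first, then the URL-escaped fields) and keeps the "-" placeholder Squid sends for a missing %un distinct from a real user name. The NO_BUMP_USERS set and the choice of when to answer OK or ERR are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Added example: hypothetical helper for the 'sslpeek' external_acl_type above.
import sys
from urllib.parse import unquote

# Order matches the format string: %SRC %un %URI %ssl::>sni %>ha{User-Agent}
FIELDS = ("src", "user", "uri", "sni", "user_agent")
# Constructed policy data (assumption): users whose traffic is never bumped.
NO_BUMP_USERS = {"steve"}


def parse_request(line):
    """Return (channel_id, fields) for one request; fields is None if malformed."""
    parts = line.rstrip("\r\n").split(" ")
    channel = parts[0]  # concurrency > 0: every request starts with a channel ID
    if len(parts) != len(FIELDS) + 1:
        return channel, None
    # Squid sends "-" for a value it does not have. Map it to None so it is
    # never compared against policy as if it were a user called "-".
    fields = {name: (None if raw == "-" else unquote(raw))
              for name, raw in zip(FIELDS, parts[1:])}
    return channel, fields


def handle_line(line):
    """Build the reply line; it must echo the request's channel ID."""
    channel, fields = parse_request(line)
    if fields is None:
        return f"{channel} BH message=malformed"  # BH: helper could not decide
    if fields["user"] is not None and fields["user"] in NO_BUMP_USERS:
        return f"{channel} ERR"  # no match, so 'ssl_bump splice all' applies
    return f"{channel} OK"       # match, so 'ssl_bump bump ... sslpeek' applies


def main():
    for line in sys.stdin:
        if line.strip():
            sys.stdout.write(handle_line(line) + "\n")
            sys.stdout.flush()  # Squid waits on each reply; do not buffer


if __name__ == "__main__":
    main()
```

With the behaviour described in the message, every request reaches this helper with user set to None, so the per-user branch is never taken even for authenticated clients.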