Squid and ident auth

  • I just want to start off saying to all who have contributed to pfsense it is a marvelous product!

    I have replaced my older OpenBSD firewall with pfsense and would like to get the ident auth working again (i.e. transparent authentication, no login prompts, as they are too lazy to log in).  I have a simple network setup and ident auth works transparently behind the scenes, secretly denying users who should not be on the Internet.  Each workstation runs the ident daemon.  This setup works great as we do not have advanced users who may figure out how to hack the ident auth etc., like some companies might have if they hire programmers or power users etc.

    I have put the ident auth option in the squid configuration.  I can see that it is now capturing ident usernames in the squid logs.  However, I need a firewall rule to redirect port 80 traffic to 3128.  I have seen several examples from many searches on the Internet, but none of them seem to be exactly what I need.  (I also found that I could not run squid in transparent mode with the ident auth option?)

    Here is the original redirection rule, which I am not sure how to translate into a rule on pfsense, if someone could be of assistance:

        $priv_if = LAN interface
        $priv_net = my RFC1918 nets
        rdr on $priv_if proto tcp from $priv_net to !$priv_if port 80 -> $priv_if port 3128

    The last thing would be reporting.  If someone knows how to edit or manipulate lightsquid so that I can see the identd username show up on my reports, that would be most helpful!

    Any help or suggestions for how I could improve or do the proxying a different way is welcomed!
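    As an added illustration (not part of the original post or of the pfSense squid package), here is the poster's macro-based rule expanded into a complete pf.conf fragment.  The interface name `em1`, the network `192.168.1.0/24` and the `squid_port` macro are assumed values for the example; substitute the real LAN interface and subnet.

    ```pf
    # Added example, not the original poster's configuration.
    # Assumptions: the LAN interface is em1, the internal network is
    # 192.168.1.0/24, and Squid listens on the firewall's LAN address, port 3128.
    priv_if = "em1"
    priv_net = "{ 192.168.1.0/24 }"
    squid_port = "3128"

    # Redirect outbound web traffic from the LAN to the local Squid port.
    # "to !$priv_if" excludes connections aimed at the firewall's own LAN
    # address (for example the web GUI), so those are not sent through the proxy.
    rdr on $priv_if proto tcp from $priv_net to !$priv_if port 80 -> $priv_if port $squid_port

    # A translated connection is still subject to filtering, so pass it to Squid.
    pass in quick on $priv_if proto tcp from $priv_net to $priv_if port $squid_port keep state
    ```

    On pfSense the rule set in /tmp/rules.debug is regenerated from the GUI, so a hand edit of pf.conf does not persist; the same translation is entered under Firewall > NAT > Port Forward on the LAN interface, with the destination negated (not the LAN address), destination port 80, and the LAN address port 3128 as the redirect target, and the matching pass rule is created with it.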


  • To find the code you need for the redirect, I would just enable transparent proxy, take a look at /usr/local/pkg/squid.inc, then disable the transparent proxy and compare that version of /usr/local/pkg/squid.inc.  At least I believe this is where the redirect rule gets written.

    Is there any reason you don't just prefer to set up access by IP?  That's how we do it - same thing, not many power users - and it seems to work well.

  • Thanks for the tip on the rule!

    Good point on the IP suggestion; however, I prefer to leave Internet access open by default and then deny particular users.  We use DHCP and I don't know which IP the user will have.  (I really like DHCP... it makes things easy.)
