LightSquid not showing users
-
Evening all,
I've got an issue with LightSquid not parsing correctly. A little history first though:
I have Squid 2.7.9 pkg v.4.3.6, DansGuardian 2.12.0.3_2 pkg v.0.1.12 (still waiting for an E2Guardian package), LightSquid 2.4.1, and SARG 0.6.4 installed. pfSense version 2.2.2-Release (amd64). I'm using a transparent proxy so that end users cannot bypass the proxy. Everything works just fine, only one problem... The issue I'm having is that the LightSquid reporting system is showing only one user (with all traffic for the organization listed under it) with the IP address of the pfSense server (10.102.1.1) instead of the individual IP addresses (.2, .3, etc...) of the end workstations. SARG works as expected, showing the IP addresses of the clients, so I know the access.log file is storing the appropriate information. How do I configure LightSquid to show the IP addresses of the clients rather than the IP of the pfSense server?
LightSquid is configured as follows:
* Language: English
* Bar Color: Orange
* Report Scheme: Base
* IP Resolve Method (future): IP
* Refresh Scheduler: 60min
* Skip URL: [blank]
I've also tried changing the IP Resolve Method to DNS and SMB, but have gotten no change.
I hope I explained everything in an understandable way.
-
No one has an answer on what might be going on?
-
I use IP Resolve Method: DNS. In my reports, the User field is filled with the FQDN of the client (hostname.domain.local)
-
I'll give that another try and post back.
-
After a day of running under DNS as the reporting method, it's confirmed that the "user" being reported back is the pfSense box itself. Is this a bug when using a transparent filter?
-
Sounds like it. I don't run transparent as it causes me too many problems due to HTTPS MitM warnings etc.
-
OK. I finally got it working. Here's what I had to do:
DansGuardian:
General -> Highlight (turn on) both forwardedfor & usexforwardedfor
Squid (Proxy):
Custom Options
acl other_proxy srcdomain My.Proxy; log_uses_indirect_client on; follow_x_forwarded_for allow localhost; follow_x_forwarded_for allow other_proxy; acl_uses_indirect_client on; delay_pool_uses_indirect_client on
Use the name of your pfSense box in place of My.Proxy.
I also used "tail /var/squid/logs/access.log" & "tail /var/log/dansguardian/access.log" throughout troubleshooting this to find out what exactly was being captured in the logs.
Sources for this:
http://www.linuxquestions.org/questions/linux-security-4/dansguardian-and-squid-480571/
http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/ (to understand follow_x_forwarded_for)
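The effect of the follow_x_forwarded_for lines in the post above, as an added example that is not part of the original thread and is not Squid's own code: a Python sketch of the right-to-left backtracking described in the linked Squid documentation. The function name, the trusted list (which assumes My.Proxy resolves to 10.102.1.1) and the sample header values are constructed for illustration.

```python
import ipaddress

# Assumption: My.Proxy resolves to 10.102.1.1, the pfSense address in the post.
TRUSTED = ["127.0.0.1/32", "10.102.1.1/32"]

def indirect_client(direct_peer, xff_header, trusted=TRUSTED):
    """Address that ends up in the log after X-Forwarded-For backtracking.

    direct_peer: address of the TCP peer connected to Squid
    xff_header:  raw X-Forwarded-For value ("" when the header is absent)
    trusted:     networks allowed to vouch for the hop before them
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    current = ipaddress.ip_address(direct_peer)
    # Walk the header right to left; take a step only while the address
    # being tested is on the trusted list.
    while hops and any(current in net for net in nets):
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # value cannot be tested: keep the last verified address
    return str(current)

def demo():
    """Constructed cases; 192.0.2.99 stands for a client-supplied value."""
    chained = "192.0.2.99, 10.102.1.3"
    return {
        "no_header": indirect_client("10.102.1.1", ""),
        "filter_adds_header": indirect_client("10.102.1.1", "10.102.1.2"),
        "client_value_ignored": indirect_client("10.102.1.1", chained),
        "untrusted_peer": indirect_client("10.102.1.50", "10.102.1.2"),
        "trust_everyone": indirect_client("10.102.1.1", chained, ["0.0.0.0/0"]),
    }

if __name__ == "__main__":
    for case, address in demo().items():
        print(f"{case:22} -> {address}")
```

The no_header case reproduces the symptom from the thread (every request logged under the proxy's own address); the trust_everyone case shows why the allow rules name only the filtering proxy rather than all sources.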