[squid-users] Server FQDN for each request
Amos Jeffries
squid3 at treenet.co.nz
Mon Apr 13 13:00:28 UTC 2015
On 13/04/2015 9:58 p.m., Roman Suvorov wrote:
> Dear colleagues,
>
> Is the setup as following possible?
>
> A server 99.99.99.99 hosts a single Squid with ICAP plugged in. There
> two DNS records point to this server:
> first.example.com -> 99.99.99.99
> second.example.com -> 99.99.99.99
>
> If I put first.example.com in browser proxy settings for the first
> group of users and second.example.com for the second group, can I
> somehow distinguish requests from these two groups of users without
> using explicit login-password authentication?
No you can't. The proxy FQDN is entirely internal to the browser.
> Browsers are configured
> explicitly (the proxy is not transparent). There are supposed to be
> many such groups of users, thus setting up many Squid instances or
> using different TCP ports is not appropriate.
>
> I'm looking for a way to identify users without explicit
> authentication, maybe there are some other ways?
IP address of the client machine sending the traffic to the proxy is the
usual way. Its not perfect by any means but works better than proxy
listening IP:port combos alone.
NOTE: IPv6 connectivity between the clients and proxy can be used to
avoid many IPv4 NAT issues. Though be aware other admin have forced some
NAT types into IPv6 as well now, so even that is not as reliable as it
used to be if you are dealing with remote/Internet connections.
PS. Why your aversion to authentication? explicitly configured proxy is
*the* use-case where authentication to the proxy actually works very well.
Amos
More information about the squid-users
mailing list