[squid-users] Using Squid as forward http proxy failing to complete request?

Amos Jeffries squid3 at treenet.co.nz
Fri Aug 21 15:57:27 UTC 2015


On 22/08/2015 1:39 a.m., asad wrote:
> I'm using Squid as local proxy.
> 
> I have the config file as below:
> 
<snip>
> 
> 
> *  cache_peer 10.1.2.3 parent 8080 0 no-query default
> login=my_username:my_password    never_direct allow all*
> 
<snip>
> Now, I want to use it as a forward proxy. For that, the configuration is
> shown in the config file in ***bold text***.


I'm not sure you are using the term "forward proxy" right.
"forward-proxy" is nowadays commonly also stated "explicit proxy".


See this bit here:

   # Squid normally listens to port 3128
   http_port 3128

That bit alone is what makes your Squid an explicit/forward-proxy.


Using cache_peer as shown above just relays traffic through a parent
proxy, which in this case also happens to be a forward/explicit proxy.

Using "never_direct allow all" forces only that parent proxy to be used.
No traffic may go anywhere but through a cache_peer.


> 
> I have browsed tons of web-pages and all have said to include a line
> similar to this. Beyond this configuration, I don't know what else to add
> in order to make it work.
> 
> 
> One thing: under safe_port, should I be changing the http port to "8080"
> since my local machine is already behind another proxy?

No. The cache_peer details are all private between the two proxies. They
have no part in the traffic messages themselves.

> 
> Also, I'm using domain authentication (NTLM) to connect to the other proxy. Is
> authentication configuration required besides what is already done in the
> config file?
> 

What those tutorials are not explaining is that the
"login=my_username:my_password" is sending Basic auth credentials to the
parent proxy.

Squid does not support using NTLM to authenticate its cache_peer TCP
connection.

The options available for the cache_peer directive and what they do are
documented at <http://www.squid-cache.org/Doc/config/cache_peer/>


My suggestions for a fix:

You could use "login=PASSTHRU connection-auth=on" and not do anything
else with auth in your proxy. That way the client software can (try to)
authenticate to the parent proxy directly with NTLM.


Or, if the parent proxy accepts Negotiate/Kerberos auth you can use
"login=NEGOTIATE" and set up the necessary keytab for your proxy to
authenticate with.


Amos
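The three variants discussed above, side by side as an added squid.conf fragment (not taken from the message or from the Squid project; the localnet ACL range is an assumption):

```conf
# Added example, not part of the original message. Minimal squid.conf for
# an explicit (forward) proxy that relays everything through the parent
# proxy at 10.1.2.3:8080.

# Listening here is what makes this Squid an explicit/forward proxy.
http_port 3128

# Restrict who may use the proxy (the address range is an assumption).
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all

# Option A (the original config): Basic credentials are stored in
# squid.conf and sent to the parent. Squid cannot authenticate the peer
# link with NTLM, so an NTLM-only parent will reject this.
# cache_peer 10.1.2.3 parent 8080 0 no-query default login=my_username:my_password

# Option B: relay each client's own Proxy-Authorization to the parent and
# pin the connection so the client's NTLM handshake with the parent works.
cache_peer 10.1.2.3 parent 8080 0 no-query default login=PASSTHRU connection-auth=on

# Option C: Squid itself authenticates to the parent with Negotiate/Kerberos
# using its own keytab (only if the parent accepts Negotiate).
# cache_peer 10.1.2.3 parent 8080 0 no-query default login=NEGOTIATE

# Never go direct: all traffic must leave through a cache_peer.
never_direct allow all
```

Only one of the three cache_peer lines should be active at a time; with option B, clients must be able to complete NTLM against the parent themselves, since Squid only forwards their headers.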


