[squid-users] can squid handle indirect request from clients ?

Amos Jeffries squid3 at treenet.co.nz
Tue Feb 17 01:24:25 UTC 2015


On 17/02/2015 11:21 p.m., snakeeyes wrote:
> Hi Guys,
> 
> I wanted to ask.
> 
> If I have a topology as below:
> 
> Client====>(HAProxy or redirector)==>squid with ACLs & basic ncsa
> authentication
> 
> When the client asks for google.com,
> 
> it will pass through the HAproxy, and it will direct the request to the
> squid.
> 
> Example =>
> 
> Client goes to google.com:80, the HAProxy will send it google.com:3128 to
> the IP of squid.
> 

So google are hosting their public web services on port 3128 now? I very
much doubt that.

Perhaps you are using HAproxy to receive remotely NAT'ed traffic
because it does not complain like Squid?
 If so, the NAT lies are still there, just not being *mentioned* by the
HAproxy receiver. Those Squid complaints are designed to protect the
*entire Internet* (your LAN included) against NAT system
misconfiguration problems.



> 
> How do I let squid handle this task?
> 
> I tried to do NATing of any port 80 ==> 3128, but it failed!!!
> 

Yeah. Don't do that.

> Any suggestion? Or is it even possible?
> 
> Note I have ACLs and authentication @ squid, will it work???
> 

Chaining proxies is perfectly fine in HTTP. You just have to know how
the HTTP auth framework operates.

 - WWW-Auth* headers are about a user accessing the origin server resources.

 - Proxy-Auth* headers are about a client accessing a proxy.

The small difference in meaning between "client" (the initiating
endpoint of a TCP connection) and "user" (the person using some device)
matters a lot here.

So...

On the HAproxy->Squid connection, the client is *HAproxy*. Any
Proxy-Auth credentials received are considered by Squid to belong to
HAProxy itself. Where HAProxy gets them is its own business.

   But be clear, there is no "user" to Squid,
   just a client and that is _HAproxy_ in this setup.

So to perform auth in this setup all you need is to be able to configure
HAProxy to send the right credentials on each request. Since HTTP has
stateless auth they can be different client credentials representing
some different "user" for each request if you want that.

Contact the HAProxy support for help on how to configure it to send
credentials to Squid.


NP: if you have Squid-3.5 you can use the PROXY protocol between HAproxy
and Squid to relay the end-client TCP connection details down the chain
far better than X-Forwarded-For.

Amos

