[squid-users] help setting up hierarchy

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 16 02:18:38 UTC 2015

On 16/03/2015 11:26 a.m., Alex Samad wrote:
> Hi
> Sorry gmail sent before I could finish
> On 16 March 2015 at 09:24, Alex Samad <alex at samad.com.au> wrote:
>> Hi
>> I have 2 squid boxes that exist in my 2 DC.
>> They are on the same vlan/ ip network and i use dns round robin
>> cache_peer <other> sibling 3128 3130 proxy-only
>> in  addition to this I added in
>> acl icp_allowed src << the ip of the other squid box to allow icp
>> http_access allow icp_allowed << need to allow this so that squid -a
>> can request from squid-b with out authenticating (do I need todo this)
>> icp_port 3130
>> icp_access allow icp_allowed
>> icp_access deny all
>> these are running squid-3.1.10-29.el6.x86_64
>> my new box (in the office) is running
>> squid-3.4.10-1.el6.x86_64
>> cache_peer squid-b parent 3128 0 weighted-round-robin weight=5
>> cache_peer squid-a parent 3128 0 weighted-round-robin weight=2
>> I had to turn on ICP I kept seeing error of not allowed !
>> We have authenticated access to the proxy, usually via ntlm so all
>> requests are logged against a user.
>> I do have some boxes that need unauthenticated access
>> Config questions
>> 1) how to I get user authentication to flow through
>>   if a user requests from squid-a and it takes it from squid-b. I
>> would like the user id's logged on both
>>   if a user requests from new squid to either squid-a or squid-b. I
>> would like the auth (which would be done on new-squid) to flow through
>> to either squid-a or squid-b.

This is not possible with NTLM authentication.

NTLM is authenticating the TCP connection between client and proxy
underneath the HTTP layer and has a complex handshake setting up
security token per-connection with the DC server. The TCP connection
outbound from the proxy is a different connection, and also is not from
the client.

Its possible with Negotiate/Kerberos or Basic auth. Even though
Negotiate is also authenticating the TCP connection the handshake is
simpler and the token can be relayed to the peer proxy.

NP: Though be careful in an environment using NTLM. You may get
Negotiate/NTLM tokens flowing around, which wont work any more than NTLM

> 2) how do I setup ICP to work properly

Use HTCP for better HIT ratio with less false positives in HTTP/1.1.

> 3) is the cache_peer to squid-a squid-b from new-squid type parent ?

No. But to get the authentication to work you will need login=PASSTHRU
parameter (and be using Basic or Negotiate/Kerberos).

> 4) do I need to allow ICP clients full access, this is the squid-a to
> squid-b link ?

You should not have to. However, it also should not matter - when the
first proxy is doing auth you kow the traffic coming out of it is
authenticated. Not doing auth twice is faster.


More information about the squid-users mailing list