[squid-users] help setting up hierarchy

Amos Jeffries squid3 at treenet.co.nz
Mon Mar 16 02:18:38 UTC 2015


On 16/03/2015 11:26 a.m., Alex Samad wrote:
> Hi
> 
> Sorry gmail sent before I could finish
> 
> On 16 March 2015 at 09:24, Alex Samad <alex at samad.com.au> wrote:
>> Hi
>>
>> I have 2 squid boxes that exist in my 2 DC.
>>
>> They are on the same VLAN/IP network and I use DNS round robin
>>
>> cache_peer <other> sibling 3128 3130 proxy-only
>>
>> in  addition to this I added in
>>
>>
>> # ICP ALLOW
>> acl icp_allowed src 10.3.2.1/32 << the ip of the other squid box to allow icp
>>
>>
>> http_access allow icp_allowed << need to allow this so that squid -a
>> can request from squid-b without authenticating (do I need to do this)
>>
>> icp_port 3130
>> icp_access allow icp_allowed
>> icp_access deny all
>>
>> these are running squid-3.1.10-29.el6.x86_64
>>
>> my new box (in the office) is running
>> squid-3.4.10-1.el6.x86_64
>>
>> cache_peer squid-b parent 3128 0 weighted-round-robin weight=5
>> cache_peer squid-a parent 3128 0 weighted-round-robin weight=2
>>
>> I had to turn on ICP; I kept seeing errors of not allowed!
>>
>> We have authenticated access to the proxy, usually via ntlm so all
>> requests are logged against a user.
>>
>> I do have some boxes that need unauthenticated access
>>
>> Config questions
>> 1) how do I get user authentication to flow through
>>   if a user requests from squid-a and it takes it from squid-b. I
>> would like the user IDs logged on both
>>   if a user requests from new squid to either squid-a or squid-b. I
>> would like the auth (which would be done on new-squid) to flow through
>> to either squid-a or squid-b.

This is not possible with NTLM authentication.

NTLM is authenticating the TCP connection between client and proxy
underneath the HTTP layer and has a complex handshake setting up
security token per-connection with the DC server. The TCP connection
outbound from the proxy is a different connection, and also is not from
the client.

It's possible with Negotiate/Kerberos or Basic auth. Even though
Negotiate is also authenticating the TCP connection the handshake is
simpler and the token can be relayed to the peer proxy.

NP: Though be careful in an environment using NTLM. You may get
Negotiate/NTLM tokens flowing around, which won't work any more than NTLM
does.


> 2) how do I setup ICP to work properly

Use HTCP for better HIT ratio with less false positives in HTTP/1.1.

> 3) is the cache_peer to squid-a squid-b from new-squid type parent ?

No. But to get the authentication to work you will need login=PASSTHRU
parameter (and be using Basic or Negotiate/Kerberos).

> 4) do I need to allow ICP clients full access, this is the squid-a to
> squid-b link ?

You should not have to. However, it also should not matter - when the
first proxy is doing auth you know the traffic coming out of it is
authenticated. Not doing auth twice is faster.

Amos
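As an added illustration of the advice in this thread (not configuration from the original post or from the Squid project), here is a squid.conf fragment for the new office proxy that replaces ICP with HTCP, marks squid-a and squid-b as parents, and relays the client's Basic or Negotiate/Kerberos credentials with login=PASSTHRU. The hostnames, the 10.3.2.0/24 peer addresses and the 4827 HTCP port are assumptions for the example; the sibling line at the end is the matching change for squid-a and squid-b themselves.

```conf
# --- new office proxy (squid-3.4) ---

# Peer proxies: only these source addresses may send HTCP queries, and
# traffic from them arrives already authenticated by the first proxy.
# Addresses are placeholders for this example.
acl peer_proxies src 10.3.2.1/32 10.3.2.2/32

# Parents chosen by weight. "htcp" makes the second port an HTCP port
# instead of ICP (fewer false HITs under HTTP/1.1); login=PASSTHRU relays
# the client's Proxy-Authorization header to the parent so the same user
# is logged there. Works for Basic and Negotiate/Kerberos, not NTLM.
cache_peer squid-b parent 3128 4827 htcp weighted-round-robin weight=5 login=PASSTHRU
cache_peer squid-a parent 3128 4827 htcp weighted-round-robin weight=2 login=PASSTHRU

# Answer HTCP only for the known peers, never for the Internet.
htcp_port 4827
htcp_access allow peer_proxies
htcp_access deny all

# Authenticate users on this proxy (helper path is a placeholder).
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 10
acl authenticated proxy_auth REQUIRED

# Peer-to-peer fetches are already authenticated upstream, so skip the
# second challenge for them; everyone else must authenticate.
http_access allow peer_proxies
http_access allow authenticated
http_access deny all

# --- equivalent line on squid-a / squid-b (squid-3.1) for their sibling link ---
# cache_peer squid-b sibling 3128 4827 htcp proxy-only
```

The `http_access allow peer_proxies` rule is optional per the reply above; keeping it avoids a second authentication round trip but means anything able to reach the proxy from those two addresses is trusted, so the ACL must stay as narrow as the peers' real addresses. Clients still using NTLM will not benefit from login=PASSTHRU, since the NTLM handshake binds to the first proxy's TCP connection and cannot be relayed.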
