[squid-users] parent_proxy kerberos authentication logging

Johnatan loopback3128 at gmail.com
Fri Mar 18 13:38:06 UTC 2016


Thanks for the reply.

I have two acls:
acl FAKE-AUTH proxy_auth required
acl CHILD-PROXY src 192.168.0.1

It's working now, but I need to tell my parent proxy to accept the two
directives:
http_access allow FAKE-AUTH
http_access allow CHILD-PROXY

With only the:
http_access allow FAKE-AUTH
or the directive
http_access allow FAKE-AUTH CHILD-PROXY
It won't work.

Do you know why?

2016-03-09 12:41 GMT+01:00 Amos Jeffries <squid3 at treenet.co.nz>:

> On 9/03/2016 2:08 a.m., Johnatan wrote:
> > Hello there,
> >
> > I have 2 proxies.
> > On the first, I perform a Kerberos authentication from my users.
> > On the parent proxy I want to retrieve the login (username) information.
> > I don't want to perform a real authentication on the parent proxy so I have
> > already tested the documentation with the dummy authentication but it
> > doesn't seem to work for kerberos authentication.
> > Is there a way for the parent proxy to get the username from my child proxy?
> >
>
> Let's be clear: Negotiate/Kerberos authenticates the *TCP connection*.
> The single one between the client and your first proxy. The
> authentication is *invalid* on any other connection the message travels
> over.
>
> This is the main way that Negotiate still violates HTTP messaging
> requirements.
>
>
> Now that's out of the way. The username can be passed on to the second
> proxy using simpler Basic auth:
>  cache_peer ... login=*:foo
>
> Where "foo" is a fake password. The receiving proxy will still need to
> perform authentication (with basic_fake_auth helper) to get access to
> the username info.
>
> Amos
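An added example, not part of the original thread: a small audit of the parent proxy's access.log that shows which requests from the child arrive with a username, which are challenged with 407, and which usernames come from a source other than the child. Because basic_fake_auth accepts whatever credentials are presented, a name logged for any other source is unverified. It assumes Squid's default native log format (client address in field 3, username in field 8); the log lines are constructed samples and the function names are hypothetical.

```python
# Added example: audit a parent proxy's access.log (Squid native format assumed).
CHILD_PROXY = "192.168.0.1"  # the CHILD-PROXY src address from the post

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
1458308286.101     45 192.168.0.1 TCP_MISS/200 1523 GET http://example.com/ alice@EXAMPLE.COM HIER_DIRECT/203.0.113.10 text/html
1458308287.210     12 192.168.0.1 TCP_DENIED/407 3980 GET http://example.com/a - HIER_NONE/- text/html
1458308288.330     30 192.168.0.1 TCP_MISS/200 812 GET http://example.com/b - HIER_DIRECT/203.0.113.10 text/html
1458308289.440     28 192.168.0.77 TCP_MISS/200 640 GET http://example.com/c bob HIER_DIRECT/203.0.113.10 text/html
"""

def parse_line(line):
    """Split one native-format line into the fields this audit needs."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated or non-native line: skip it
    code, _, status = fields[3].partition("/")
    return {"client": fields[2], "code": code, "status": status,
            "url": fields[6], "user": fields[7]}

def audit(log_text, child=CHILD_PROXY):
    """Return (finding, url) pairs for requests that need a closer look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        from_child = rec["client"] == child
        has_user = rec["user"] != "-"
        if from_child and rec["status"] == "407":
            # Parent asked for credentials: the child sent none on this request.
            findings.append(("challenged", rec["url"]))
        elif from_child and not has_user:
            # Allowed by the src ACL alone; no identity reached the parent log.
            findings.append(("no-username", rec["url"]))
        elif not from_child and has_user:
            # Fake auth accepted a name from a host that is not the child proxy.
            findings.append(("unverified-source", rec["url"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```
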