[squid-users] Login/Pass from squid to Squid
Amos Jeffries
squid3 at treenet.co.nz
Fri Nov 4 14:50:51 UTC 2016
On 4/11/2016 4:25 a.m., FredB wrote:
>
>> Authentication credentials represent and verify the identity of your
>> proxy. That is a fixed thing so why would the credentials used to
>> verify
>> that static identity need to change?
>
>
> I'm only speaking about users identities, not something like cache_peer login=XXX
> So each user must have is own ID
>
>>
>> NP: Proxy-auth is not related to the message itelf, but to the
>> transport
>> mechanism. Do not confuse the identity of the proxy/sender with the
>> traffic flowing through it from other sources.
>
> Yes
>
>>
>> That said, you can use request_header_add to add whatever headers you
>> like to upstream requests. Even proxy-auth headers. You just cant
>> easily
>> handle any 407 which result from that when the credentials are not
>> accepted. So the ACL you use better be 100% accurate when it matches.
>
> Ah ok great, so maybe we can imagine something like this
>
> If an acl match a specific address (eg 10.1.1.1) I put Authorization: BASIC Z3Vlc3Q6Z3Vlc3QxMjM= ?
> It's what I was talking about helper, maybe a separate program should be better for matching IP=USERNAME
>
> If there is many users the ACL will be very long and complex ...
>
Use "login=PASS" (exact string) on the cache_peer.
Along with an http_access check that uses an external ACL helper which
produces "OK user=X password=Y" for whatever credentials need to be sent.
NP: on older Squid that may be "pass=" instead of "password=".
Amos
More information about the squid-users
mailing list