[squid-users] Authentication pass-through cache_peer

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 21 14:42:36 UTC 2016

On 22/11/2016 1:33 a.m., Eduardo Carneiro wrote:
> Hi all.
> Sorry if this is already answered here. But I couldn't find any clear tips
> about this topic.
> I'm using Squid 3.5.19 with dynamic content caching in a huge user base
> (almost 10.000). Due to the large number of requisitions, internet access is
> getting very slow.

FYI: first optimization should be removing NTLM. It doubles the number
of HTTP messages required for clients to do anything, and requires the
proxy to disable many HTTP performance features.

> So I decided to use cache_peer to balance the traffic between servers. Would
> be a basic environment. One child (that receive the requisitions of the
> users) and three parent servers in a cluster. The problem is the
> authentication.
> Today I use NTLM to authenticate my accesses (in a AD Win2008). I have read
> here, that Squid doesn't support ntlm pass-through between child -> parent
> servers.

Squid does support pass-through. Just use login=PASSTHRU in the child
proxy cache_peer lines.

What it doesn't support is using obsolete NTLM protocol to authenticate
_itself_ to parent proxies. (Yes NTLM was formally deprecated by MS in
April 2006).

> The question I have is: There is any way to send user authentication
> credentials of the child server to parent servers transparently? Without
> need to enter username and password in the browser authentication box?

cache_peer ... login=PASSTHRU

Required that the frontend proxy using this does not do authentication
itself. That is done solely by the peer receiving the credentials.


More information about the squid-users mailing list