[squid-users] Authentication pass-through cache_peer

Eduardo Carneiro eduardoocarneiro at gmail.com
Mon Nov 21 15:17:53 UTC 2016


Amos Jeffries wrote
> On 22/11/2016 1:33 a.m., Eduardo Carneiro wrote:
>> Hi all.
>> 
>> Sorry if this is already answered here. But I couldn't find any clear tips
>> about this topic.
>> 
>> I'm using Squid 3.5.19 with dynamic content caching in a huge user base
>> (almost 10.000). Due to the large number of requisitions, internet access is
>> getting very slow.
> 
> FYI: first optimization should be removing NTLM. It doubles the number
> of HTTP messages required for clients to do anything, and requires the
> proxy to disable many HTTP performance features.
> 
>> 
>> So I decided to use cache_peer to balance the traffic between servers. It
>> would be a basic environment. One child (that receives the requisitions of
>> the users) and three parent servers in a cluster. The problem is the
>> authentication.
>>  
>> Today I use NTLM to authenticate my accesses (in an AD Win2008). I have read
>> here that Squid doesn't support NTLM pass-through between child -> parent
>> servers.
> 
> Squid does support pass-through. Just use login=PASSTHRU in the child
> proxy cache_peer lines.
> 
> What it doesn't support is using obsolete NTLM protocol to authenticate
> _itself_ to parent proxies. (Yes NTLM was formally deprecated by MS in
> April 2006).
> 
>> 
>> The question I have is: Is there any way to send user authentication
>> credentials of the child server to parent servers transparently? Without
>> the need to enter username and password in the browser authentication box?
> 
> cache_peer ... login=PASSTHRU
> 
> Requires that the frontend proxy using this does not do authentication
> itself. That is done solely by the peer receiving the credentials.
> 
> HTH
> Amos
> 

Thanks for the answers.

So, Amos, if I use Negotiate/Kerberos or any basic auth, the PASSTHRU
parameter will work for my purpose. Is that right?




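The layout discussed in this thread (one child relaying credentials to three authenticating parents), sketched as an added example that is not part of the original messages or of the Squid project's documentation. Hostnames, addresses, the Basic scheme on the parent and the helper and password file paths are assumptions chosen for illustration.

```squidconf
# ---------------------------------------------------------------
# Child (frontend) squid.conf
# No auth_param and no proxy_auth ACLs here: with login=PASSTHRU
# the frontend must not authenticate users itself.
# ---------------------------------------------------------------
http_port 3128

acl clients src 10.0.0.0/8              # constructed client range
http_access allow clients
http_access deny all

# Relay the client's credentials unaltered to whichever parent is
# selected. Hostnames are placeholders.
cache_peer parent1.example.internal parent 3128 0 no-query round-robin login=PASSTHRU
cache_peer parent2.example.internal parent 3128 0 no-query round-robin login=PASSTHRU
cache_peer parent3.example.internal parent 3128 0 no-query round-robin login=PASSTHRU

# Force every request through a parent so nothing leaves the
# frontend without having been authenticated upstream.
never_direct allow all

# ---------------------------------------------------------------
# Parent squid.conf (same on all three parents)
# The only place where authentication is performed.
# ---------------------------------------------------------------
http_port 3128

# Assumed scheme and paths; adjust to the local installation.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy

acl child_proxy src 192.0.2.10          # constructed address of the child
acl authenticated proxy_auth REQUIRED

# Accept traffic only from the frontend, then require credentials.
http_access deny !child_proxy
http_access allow authenticated
http_access deny all
```

With Basic credentials the username and password cross the child-to-parent link base64-encoded only, so that link should sit on a trusted network segment. Because the frontend no longer knows who the user is, per-user logging and ACLs have to live on the parents.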