[squid-users] Setting Up Squid - my scenario

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 9 17:19:48 UTC 2017


On 10/03/2017 6:00 a.m., S V Hareesh wrote:
> Ok, I tried that but it didn't work. I can put a conf file here. As a
> start I am currently in a scenario trying to replace a simple CNTLM
> HTTP proxy with Squid. I want to configure one account which
> authenticates with parent proxy send the downstream requests without
> taking any creds.

If your CNTLM was running on the Squid machine and using the credentials
for the service account you have set up Squid to use now - then the
cache_peer login=NEGOTIATE should make Squid operate as equivalent to
what CNTLM was doing.

The config file would be useful for anyone who follows up (not just me,
who will be out of time shortly for another few days).

Also, if you can track what HTTP messages are happening and whether the
Kerberos is working properly for the Squid->parent messages it would be
useful.

The current Squid can provide HTTP details in cache.log with
"debug_options 11,2". I'm not sure how you would test the Kerberos on a
Windows installation, but the Negotiate auth headers in those messages
might give a few clues anyway.

HTH
Amos


> On Thu, Mar 9, 2017 at 4:50 PM, Amos Jeffries wrote:
>> On 10/03/2017 5:19 a.m., S V Hareesh wrote:
>> On top of the conf file from default setup on Windows, I added the following line in the conf. I added the dns servers and allowed localhost.
>>
>> cache_peer <corporate_proxy> parent 80 0 default connection-auth=on proxy-only
>>
>> never_direct allow all
>>
>> When I point my browser to this proxy, it gives me 407, auth required. 
>>
>> Also, configured squid service on windows to run with a service account that has access to Internet/corp proxy.
> 
> Squid cannot authenticate to a cache_peer using NTLM. It can only do
> Negotiate/Kerberos to the parent proxy, and only when "login=NEGOTIATE"
> is added (with or without a named keytab file).
> 
> NOTE: 'connection-auth=on' is about allowing the browser to use NTLM or
> Negotiate/Kerberos through the cache_peer. It needs to also have
> "login=PASSTHRU" if that peer is a proxy (as opposed to a web or
> Exchange server).
> 
> See the 'AUTHENTICATION OPTIONS' section of
> <http://www.squid-cache.org/Doc/config/cache_peer/>
> 
> Amos



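Following the suggestion above to look at the Negotiate auth headers in the logged HTTP messages, this added example (not from the original post or the Squid project) classifies Proxy-Authenticate/Proxy-Authorization headers and reports whether a token carries Kerberos or NTLM. It assumes the headers appear one per line in the dump; `token_kind`, `scan` and the sample input are constructed for illustration.

```python
import base64
import re

# Proxy auth headers, one per line, as in an HTTP message dump.
AUTH_HDR = re.compile(
    r"^[ \t]*(Proxy-Authenticate|Proxy-Authorization):[ \t]*(\S+)(?:[ \t]+(\S+))?",
    re.IGNORECASE | re.MULTILINE)
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2


def token_kind(b64_token):
    """Heuristically name the mechanism inside a base64 auth token."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return "undecodable"
    if b"NTLMSSP\x00" in raw:          # raw NTLM, or NTLM wrapped in SPNEGO
        return "NTLM"
    if raw[:1] == b"\x60" and KRB5_OID in raw:   # GSS-API initial token
        return "Kerberos"
    return "unknown"


def scan(dump):
    """Return (header, scheme, kind) for every proxy auth header in dump."""
    found = []
    for name, scheme, token in AUTH_HDR.findall(dump):
        if scheme.lower() not in ("negotiate", "ntlm"):
            kind = "other scheme"
        else:
            kind = token_kind(token) if token else "offer"
        found.append((name.title(), scheme, kind))
    return found


# Constructed sample input (not taken from the thread or a real cache.log).
_KRB = base64.b64encode(b"\x60\x82\x01\x00" + SPNEGO_OID + b"\xa0\x30"
                        + KRB5_OID + b"\x00" * 8).decode()
_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 8).decode()
SAMPLE = (
    "HTTP/1.1 407 Proxy Authentication Required\n"
    "Proxy-Authenticate: Negotiate\n"
    "Proxy-Authenticate: NTLM\n\n"
    "GET http://example.com/ HTTP/1.1\n"
    f"Proxy-Authorization: Negotiate {_KRB}\n\n"
    "GET http://example.com/ HTTP/1.1\n"
    f"Proxy-Authorization: Negotiate {_NTLM}\n")

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(*row, sep="  ")
```

A Negotiate header whose token decodes to NTLM means the client fell back from Kerberos, which matters here because the thread states Squid can only do Negotiate/Kerberos to the parent.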