[squid-users] Squid 4.x: cache_peer PROXY_PROTOCOL support with squid parents

eliezer at ngtech.co.il eliezer at ngtech.co.il
Sat Feb 23 22:16:46 UTC 2019


What would be the reason to replace haproxy exactly?

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of David Touzeau
Sent: Saturday, February 23, 2019 18:31
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 4.x: cache_peer PROXY_PROTOCOL support with squid parents


Currently we are working on Kerberos with Active Directory with Ha-proxy that
sends requests to squid using proxy_protocol.
Everything works great but we want to replace the ha-proxy with a squid.
In fact, we want the squid client to send the credentials information to a
squid parent in order to centralize ACLs on the parent proxy according to
the user's login name.
Do you have any suggestions?

Best regards




-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
Amos Jeffries
Sent: Saturday, 23 February 2019 04:07
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid 4.x: cache_peer PROXY_PROTOCOL support with
squid parents

On 23/02/19 2:45 am, David Touzeau wrote:
> Hi,
>
>
>
> We would like to use this infrastructure:
>
>
>
> Squid-cache client authentication 1--------
>
>
>    | ----> Squid Parent with ACLs per user/LDAP groups/Web filtering
> ---> INTERNET
>
> Squid-cache client authentication 2 --------
>
>
>
>
>
> Currently this kind of infrastructure cannot be done because the Squid
> that acts as a client did not send credentials information to the
> parent proxy.
>

There are many types of "client authentication" that can exist in multiple
nested protocol layers:

* HTTP WWW-Auth* credentials

* HTTP Proxy-Auth* credentials

* TLS client X.509 certificate

* CONNECT tunnel Proxy-Auth*

* TCP connection-auth scheme credentials (NTLM, Negotiate)

* IPSEC key exchange

* EUI

* IDENT user name

Which one(s) are you talking about?


>
> We think it should be done if the cache_peer is compliance with
> PROXY_PROTOCOL rfc as the http_port is already compliance.
>

What are you thinking PROXY would be doing to help with the situation?

Keep in mind that the PROXY header needs to be sent before any other bytes
on the server connection. Which immediately limits the cases where any type
of client information is available.


>
> Do you have plans to add PROXY_PROTOCOL inside cache_peer feature ?
>
>

To whom are you addressing this question?


Cheers,
Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
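To make concrete the point raised above about what a PROXY header can and cannot carry, here is an added example (not code from this thread, and not Squid's or HAProxy's own implementation) that encodes and decodes PROXY protocol v1 (text) and v2 (binary) headers in Python. The addresses, ports and the HTTP request bytes are constructed sample values. It shows that the header must be the very first bytes on the connection and that its payload is only the original L3/L4 address tuple (plus optional TLVs in v2); any HTTP, Proxy-Authorization or Kerberos credential lives in the bytes that follow, which is why PROXY by itself cannot forward "who the user is" to a parent.

```python
import ipaddress
import struct

# Added example, not from the squid-users thread or the Squid project.
# PROXY v1 is a single ASCII line; v2 is a 12-byte signature followed by
# version/command, family/transport, a length and the packed addresses.
V1_MAX_LEN = 107                       # spec maximum for the v1 line incl. CRLF
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_v1(src, dst, sport, dport):
    """Encode a v1 header line such as b'PROXY TCP4 a b p q\\r\\n'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination families differ")
    fam = "TCP4" if s.version == 4 else "TCP6"
    line = f"PROXY {fam} {s} {d} {sport} {dport}\r\n".encode("ascii")
    if len(line) > V1_MAX_LEN:
        raise ValueError("v1 header too long")
    return line


def parse_v1(data):
    """Consume a v1 header from the front of data; return (fields, remainder)."""
    end = data.find(b"\r\n", 0, V1_MAX_LEN + 1)
    if not data.startswith(b"PROXY ") or end < 0:
        raise ValueError("connection does not start with a PROXY v1 header")
    parts = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if parts[1] == "UNKNOWN":           # sender could not determine addresses
        return {"family": "UNKNOWN"}, rest
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    fields = {
        "family": parts[1],
        "src": ipaddress.ip_address(parts[2]),
        "dst": ipaddress.ip_address(parts[3]),
        "sport": int(parts[4]),
        "dport": int(parts[5]),
    }
    return fields, rest


def build_v2(src, dst, sport, dport):
    """Encode a v2 header (PROXY command, TCP over IPv4 or IPv6, no TLVs)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("source and destination families differ")
    fam_proto = 0x11 if s.version == 4 else 0x21   # AF_INET/STREAM, AF_INET6/STREAM
    addrs = s.packed + d.packed + struct.pack("!HH", sport, dport)
    # 0x21 = version 2 in the high nibble, PROXY command in the low nibble
    return V2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(addrs)) + addrs


def parse_v2(data):
    """Consume a v2 header from the front of data; return (fields, remainder)."""
    if not data.startswith(V2_SIGNATURE) or len(data) < 16:
        raise ValueError("connection does not start with a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ValueError("truncated PROXY v2 header")
    if ver_cmd & 0x0F == 0:             # LOCAL command (health check): use socket addrs
        return {"command": "LOCAL"}, rest
    if fam_proto == 0x11:
        fmt, need = "!4s4sHH", 12
    elif fam_proto == 0x21:
        fmt, need = "!16s16sHH", 36
    else:
        raise ValueError("unsupported address family / transport")
    if len(body) < need:
        raise ValueError("address block shorter than family requires")
    s, d, sp, dp = struct.unpack(fmt, body[:need])
    fields = {
        "command": "PROXY",
        "src": ipaddress.ip_address(s),
        "dst": ipaddress.ip_address(d),
        "sport": sp,
        "dport": dp,
        "tlvs": body[need:],            # optional extra data; still no HTTP auth
    }
    return fields, rest


def demo():
    """Constructed wire sample: v2 header, then the client's first HTTP bytes."""
    http = (b"GET http://example.test/ HTTP/1.1\r\n"
            b"Proxy-Authorization: Negotiate PLACEHOLDER-TOKEN\r\n\r\n")
    wire = build_v2("192.0.2.10", "198.51.100.1", 56324, 3128) + http
    fields, rest = parse_v2(wire)      # fields: addresses only; rest: the HTTP request
    return fields, rest
```

The receiver side (Squid's `http_port ... require-proxy-header`, in the page's scenario) has to consume this header before it reads a single HTTP byte, which is exactly the ordering constraint Amos points out: at that moment the only facts available about the client are the ones in the header, i.e. the address tuple. Whatever credential later appears in `Proxy-Authorization` is part of the HTTP request and would have to be relayed by a different mechanism.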



