[squid-users] squid 4/5 feature request send login informations to peers

Amos Jeffries squid3 at treenet.co.nz
Tue Nov 17 10:43:57 UTC 2020

On 17/11/20 9:27 pm, David Touzeau wrote:
> Hi,
> We a first Squid using Kerberos + Active Directory authentication.
> This first squid is used to limit access using ACls and Active Directory 
> groups.
> This first squid using parents as peer in order to access to internet in 
> this way:
>                               | --------> SQUID B ----------> Internet 1
> squid A ------------->
>                               | ---------> SQUID C ---------> Internet 2
> 1) We want using ACLs too ( for delegation purpose ) on Squid B and C
> 2) For legal logs purpose compliance.
> In this case,  the username discovered in SQUIDA must be transmitted to 
> SQUID B AND C and SQUID B-C must accept the information in order to use 
> as login information to parse acls
> Is it possible ?

You can send the username. But the security token is tied to the 
client<->SquidA TCP connection - it cannot be validated by other servers 
than SquidA.

This should not matter though. Since Squid A is only permitting 
authenticated traffic you can *authorize* at Squid B and C based only on 
the source being one of your Squid with valid username.

> If not: wee have seen that the Proxy protocol accept to transmit the 
> source IP/login information to peers that are compliance with proxy 
> protocol.
> but the peers method in squid did not allow to use Proxy protocol.
> Is it possible to add the "Proxy Protocol" support in peers method ?

It is possible to implement (for Squid-6 earliest) PROXYv2 for 
cache_peer. But the credentials security token remains tied to SquidA 


More information about the squid-users mailing list