[squid-users] squid 4/5 feature request send login informations to peers

David Touzeau david at articatech.com
Thu Nov 19 17:17:01 UTC 2020


Thanks Amos

You mean using "login=PASS" in peer settings and in Proxy parent B and 
C use the "basic_fake_auth" helper to "simulate" the requested auth?



On 17/11/2020 at 11:43, Amos Jeffries wrote:
> On 17/11/20 9:27 pm, David Touzeau wrote:
>>
>> Hi,
>>
>> We have a first Squid using Kerberos + Active Directory authentication.
>> This first Squid is used to limit access using ACLs and Active 
>> Directory groups.
>>
>> This first Squid uses parents as peers in order to access the internet 
>> in this way:
>>
>>                               | --------> SQUID B ----------> Internet 1
>> squid A ------------->
>>                               | ---------> SQUID C ---------> Internet 2
>>
>> 1) We want to use ACLs too (for delegation purposes) on Squid B and C
>> 2) For legal log compliance purposes.
>>
>> In this case, the username discovered in Squid A must be transmitted 
>> to Squid B and C, and Squid B and C must accept the information in 
>> order to use it as login information to parse ACLs.
>>
>> Is it possible?
>
> You can send the username. But the security token is tied to the 
> client<->SquidA TCP connection - it cannot be validated by other 
> servers than SquidA.
>
> This should not matter though. Since Squid A is only permitting 
> authenticated traffic you can *authorize* at Squid B and C based only 
> on the source being one of your Squids with a valid username.
>
>
>>
>> If not: we have seen that the Proxy protocol accepts transmitting the 
>> source IP/login information to peers that are compliant with the proxy 
>> protocol,
>> but the peers method in Squid did not allow using the Proxy protocol.
>> Is it possible to add "Proxy Protocol" support in the peers method?
>>
>
> It is possible to implement (for Squid-6 earliest) PROXYv2 for 
> cache_peer. But the credentials security token remains tied to SquidA 
> service.
>
>
> Amos

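A configuration sketch of the arrangement discussed in this thread, added here as an example and not taken from either poster: Squid A forwards the authenticated user name to its parents, and Squid B (Squid C is identical) accepts it with basic_fake_auth while authorizing only on the source address being Squid A. It uses the documented `login=*:password` form of the cache_peer option, which sends the user name with a fixed password; the host names, the 192.0.2.10 address, the helper path, the password and the user names are all assumptions.

```conf
# ---------- Squid A (front proxy, Kerberos + AD) ----------
# Existing Kerberos auth_param / group ACLs stay as they are.
# login=*:password forwards the authenticated user name to the parent
# with a fixed placeholder password instead of the client's token,
# which the parent could not validate anyway.
cache_peer squid-b.example.net parent 3128 0 no-query login=*:placeholder-secret
cache_peer squid-c.example.net parent 3128 0 no-query login=*:placeholder-secret
never_direct allow all

# ---------- Squid B (parent; Squid C is the same) ----------
# basic_fake_auth accepts any user name and any password, so it proves
# nothing by itself. The real trust decision is the src ACL below.
# Helper path is distribution dependent (assumed Debian-style here).
auth_param basic program /usr/lib/squid/basic_fake_auth
auth_param basic realm parent-proxy

# Only Squid A may talk to this proxy (address is a placeholder).
acl from_squid_a src 192.0.2.10
acl has_username proxy_auth REQUIRED

# Hypothetical per-user delegation ACL on the parent, matched against
# the user name forwarded by Squid A.
acl delegated_users proxy_auth alice@EXAMPLE.NET bob@EXAMPLE.NET

# Reject other sources first, before any auth challenge is issued.
http_access deny !from_squid_a
http_access deny !has_username
http_access allow delegated_users
http_access deny all

# The default "squid" access.log format already records the user name
# (%un), which covers the logging requirement on the parent.
access_log daemon:/var/log/squid/access.log squid
```

Because the fake helper never checks the password, any host that can reach Squid B's port and passes the src ACL can claim any user name; keep that port firewalled to Squid A only.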