[squid-users] Squid 5.0.3 Cache_Peer Authentication Issue
Paul at pjb.org.uk
Thu Jan 7 19:43:17 UTC 2021
Hello,
I am currently using Squid 5.0.3 but have an issue when using a cache_peer (non-squid &
outside my control) that requires authentication. My Squid server doesn't require
authentication and reading the documentation indicated that I need to set
'login=PASSTHRU' on my cache_peer line, which I have done. This has enabled GET
methods to work as expected, but CONNECT methods are failing. The response from the
peer is a '407' with both methods.
I am controlling access to the peer via an acl:
---------------
acl localClients src 10.10.1.0/24
http_access allow localClients
acl aclREDIRECT dstdomain "/etc/squid/redirect.txt"
cache_peer 10.10.10.167 parent 8080 0 no-query name=peerREDIRECT login=PASSTHRU connection-auth=on
cache_peer_access peerREDIRECT allow aclREDIRECT
cache_peer_access peerREDIRECT deny !aclREDIRECT
never_direct allow aclREDIRECT
always_direct deny aclREDIRECT
always_direct allow all
http_port 80 connection-auth=on
---------------
An extract from my logs showing the failure:
---------
kid1| 5,3| IoCallback.cc(112) finish: called for conn30 local=10.10.10.60:41270
remote=10.10.10.167:8080 FIRSTUP_PARENT FD 17 flags=1 (0, 0)
kid1| 5,3| Read.cc(93) ReadNow: conn30 local=10.10.10.60:41270
remote=10.10.10.167:8080 FIRSTUP_PARENT FD 17 flags=1, size 65535, retval 978,
errno 0
kid1| 11,2| HttpTunneler.cc(323) handleResponse: Tunnel Server conn30
local=10.10.10.60:41270 remote=10.10.10.167:8080 FIRSTUP_PARENT FD 17 flags=1
kid1| 11,2| HttpTunneler.cc(326) handleResponse: Tunnel Server RESPONSE:
---------
<HEAD><TITLE>Proxy Authorization Required</TITLE></HEAD>
<BODY BGCOLOR="white" FGCOLOR="black"><H1>Proxy Authorization
Required</H1><HR>
<FONT FACE="Helvetica,Arial"><B>
Description: Authorization is required for access to this proxy</B></FONT>
<HR>
<!-- default "Proxy Authorization Required" response (407) -->----------
kid1| 83,3| HttpTunneler.cc(345) bailOnResponseError: unsupported CONNECT response
status code [state:w FD 17 job22]
kid1| TCP connection to 10.10.10.167/8080 failed
current master transaction: master57
kid1| 83,5| HttpTunneler.cc(404) callBack: conn30 local=10.10.10.60:41270
remote=10.10.10.167:8080 FIRSTUP_PARENT FD 17 flags=1 [state:w FD 17 job22]
--------------
Is this a misconfiguration, or have I misunderstood how cache_peer works?
regards,
Paul