[squid-users] Kerberos authentication with multiple squids

森 隆聡 t-mori at acty-sys.co.jp
Tue Oct 12 08:33:40 UTC 2021


I made a Single Sign-On environment with AD+Squid and it worked fine.

[It works]
Client(Windows) -> Squid(CentOS) -> Internet

* The client is joined to the domain, and Squid is configured for Kerberos authentication with AD.

But after adding another Squid, it didn't work.

[Does not work]
Client -> Squid(No Auth.) -> Squid(Kerberos Auth) -> Internet

I added the two lines below to squid.conf of the 1st Squid (No Auth.)
to relay authentication information.

---
cache_peer [host_of_second_squid] parent [port_no] 0 no-query login=PASSTHRU
never_direct allow all
---

I checked the access.log of the 1st Squid.
It seemed that Squid got a 407 and challenged with credentials, but failed.

---
"time=2021/10/12 15:46:23","un=-","credentials=-","host=[ip_of_first_squid]",
"src_ip=[ip_of_client_pc]","src_port=49776","dest_ip=-","dest_port=-",
"url=www.yahoo.co.jp:443","status=407","http_method=CONNECT"...

"time=2021/10/12 15:46:24","un=[user at domain]","credentials=KK (null)\n",
"host=[ip_of_first_squid]","src_ip=[ip_of_client_pc]","src_port=49776",
"dest_ip=[ip_of_second_squid]","dest_port=3128","url=www.yahoo.co.jp:443",
"status=407","http_method=CONNECT"....
---

I also tested with login=PASS and connection-auth=on but got the same result.
I don't understand why authentication fails with the
authentication information relayed by "login=PASSTHRU".

Do I misunderstand something, or does Squid originally not support
multiple proxies that relay Kerberos authentication information?

For this question I referenced this mail from the mailing list.
https://www.spinics.net/lists/squid/msg85519.html

I submitted a question with images to Stack Overflow.
https://stackoverflow.com/questions/69536317/is-it-possible-to-pass-kerberos-credentials-between-multiple-squids

I would appreciate it if you could point out any points you noticed.

Regards,
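
An added example (not part of the original post): a small Python parser for access.log records in the key=value layout quoted above. It separates the expected first 407 challenge from a 407 that is still logged after the request carried a user name and was forwarded to the parent. The sample records, addresses and user names are constructed, and the meaning of each field is assumed from its name.

```python
import re

# Constructed sample records in the key=value layout shown in the post
# (one record per line; addresses and user names are made up).
SAMPLE_LOG = r'''
"time=2021/10/12 15:46:23","un=-","credentials=-","host=192.0.2.10","src_ip=192.0.2.50","src_port=49776","dest_ip=-","dest_port=-","url=www.example.com:443","status=407","http_method=CONNECT"
"time=2021/10/12 15:46:24","un=alice@EXAMPLE.TEST","credentials=KK (null)\n","host=192.0.2.10","src_ip=192.0.2.50","src_port=49776","dest_ip=192.0.2.20","dest_port=3128","url=www.example.com:443","status=407","http_method=CONNECT"
"time=2021/10/12 15:47:02","un=bob@EXAMPLE.TEST","credentials=-","host=192.0.2.10","src_ip=192.0.2.51","src_port=50112","dest_ip=192.0.2.20","dest_port=3128","url=www.example.org:443","status=200","http_method=CONNECT"
'''

# Each field is a double-quoted key=value pair; values contain no quotes.
FIELD = re.compile(r'"(\w+)=([^"]*)"')


def parse_record(line):
    """Turn one quoted key=value record into a dict of strings."""
    return dict(FIELD.findall(line))


def classify(rec):
    """Label a record by where in the proxy chain the 407 shows up.

    Assumption: "un" is the authenticated user name and "dest_ip" is the
    next hop (the parent Squid), with "-" meaning "not set".
    """
    if rec.get("status") != "407":
        return "ok"
    if rec.get("un", "-") == "-":
        return "initial_challenge"      # no credentials offered yet
    if rec.get("dest_ip", "-") != "-":
        return "rejected_after_relay"   # user known, sent upstream, still 407
    return "rejected_locally"


def summarize(text):
    """Return (src_ip, src_port, label) for every record in the log text."""
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    return [(r["src_ip"], r["src_port"], classify(r)) for r in records]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row)
```

Two records with the same src_ip and src_port, the first labelled initial_challenge and the second rejected_after_relay, match the pattern in the log excerpt above.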



