[squid-users] can squid handle indirect request from clients ?

snakeeyes ahmed.zaeem at netstream.ps
Wed Feb 18 02:02:19 UTC 2015


Hi Amos,

Let's forget the authentication for now. I don’t need it now; I will use the ACL rules on squid only.

What do I need to configure in squid so that it handles requests from HAproxy?


Note that I see traffic in tcpdump, but no log in access.log.

cheers

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Amos Jeffries
Sent: Monday, February 16, 2015 5:24 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] can squid handle indirect request from clients ?

On 17/02/2015 11:21 p.m., snakeeyes wrote:
> Hi Guys,
>
> I wanted to ask.
>
> If I have a topology as below:
>
> Client====>(HAProxy or redirector)==>squid with ACLs & basic ncsa
> authentication
>
> When the client asks for google.com,
>
> it will pass through the HAproxy, and it will direct the request to
> the squid.
>
> Example =>
>
> Client goes to google.com:80, the HAproxy will send it
> google.com:3128 to the IP of squid.
>

So google are hosting their public web services on port 3128 now? I very much doubt that.

Perhaps you are using HAproxy to receive remotely NAT'ed traffic because it does not complain like Squid?
If so, the NAT lies are still there, just not being *mentioned* by the HAproxy receiver. Those Squid complaints are designed to protect the *entire Internet* (your LAN included) against NAT system misconfiguration problems.



>
> How do I let squid handle this task?
>
> I tried to do natting of any port 80 ==> 3128, but it failed!!!
>

Yeah. Don't do that.

> Any suggestion? Or is it even possible?
>
> Note I have ACLs and authentication @ squid, will it work?
>

Chaining proxies is perfectly fine in HTTP. You just have to know how the HTTP auth framework operates.

 - WWW-Auth* headers are about a user accessing the origin server resources.

 - Proxy-Auth* headers are about a client accessing a proxy.

The small difference in meaning between "client" (the initiating endpoint of a TCP connection) and "user" (the person using some device) matters a lot here.

So...

On the HAproxy->Squid connection, the client is *HAproxy*. Any Proxy-Auth credentials received are considered by Squid to belong to HAProxy itself. Where HAProxy gets them is its own business.

   But be clear, there is no "user" to Squid,
   just a client and that is _HAproxy_ in this setup.

So to perform auth in this setup all you need is to be able to configure HAProxy to send the right credentials on each request. Since HTTP has stateless auth they can be different client credentials representing some different "user" for each request if you want that.

Contact the HAProxy support for help on how to configure it to send credentials to Squid.


NP: if you have Squid-3.5 you can use the PROXY protocol between HAproxy and Squid to relay the end-client TCP connection details down the chain far better than X-Forwarded-For.

Amos
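
The per-hop meaning of the two header families described above, as an added Python example that is not part of the original thread: a front proxy (HAProxy's role) attaches its own Proxy-Authorization for the hop to the parent proxy (Squid's role), while the end-to-end Authorization header passes through unchanged. All function names, logins and passwords are constructed for illustration, and replacing rather than relaying the client's Proxy-Authorization is an assumption about how the front proxy is set up.

```python
import base64

def basic_credentials(user, password):
    """Build the value of a Basic (Proxy-)Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def decode_basic(value):
    """Return the login carried by a Basic credentials value, or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, _ = decoded.partition(":")
    return user if sep else None

def next_hop_headers(received, hop_user, hop_password):
    """Headers the front proxy sends on its own connection to the parent proxy.

    Proxy-Authorization from the end client was addressed to the front proxy,
    so it is dropped and replaced with the credentials chosen for this hop.
    Authorization is for the origin server and is left alone.
    """
    out = [(k, v) for k, v in received if k.lower() != "proxy-authorization"]
    out.append(("Proxy-Authorization", basic_credentials(hop_user, hop_password)))
    return out

def parent_proxy_view(headers):
    """What the parent proxy can learn from the auth headers it receives."""
    view = {"proxy_login": None, "origin_authorization": None}
    for k, v in headers:
        if k.lower() == "proxy-authorization":
            view["proxy_login"] = decode_basic(v)   # the *client* of this hop
        elif k.lower() == "authorization":
            view["origin_authorization"] = v        # relayed, not evaluated
    return view

# Constructed request as received by the front proxy from the end client.
CLIENT_REQUEST = [
    ("Host", "www.example.com"),
    ("Authorization", basic_credentials("alice", "site-password")),
    ("Proxy-Authorization", basic_credentials("alice", "front-proxy-password")),
]

if __name__ == "__main__":
    sent = next_hop_headers(CLIENT_REQUEST, "haproxy-frontend", "constructed-secret")
    print(parent_proxy_view(sent))
```

The login the parent proxy authenticates is the one the front proxy chose to send, which is why its ACLs and logs see the front proxy as the client unless the front proxy maps credentials per request.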