[squid-users] help setting up hierarchy

Alex Samad alex at samad.com.au
Tue Mar 17 05:19:44 UTC 2015


[snip]

>>>
>>> Config questions
>>> 1) how do I get user authentication to flow through
>>>   if a user requests from squid-a and it takes it from squid-b. I
>>> would like the user ids logged on both
>>>   if a user requests from new squid to either squid-a or squid-b. I
>>> would like the auth (which would be done on new-squid) to flow through
>>> to either squid-a or squid-b.
>
> This is not possible with NTLM authentication.
>
> NTLM is authenticating the TCP connection between client and proxy
> underneath the HTTP layer and has a complex handshake setting up
> security token per-connection with the DC server. The TCP connection
> outbound from the proxy is a different connection, and also is not from
> the client.
>
> It's possible with Negotiate/Kerberos or Basic auth. Even though
> Negotiate is also authenticating the TCP connection the handshake is
> simpler and the token can be relayed to the peer proxy.
>
> NP: Though be careful in an environment using NTLM. You may get
> Negotiate/NTLM tokens flowing around, which won't work any more than NTLM
> does.

Sounds like the simplest thing to do is turn on authentication on all
the boxes and allow them non-auth access to each other.


>
>
>> 2) how do I setup ICP to work properly
>
> Use HTCP for better HIT ratio with less false positives in HTTP/1.1.

Ta, I will have to have a read. Does it work? Any examples on how to set it up?

>
>> 3) is the cache_peer to squid-a squid-b from new-squid type parent ?
>
> No. But to get the authentication to work you will need login=PASSTHRU
> parameter (and be using Basic or Negotiate/Kerberos).

What if I just want the authenticated user id to flow through. So the
authentication happens on the office squid and then it forwards to the
DC squid, and the DC squid can log the user name in the user field. Is that
possible?

>
>> 4) do I need to allow ICP clients full access, this is the squid-a to
>> squid-b link ?
>
> You should not have to. However, it also should not matter - when the
> first proxy is doing auth you know the traffic coming out of it is
> authenticated. Not doing auth twice is faster.

Is there a way to say anyone attaching on port X doesn't need to be
authenticated but on port Y does?
My issue is that in the office I have a few Eclipse users who had a
lot of problems with our previous proxy solution. They are set up to
use the office proxy in a non-auth way, but now I want to set up auth on
this squid box. I was thinking there could be a non-auth port and an
auth port.

A


>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
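As an added example (not from either poster), here is a squid.conf fragment for the office proxy that answers the three configuration points raised in the thread: a separate non-auth port restricted to the Eclipse workstations, Basic auth on the main port, and HTCP peering with login=PASSTHRU so the peer proxy sees the user name. Hostnames, ports, the 192.0.2.0/24 range and the helper path are constructed placeholders; the peers are shown as siblings, following Amos's answer that they are not parents, so adjust the type if your topology differs.

```conf
# Added example, not the thread's own configuration. All names/addresses are placeholders.

# Two listening ports: 3128 requires authentication, 3129 does not.
http_port 3128 name=authport
http_port 3129 name=openport
acl authport myportname authport
acl openport myportname openport

# Only the known Eclipse workstations may use the unauthenticated port (constructed range).
acl eclipse_hosts src 192.0.2.0/24

# Basic auth (Negotiate/Kerberos works the same way with PASSTHRU; NTLM does not).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Office proxy
acl authusers proxy_auth REQUIRED

# Peers queried with HTCP rather than ICP; PASSTHRU relays the client's
# Proxy-Authorization header so squid-a/squid-b can log the user name.
cache_peer squid-a.example.com sibling 3128 4827 htcp login=PASSTHRU
cache_peer squid-b.example.com sibling 3128 4827 htcp login=PASSTHRU
icp_port 0
htcp_port 4827

# Order matters: the open port is limited to the listed hosts and denied
# to everyone else, the auth port requires valid credentials.
http_access allow openport eclipse_hosts
http_access deny openport
http_access allow authport authusers
http_access deny all
```

The peer proxies still need their own auth_param and http_access rules that accept the relayed credentials (or trust the office proxy's source address), otherwise the passed-through header is ignored and the user field stays empty.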

