[squid-users] Login/Pass from squid to Squid

Amos Jeffries squid3 at treenet.co.nz
Fri Nov 4 14:50:51 UTC 2016


On 4/11/2016 4:25 a.m., FredB wrote:
> 
>> Authentication credentials represent and verify the identity of your
>> proxy. That is a fixed thing so why would the credentials used to
>> verify
>> that static identity need to change?
> 
> 
> I'm only speaking about users identities, not something like cache_peer login=XXX 
> So each user must have his own ID
> 
>>
>> NP: Proxy-auth is not related to the message itself, but to the
>> transport
>> mechanism. Do not confuse the identity of the proxy/sender with the
>> traffic flowing through it from other sources.
> 
> Yes
> 
>>
>> That said, you can use request_header_add to add whatever headers you
>> like to upstream requests. Even proxy-auth headers. You just can't
>> easily
>> handle any 407 which result from that when the credentials are not
>> accepted. So the ACL you use better be 100% accurate when it matches.
> 
> Ah ok great, so maybe we can imagine something like this
> 
> If an ACL matches a specific address (eg 10.1.1.1) I put Authorization: BASIC Z3Vlc3Q6Z3Vlc3QxMjM= ?
> It's what I was talking about helper, maybe a separate program should be better for matching IP=USERNAME 
> 
> If there are many users the ACL will be very long and complex ...
> 


Use "login=PASS" (exact string) on the cache_peer.

Along with an http_access check that uses an external ACL helper which
produces "OK user=X password=Y" for whatever credentials need to be sent.

NP: on older Squid that may be "pass=" instead of "password=".

Amos
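
The helper side of the setup described above, as an added example that is not part of the original post or of Squid itself: an external ACL helper that maps the client address (%SRC) to the credentials relayed through a login=PASS peer. The helper path, ACL names, peer host and credential table are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Hypothetical external ACL helper: maps a client IP to the credentials
# Squid should relay to the parent when cache_peer uses login=PASS.
#
# Assumed squid.conf wiring (names, path and peer host are placeholders):
#   external_acl_type peer_creds ttl=300 %SRC /usr/local/bin/peer_creds.py
#   acl has_peer_creds external peer_creds
#   http_access allow has_peer_creds
#   cache_peer parent.example.net parent 3128 0 no-query login=PASS
import ipaddress
import sys
from urllib.parse import quote

# Constructed sample mapping; a real deployment would load this from a
# file readable only by the Squid user.
CREDENTIALS = {
    "10.1.1.1": ("guest", "guest123"),
    "10.1.1.2": ("alice", "s3cret word"),
}


def answer(line, table=CREDENTIALS):
    """Return the helper reply for one request line (first token = %SRC)."""
    fields = line.split()
    if not fields:
        return "ERR"
    try:
        # Validate and normalise the address before using it as a key.
        ip = str(ipaddress.ip_address(fields[0]))
    except ValueError:
        return "ERR"
    creds = table.get(ip)
    if creds is None:
        # Unknown client: no match, so no credentials are attached.
        return "ERR"
    user, password = creds
    # Reply values must be single tokens, so URL-escape them.
    # Older Squid may expect "pass=" instead of "password=".
    return "OK user=%s password=%s" % (quote(user, safe=""),
                                       quote(password, safe=""))


def main():
    # Squid sends one request per line and waits for one reply line.
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because unknown or malformed addresses get ERR, the allow rule only matches clients that have an entry in the table.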


