[squid-users] Authentication pass-through cache_peer
Amos Jeffries
squid3 at treenet.co.nz
Mon Nov 21 14:42:36 UTC 2016
On 22/11/2016 1:33 a.m., Eduardo Carneiro wrote:
> Hi all.
>
> Sorry if this is already answered here. But I couldn't find any clear tips
> about this topic.
>
> I'm using Squid 3.5.19 with dynamic content caching in a huge user base
> (almost 10.000). Due to the large number of requisitions, internet access is
> getting very slow.

FYI: first optimization should be removing NTLM. It doubles the number
of HTTP messages required for clients to do anything, and requires the
proxy to disable many HTTP performance features.

>
> So I decided to use cache_peer to balance the traffic between servers. Would
> be a basic environment. One child (that receives the requisitions of the
> users) and three parent servers in a cluster. The problem is the
> authentication.
>
> Today I use NTLM to authenticate my accesses (in an AD Win2008). I have read
> here that Squid doesn't support NTLM pass-through between child -> parent
> servers.

Squid does support pass-through. Just use login=PASSTHRU in the child
proxy cache_peer lines.

What it doesn't support is using obsolete NTLM protocol to authenticate
_itself_ to parent proxies. (Yes NTLM was formally deprecated by MS in
April 2006).

>
> The question I have is: Is there any way to send user authentication
> credentials of the child server to parent servers transparently? Without
> need to enter username and password in the browser authentication box?

  cache_peer ... login=PASSTHRU

Requires that the frontend proxy using this does not do authentication
itself. That is done solely by the peer receiving the credentials.

HTH
Amos
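
An added example, not part of the original message or of Squid itself: a small Python check for the constraint described in the reply, that a frontend whose cache_peer lines use login=PASSTHRU does no authentication of its own. The sample configurations, hostnames, helper path and function names are constructed for illustration.

```python
# Constructed sample of a child (frontend) squid.conf; hostnames are placeholders.
CHILD_CONF = """\
http_port 3128
acl localnet src 10.0.0.0/8
cache_peer parent1.example.net parent 3128 0 no-query round-robin login=PASSTHRU
cache_peer parent2.example.net parent 3128 0 no-query round-robin login=PASSTHRU
cache_peer parent3.example.net parent 3128 0 no-query round-robin login=PASSTHRU
never_direct allow all
http_access allow localnet
http_access deny all
"""

# Same file, but the frontend still authenticates users itself
# (the helper path is a placeholder, not a real install location).
BROKEN_CONF = CHILD_CONF + (
    "auth_param ntlm program /path/to/ntlm_helper\n"
    "acl authed proxy_auth REQUIRED\n"
)

def directives(conf):
    """Yield (line number, tokens) for each directive, skipping blanks and comments."""
    for lineno, line in enumerate(conf.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield lineno, stripped.split()

def check_passthru_child(conf):
    """Return (line number, message) findings for a credential-relaying frontend."""
    findings, peers = [], 0
    for lineno, tok in directives(conf):
        if tok[0] == "cache_peer":
            peers += 1
            if "login=PASSTHRU" not in tok[1:]:
                findings.append((lineno, f"peer {tok[1]} lacks login=PASSTHRU"))
        elif tok[0] == "auth_param":
            findings.append((lineno, "frontend configures its own authentication"))
        elif tok[0] == "acl" and len(tok) > 2 and tok[2].startswith("proxy_auth"):
            findings.append((lineno, f"ACL {tok[1]} makes the frontend authenticate"))
    if peers == 0:
        findings.append((0, "no cache_peer lines found"))
    return findings

if __name__ == "__main__":
    for name, conf in (("child", CHILD_CONF), ("broken", BROKEN_CONF)):
        for lineno, msg in check_passthru_child(conf) or [(0, "ok")]:
            print(f"{name}:{lineno}: {msg}")
```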