[squid-users] Authentication pass-through cache_peer
Eduardo Carneiro
eduardoocarneiro at gmail.com
Mon Nov 21 15:17:53 UTC 2016
Amos Jeffries wrote
> On 22/11/2016 1:33 a.m., Eduardo Carneiro wrote:
>> Hi all.
>>
>> Sorry if this is already answered here. But I couldn't find any clear
>> tips
>> about this topic.
>>
>> I'm using Squid 3.5.19 with dynamic content caching in a huge user base
>> (almost 10.000). Due to the large number of requisitions, internet access
>> is
>> getting very slow.
>
> FYI: first optimization should be removing NTLM. It doubles the number
> of HTTP messages required for clients to do anything, and requires the
> proxy to disable many HTTP performance features.
>
>>
>> So I decided to use cache_peer to balance the traffic between servers.
>> Would
>> be a basic environment. One child (that receive the requisitions of the
>> users) and three parent servers in a cluster. The problem is the
>> authentication.
>>
>> Today I use NTLM to authenticate my accesses (in a AD Win2008). I have
>> read
>> here, that Squid doesn't support ntlm pass-through between child ->
>> parent
>> servers.
>
> Squid does support pass-through. Just use login=PASSTHRU in the child
> proxy cache_peer lines.
>
> What it doesn't support is using obsolete NTLM protocol to authenticate
> _itself_ to parent proxies. (Yes NTLM was formally deprecated by MS in
> April 2006).
>
>>
>> The question I have is: There is any way to send user authentication
>> credentials of the child server to parent servers transparently? Without
>> need to enter username and password in the browser authentication box?
>
> cache_peer ... login=PASSTHRU
>
> Required that the frontend proxy using this does not do authentication
> itself. That is done solely by the peer receiving the credentials.
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at .squid-cache
> http://lists.squid-cache.org/listinfo/squid-users
Thanks for the answers.
So, Amos, if I to use Negotiate/Kerberos or any basic auth, the PASSTHRU
parameter will works for my purpose. That's right?
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Authentication-pass-through-cache-peer-tp4680587p4680590.html
Sent from the Squid - Users mailing list archive at Nabble.com.
More information about the squid-users
mailing list