[squid-users] Squid as Kerberos client?

Patrick Nick peedee.nick at gmail.com
Thu Mar 15 10:52:41 UTC 2018


Thanks Amos, this sounded promising. Unfortunately the behavior I observe
is not what I expect.
So I added the following config:

cache_peer my.company.webserver.net parent 8081 0 no-query
login=NEGOTIATE:myPrincipal

But now squid still does not do the SPNEGO negotiation. I can see in the
logs that it connects to the specified "parent" cache_peer, which returns
"401 Unauthorized" as expected. But then squid just returns that to the
client instead of sending another request with the Kerberos ticket to
complete the negotiation.
Am I misunderstanding what's supposed to happen?
Or am I not configuring it right? (The keytab is readable by the squid user)

On Thu, Mar 15, 2018 at 9:44 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 15/03/18 11:01, Patrick Nick wrote:
> > It consumes the data for its graphs from a REST API via HTTP, on ports
> > in the 8000-9000 range.
> >
>
> Then you can use cache_peer from the proxy to the origin server. See the
> "AUTHENTICATION OPTIONS" section for how to send various types of
> credentials to that peer.
> <http://www.squid-cache.org/Doc/config/cache_peer/>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180315/0215bfd7/attachment.html>


More information about the squid-users mailing list