[squid-users] Squid 4.x: cache_peer PROXY_PROTOCOL support with squid parents

Amos Jeffries squid3 at treenet.co.nz
Sat Feb 23 03:06:59 UTC 2019


On 23/02/19 2:45 am, David Touzeau wrote:
> Hi,
>
> We would like to use this infrastructure:
>
> Squid-cache client authentication 1 --------
>                                             | ----> Squid Parent with ACLs per user/LDAP groups/Web filtering ---> INTERNET
> Squid-cache client authentication 2 --------
>
> Currently this kind of infrastructure cannot be done because the Squid
> that acts as a client did not send credentials information to the parent
> proxy.
> 

There are many types of "client authentication" that can exist in
multiple nested protocol layers:

* HTTP WWW-Auth* credentials

* HTTP Proxy-Auth* credentials

* TLS client X.509 certificate

* CONNECT tunnel Proxy-Auth*

* TCP connection-auth scheme credentials (NTLM, Negotiate)

* IPSEC key exchange

* EUI

* IDENT user name

Which one(s) are you talking about?


> 
> We think it should be done if the cache_peer is compliant with
> PROXY_PROTOCOL rfc as the http_port is already compliant.
> 

What are you thinking PROXY would be doing to help with the situation?

Keep in mind that the PROXY header needs to be sent before any other
bytes on the server connection. Which immediately limits the cases where
any type of client information is available.


> 
> Do you have plans to add PROXY_PROTOCOL inside cache_peer feature?
>

To whom are you addressing this question?


Cheers,
Amos
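
An added illustration, not part of the original thread and not Squid code: a parser for the PROXY protocol version 1 text header that accepts it only as the first bytes of a connection and returns what it carries (address family, addresses, ports) separately from the HTTP bytes that follow. The function names, addresses and the sample request are constructed for this example.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 line, CRLF included


def build_v1(src, dst, sport, dport):
    """Build the v1 line a sender writes before any other bytes."""
    fam = "TCP4" if ipaddress.ip_address(src).version == 4 else "TCP6"
    return f"PROXY {fam} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def split_v1(stream):
    """Split a connection's first bytes into (header fields, remaining bytes).

    Raises ValueError unless a well-formed v1 header is the very first
    thing on the connection.
    """
    if not stream.startswith(b"PROXY "):
        raise ValueError("PROXY header is not the first bytes on the connection")
    end = stream.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("no CRLF within the first 107 bytes")
    parts = stream[:end].decode("ascii").split(" ")
    rest = stream[end + 2:]
    if parts[1] == "UNKNOWN":
        return {"family": "UNKNOWN"}, rest
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    if not (parts[4].isdigit() and parts[5].isdigit()):
        raise ValueError("ports must be decimal")
    sport, dport = int(parts[4]), int(parts[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return {"family": parts[1], "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport}, rest


# Constructed sample: bytes a parent might read from a child proxy's connection.
# The credentials header only appears in the HTTP bytes after the PROXY line.
SAMPLE = build_v1("192.0.2.10", "198.51.100.5", 51234, 3128) + (
    b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
    b"Proxy-Authorization: Basic <placeholder>\r\n\r\n")
```
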

