[squid-users] squid 4/5 feature request send login informations to peers
Amos Jeffries
squid3 at treenet.co.nz
Tue Nov 17 10:43:57 UTC 2020
On 17/11/20 9:27 pm, David Touzeau wrote:
>
> Hi,
>
> We have a first Squid using Kerberos + Active Directory authentication.
> This first Squid is used to limit access using ACLs and Active Directory
> groups.
>
> This first Squid uses parents as peers in order to access the internet in
> this way:
>
>                       | --------> SQUID B ----------> Internet 1
> squid A ------------->
>                       | ---------> SQUID C ---------> Internet 2
>
> 1) We want to use ACLs too (for delegation purposes) on Squid B and C
> 2) For legal log compliance purposes.
>
> In this case, the username discovered in SQUID A must be transmitted to
> SQUID B AND C, and SQUID B-C must accept the information in order to use
> it as login information to parse ACLs.
>
> Is it possible?
You can send the username. But the security token is tied to the
client<->SquidA TCP connection - it cannot be validated by other servers
than SquidA.
This should not matter though. Since Squid A is only permitting
authenticated traffic you can *authorize* at Squid B and C based only on
the source being one of your Squids with a valid username.
>
> If not: we have seen that the Proxy protocol accepts transmitting the
> source IP/login information to peers that are compliant with the proxy
> protocol.
> But the peer method in Squid does not allow using the Proxy protocol.
> Is it possible to add "Proxy Protocol" support in the peer method?
>
It is possible to implement (for Squid-6 at the earliest) PROXYv2 for
cache_peer. But the credentials' security token remains tied to the SquidA
service.
Amos
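As an added illustration of the approach Amos describes (squid.conf fragments written for this reply, not configuration from the thread or from the Squid project): Squid A authenticates with Kerberos and forwards only the username to its parents; Squid B accepts that username solely from Squid A's address and applies its own ACLs to it. The hostnames, the 10.0.0.10 address, the helper paths and the shared secret are placeholders, and the basic_fake_auth helper is assumed to be installed on Squid B/C.

```conf
# --- Squid A (constructed example): Kerberos/AD authentication of browsers,
# then forward only the AD username to the parents ---
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s HTTP/squid-a.example.internal@EXAMPLE.INTERNAL
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
# login=*:password sends the authenticated username to the parent as a Basic
# credential with one fixed password. The Kerberos token itself is not sent;
# it is only valid on the client<->Squid A connection, as Amos notes.
# Basic credentials are cleartext, so keep the peer link on a trusted network
# or add the cache_peer "tls" option (Squid 4+).
cache_peer squid-b.example.internal parent 3128 0 no-query login=*:PLACEHOLDER_PEER_SECRET name=squidB
cache_peer squid-c.example.internal parent 3128 0 no-query login=*:PLACEHOLDER_PEER_SECRET name=squidC
never_direct allow all

# --- Squid B (C is configured identically): trust the forwarded username only
# when it arrives from Squid A, then log it and apply per-user ACLs ---
# basic_fake_auth accepts any username/password without checking them, so the
# real control is the source-address restriction: anyone else who could reach
# this port would otherwise be able to claim an arbitrary username.
auth_param basic program /usr/lib/squid/basic_fake_auth
auth_param basic children 5 startup=0 idle=1
auth_param basic realm peer-forwarded-identity
auth_param basic credentialsttl 2 hours
acl fromSquidA src 10.0.0.10/32                 # placeholder: Squid A's address
acl authenticated proxy_auth REQUIRED
acl delegated_users proxy_auth "/etc/squid/delegated_users.txt"   # one username per line
http_access deny !fromSquidA        # nothing but Squid A may use this parent
http_access deny !authenticated     # username must be present; it is logged as %un
http_access allow delegated_users
http_access deny all
```

Because the username reaches Squid B as ordinary proxy credentials, the default access.log already records it in the user field, which covers the logging requirement without any PROXY protocol support on the peer link.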