[squid-users] squid 4/5 feature request send login informations to peers
David Touzeau
david at articatech.com
Thu Nov 19 17:17:01 UTC 2020
Thanks Amos
You mean using "login=PASS" in the peer settings, and in proxy parents B and
C using the "basic_fake_auth" helper to "simulate" the requested auth?
On 17/11/2020 at 11:43, Amos Jeffries wrote:
> On 17/11/20 9:27 pm, David Touzeau wrote:
>>
>> Hi,
>>
>> We have a first Squid using Kerberos + Active Directory authentication.
>> This first Squid is used to limit access using ACLs and Active
>> Directory groups.
>>
>> This first Squid uses parents as peers in order to access the internet
>> in this way:
>>
>>                       | --------> SQUID B ----------> Internet 1
>> squid A ------------->
>>                       | --------> SQUID C ----------> Internet 2
>>
>> 1) We want to use ACLs too (for delegation purposes) on Squid B and C
>> 2) For legal log compliance purposes.
>>
>> In this case, the username discovered in SQUID A must be transmitted
>> to SQUID B and C, and SQUID B and C must accept the information in order
>> to use it as login information to parse ACLs.
>>
>> Is it possible?
>
> You can send the username. But the security token is tied to the
> client<->SquidA TCP connection - it cannot be validated by other
> servers than SquidA.
>
> This should not matter though. Since Squid A is only permitting
> authenticated traffic you can *authorize* at Squid B and C based only
> on the source being one of your Squid with valid username.
>
>
>>
>> If not: we have seen that the Proxy protocol can transmit the
>> source IP/login information to peers that are compliant with the Proxy
>> protocol,
>> but the peers method in Squid does not allow using the Proxy protocol.
>> Is it possible to add "Proxy Protocol" support to the peers method?
>>
>
> It is possible to implement (for Squid-6 earliest) PROXYv2 for
> cache_peer. But the credentials security token remains tied to SquidA
> service.
>
>
> Amos
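One way to configure what the thread describes, as an added example that is not part of the original messages: Squid A forwards the authenticated username to its parents, and Squid B/C accept it through `basic_fake_auth` while authorizing only traffic that comes from Squid A. It assumes the documented `login=*:password` form of the `cache_peer` login option (username forwarded with a fixed password); the peer hostnames, the 192.0.2.10 address, the `CHANGE_ME` password, the helper path and the usernames are placeholders.

```conf
# ---------- Squid A (front proxy; Kerberos/AD auth_param already set) ----------
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# Forward the username Squid A authenticated, with a fixed password,
# as a Basic Proxy-Authorization header. Hostnames are placeholders.
cache_peer squid-b.example.internal parent 3128 0 no-query login=*:CHANGE_ME name=peerB
cache_peer squid-c.example.internal parent 3128 0 no-query login=*:CHANGE_ME name=peerC

# Never bypass the parents, so every request reaches B or C with a username.
never_direct allow all

# ---------- Squid B and Squid C (parents) ----------
# basic_fake_auth accepts any username/password pair without verifying it.
# The username is therefore only trustworthy when the request comes from
# Squid A, which already authenticated the user. Helper path varies by distro.
auth_param basic program /usr/lib/squid/basic_fake_auth
auth_param basic realm parent-proxy

# Placeholder address of Squid A; list every front proxy you operate.
acl from_squid_a src 192.0.2.10/32

# Constructed usernames for a delegation ACL on this parent.
acl delegated_users proxy_auth alice bob

# Order matters: reject anything not coming from Squid A before any
# username-based rule is evaluated, otherwise a client that reaches the
# parent directly could claim any username.
http_access deny !from_squid_a
http_access allow delegated_users
http_access deny all

# The default "squid" logformat records the forwarded username (%un),
# so access.log on B and C carries the login for log compliance.
access_log daemon:/var/log/squid/access.log squid
```

The forwarded header is plain Basic authentication, so the link between Squid A and its parents should be a network path you control.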