Re: [squid-users] WCCP and parent authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 18 Aug 2010 02:21:14 +0000

On Tue, 17 Aug 2010 14:00:57 -0500, "Dean Weimer" <dweimer_at_orscheln.com> wrote:
> I know when using squid as an intercept proxy it can't do authentication
> as the clients don't know it's there, but do any of you out there know if
> you can use it with a parent proxy that requires authentication?
>
> The specific scenario I am considering is Squid in DMZ with WCCPv2 used in
> conjunction with a Cisco ASA 5520 firewall and an external (Websense
> filtering) proxy that requires authentication; both NTLM and basic
> authentication are supported.
>
> Clients
> |
> Cisco ASA5520 -WCCPv2- Squid 3.1.6 (In DMZ) -- Secondary Internet Connection -- Parent Proxy Service
> |
> Internet
>
> We are currently using auto-detect, but continually keep running into
> applications that don't recognize auto-detect, or sometimes don't even have
> the ability to read a configuration script. I am trying to come up with a
> way to alleviate the user's issues, without losing our local cache. And
> keeping the HR and Legal departments happy by continuing to filter websites
> with content that some could find offensive, as well as blocking unsafe
> (malware/spyware) websites.

1) IF the client thinks it's talking to the parent proxy. cache_peer
login=PASS (or login=PASSTHRU) will pass on the credentials without
requiring auth within Squid.

2) IF Squid itself needs to login to the parent. cache_peer login= with
username:password will insert the given login to relayed requests.

NP: Older Squid only allows Basic auth protocol credentials to be added
this way. 3.2 brings the ability to do Negotiate/Kerberos as well. NTLM
remains a sticky problem.

This login= is only relevant once on a cache_peer entry. So only one or the
other can be used at once. #2 is probably better/simpler for you since the
clients are not involved in the auth process.

Hope this helps.

Amos
Received on Wed Aug 18 2010 - 02:21:19 MDT
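
The two cache_peer options described in the reply above, written out as a squid.conf fragment. This is an added example, not part of the original message; the parent hostname, both port numbers and the credentials are placeholders, and the WCCPv2 directives are left out.

```conf
# squid.conf fragment (constructed example; host, ports and credentials are placeholders)

# Traffic redirected by the WCCPv2 router arrives on the intercept port.
http_port 3129 intercept

# Option 2 from the reply: Squid itself logs in to the parent.
# The given username:password is added as Basic credentials to each relayed request.
cache_peer parent.example.net parent 8080 0 no-query default login=squiduser:CHANGE_ME

# Option 1, shown for comparison: relay the credentials the client sent,
# with no authentication inside Squid. Only one login= can be used on a
# cache_peer entry, so this alternative stays commented out.
#cache_peer parent.example.net parent 8080 0 no-query default login=PASS

# Send every request through the parent so nothing bypasses its filtering.
never_direct allow all
```

With option 2 the password sits in clear text in squid.conf and travels to the parent as Basic credentials, so the file should be readable only by the Squid service account and its administrators.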
