RE: [squid-users] Reverse proxy with LDAP authentication

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 23 Sep 2008 11:34:02 +1200 (NZST)

>> -----Original Message-----
>> From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
>> Sent: Friday, September 19, 2008 2:31 PM
>> To: Andrew Struiksma
>> Cc: 'squid-users_at_squid-cache.org'
>> Subject: Re: [squid-users] Reverse proxy with LDAP authentication
>>
>> On fre, 2008-09-19 at 13:04 -0700, Andrew Struiksma wrote:
>> > We have a company intranet server running Apache2 on Debian 4.
>> > Currently it is only available on our LAN. We would like to make it
>> > available outside our LAN. However, we want users to have to
>> > authenticate against our Active Directory when they are coming from
>> > the outside. Once they have authenticated, they should have full
>> > access to the internal website. Is this something that Squid can do?
>>
>> Yes, with some limitations.
>>
>> The limitation is that there is only one authentication slot
>> in HTTP, so if the web server also uses HTTP authentication
>> then it needs to use the exact same authentication (basic
>> authentication to the same password backend), or you need to
>> set up a special authentication peering between the two (see
>> the login= cache_peer option).
>>
>>
>> Note: If the web server is only using cookie based forms
>> authentication then there is nothing to worry about.
>
> The main website used form based cookie authentication but can also use
> HTTP authentication. Is there a sample squid.conf on how to perform the
> reverse proxy + AD authentication?
>
> Thanks for the info.
>
> Andrew
>

Accelerator mode uses the WWW-Authentication headers for auth just like
any web server would. To pass it back further to the real webserver the
cache_peer gets a small tweak:

http://wiki.squid-cache.org/SquidFaq/ReverseProxy#head-c59962b21bb8e2a437beb149bcce3190ee1c03fd

Amos
Received on Mon Sep 22 2008 - 23:34:07 MDT
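
A squid.conf sketch of the setup discussed in this thread, added here as an illustration and not taken from any poster's message or from the Squid wiki. The host names, addresses, base DN, bind account, secret file and helper path are all assumptions to replace with local values.

```conf
# Added example: reverse proxy (accelerator) in front of an intranet web
# server, with Basic authentication checked against Active Directory over LDAP.
# Every name, address and path below is a placeholder (assumption).

# Listen as an accelerator for the published site. Basic credentials are
# only base64-encoded, so externally this listener should be reached over
# TLS (https_port with a certificate) rather than plain HTTP.
http_port 80 accel defaultsite=intranet.example.com

# Origin server. login=PASS relays the credentials the user gave Squid on
# to the web server, for the case where the origin also uses HTTP
# authentication against the same password backend. Omit login= when the
# origin only uses cookie/forms authentication.
cache_peer 192.0.2.10 parent 80 0 no-query originserver login=PASS name=intranet

# LDAP helper: look the user up by sAMAccountName and bind as that user.
# -R disables referral chasing (usually needed with AD); -W reads the bind
# password from a file so it does not sit in squid.conf.
# The helper path varies by distribution (assumption).
auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=example,dc=com" -D "squid@example.com" -W /etc/squid/ldap_bind.secret -f "sAMAccountName=%s" -h dc1.example.com
auth_param basic children 5
auth_param basic realm Company intranet
auth_param basic credentialsttl 2 hours

acl intranet_site dstdomain intranet.example.com
acl lan src 192.168.0.0/16
acl ad_user proxy_auth REQUIRED

# LAN clients reach the site without a login prompt; everyone else must
# authenticate. Anything not addressed to the published site is refused,
# so the proxy cannot be used as an open relay.
http_access allow intranet_site lan
http_access allow intranet_site ad_user
http_access deny all

# Only requests for the published site are sent to the origin peer.
cache_peer_access intranet allow intranet_site
cache_peer_access intranet deny all
```

The bind-password file should be readable only by the user Squid runs as.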
