Re: [squid-users] forwarding domain requests with login

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 28 Mar 2002 16:11:19 +0100

Van Bossche Koen wrote:

> 1/ requests from different users for specific domains being forwarded to
> other proxy as user kaiweb. All other requests going to the default parent
> to the internet with normal defined acl's.

This you do by dstdomain and cache_peer_access.

> 2/ this other proxy (only being used for this purpose) does not
> authenticate kaiweb and allows this user to go everywhere on the internet

You cannot have users without authentication.

> It is important users do not see this account, so cannot abuse internet
> access using it.

The "login=..." accounts are not visible to the end user, unless the peer
generates an error message mentioning the user name.

> I have been playing around with it and do not get it working properly.
> Forwarding to another proxy using kaiweb for specific domains does not
> work. I assume using cache_peer login=user:pass means one of the 2 proxies
> still has to authenticate. I also found I cannot use smb_auth on the one
> proxy and ntlm_auth on the other, so it would be smb_auth on both.

The one doing user based access controls needs to authenticate if you want to
use user based access control.

> I have it configured like this and it does not forward anything to the
> other proxy for the specific domains. Probably I am overlooking something.
> On the parent proxy I have configured port 8888 and authentication required
> disabled.
> On the proxy the users are connecting to, I have:
> cache_peer 138.249.161.5 parent 8888 0 proxy-only no-query no-digest
> no-netdb-exchange login=kaiweb:pass
> cache_peer 138.249.118.136 parent 8080 8081 no-digest no-netdb-exchange
>
> acl course dstdomain "/etc/squid/coursedomains"
> acl internetacl proxy_auth REQUIRED
> acl courseusr proxy_auth "/var/squid/auth/course-users"
>
> cache_peer_access 138.249.161.5 allow course courseusr
> cache_peer_access 138.249.118.136 allow course !courseusr

Not entirely sure what your goal is with the above. It looks odd, and most
likely won't work, as requests matching "course" do not require proxy_auth in
your http_access rules below, and I do not think cache_peer_access can
trigger a request for authentication.

> http_access allow course
> http_access allow courseusr
> http_access allow internetacl

Why do you have both courseusr and internetacl here? What is not matched by
courseusr will be matched by internetacl.

> http_access deny all
> never_direct allow all
> prefer_direct off
>
> I have no errors but the forwarding to the other proxy does not work. Any
> suggestions what I might be doing wrong?

I think you need to review your cache_peer_access and http_access rules.
These clearly are not entirely correct.

You did not mention the authentication requirements for the first proxy, so I
don't know what your intentions are here.

Regards
Henrik Nordström
Received on Thu Mar 28 2002 - 08:11:23 MST
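One way to arrange the rules Henrik points at, as an added example that is not Henrik's or the poster's own configuration: a request for a "course" domain is authenticated on the first proxy and is forwarded to the kaiweb peer only for users listed in the course-users file; everything else goes to the default parent as before. The peer addresses, ports, file paths and the kaiweb login are taken from the quoted post; the reading of the intended policy and the rule order are assumptions, and the authentication program line is left out because its syntax depends on the Squid version.

```conf
# Added example, not the poster's or Henrik's configuration.
# The authentication helper (smb_auth in the post) is configured elsewhere;
# that directive is omitted here as it differs between Squid versions.

acl all src 0.0.0.0/0.0.0.0
acl course dstdomain "/etc/squid/coursedomains"
acl courseusr proxy_auth "/var/squid/auth/course-users"
acl internetacl proxy_auth REQUIRED

# Peers as in the post. The login= credentials go only to the first peer and
# are never sent back to the browser (see Henrik's remark above).
cache_peer 138.249.161.5 parent 8888 0 proxy-only no-query no-digest no-netdb-exchange login=kaiweb:pass
cache_peer 138.249.118.136 parent 8080 8081 no-digest no-netdb-exchange

# http_access: the first matching line wins. Keeping courseusr on the same
# line as course means a course-domain request is allowed only once the user
# has authenticated as a listed course user; an unauthenticated request for
# those domains is challenged for credentials here, on the first proxy,
# instead of being handed to cache_peer_access without a user name.
http_access allow course courseusr
http_access allow internetacl
http_access deny all

# Peer selection runs after http_access, so the user is already known here.
# Course users' course-domain requests go to the kaiweb peer and nowhere else;
# everything else (including course domains for non-course users, as in the
# original post) goes to the default parent.
cache_peer_access 138.249.161.5 allow course courseusr
cache_peer_access 138.249.161.5 deny all
cache_peer_access 138.249.118.136 deny course courseusr
cache_peer_access 138.249.118.136 allow all

never_direct allow all
prefer_direct off
```

The two ACLs on one http_access line are the point of the example: with `allow course` on its own line, as in the post, a course-domain request is allowed before any user name exists, and cache_peer_access then has nothing to match courseusr against.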
