Yes, you are still inside the firewall with no direct connection to the
Internet.
The FAQ entry applies to all sibling or child caches.
Regards
Henrik
mån 2003-02-17 klockan 00.43 skrev Chris Vaughan:
> I should point out that this is the layout of the proxies and the firewall:
>
> sibling <=====> parent <=====> firewall <=====> internet
> cache cache
>
> Is section 4.8 of the F.A.Q. still relevant in this instance?
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Monday, 17 February 2003 9:48 AM
> To: Chris Vaughan
> Subject: Re: [squid-users] NTLM authentication in Cache Hierachy
>
>
> 4.8 How do I configure Squid to work behind a firewall?
>
>
> Chris Vaughan wrote:
> >
> > Our firewall is a separate device which the proxy server is allowed access
> > through. What part of the F.A.Q. so you refer to?
> >
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > Sent: Friday, 14 February 2003 8:47 PM
> > To: Chris Vaughan
> > Subject: Re: [squid-users] NTLM authentication in Cache Hierachy
> >
> > In such case you need to see the Squid FAQ on how to use Squid within a
> > proxy based firewall.. (hierachy_stoplist is not the correct directive
> > to change).
> >
> > Regards
> > Henrik
> >
> > Chris Vaughan wrote:
> > >
> > > Thanks,
> > >
> > > I also found that in our situation it was not appropriate to include a
> > > hierachy_stoplist statement, as only our parent caches have access
> through
> > > our firewall.
> > >
> > > -----Original Message-----
> > > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > > Sent: Friday, 14 February 2003 12:20 PM
> > > To: Chris Vaughan
> > > Cc: 'squid-users@squid-cache.org'
> > > Subject: Re: [squid-users] NTLM authentication in Cache Hierachy
> > >
> > > The browser can only authenticate to the first proxy. This is a
> > > limitation of the HTTP protocol. It is then the responsibility of this
> > > proxy to authenticate to any upstream proxy if required.
> > >
> > > When using Basic HTTP authentication you can chain the authentication on
> > > multiple proxies IFF all of them shares the same password database. See
> > > the cache_peer login= option. This also works for Digest if the first
> > > proxy is not doing any authentication, but cannot be used for proxying
> > > the NTLM authentication scheme.
> > >
> > > If using NTLM of Digest scheme on the first proxy you cannot forward the
> > > authentication of the client to the upstream proxy. Your alternatives
> > > are then to either
> > >
> > > a) Reconfigure the upstream to allow requests from the sibling without
> > > requiring authentication
> > >
> > > b) Use the login= cach_peer option on the sibling to specify which
> > > user the sibling should authenticate as to the upstream proxy.
> > >
> > > Regards
> > > Henrik
> > >
> > > Chris Vaughan wrote:
> > > >
> > > > Greetings.
> > > >
> > > > I am trying to authenticate from a sibling cache using ntlm, sending
> > > > requests out through a parent.
> > > >
> > > > If the parent uses NCSA auth, the sibling serves back pages that
> cannot
> > be
> > > > navigated due to authentication failures.
> > > >
> > > > If the parent is also using ntlm, then a password/userid prompt, that
> > will
> > > > not accept any input, appears.
> > > >
> > > > Any Ideas?
> > > >
> > > > ***************************************************************
> > > > This message is intended for the addressee named and
> > > > may contain confidential information. If you are not the
> > > > intended recipient, please delete it and notify the sender.
> > > > Views expressed in this message are those of the
> > > > individual sender, and are not necessarily the views of the
> > > > Department of Information Technology & Management.
> > > >
> > > > This email message has been swept by MIMEsweeper
> > > > for the presence of computer viruses.
> > > > ***************************************************************
-- Henrik Nordstrom <hno@squid-cache.org> MARA Systems AB, SwedenReceived on Mon Feb 17 2003 - 04:50:05 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:25 MST