[squid-users] About Auth and Multiple Squid

From: Fernando Maior <fernando@dont-contact.us>
Date: Tue, 4 Nov 2003 14:47:25 -0300 (BRT)

Dear All,

I am running one instance of squid (2.5.STABLE4) that
requires users be authenticated against LDAP. This is
running fine as it should be, for more than six months.

But we are a network of branch offices, and now it is
time to bring them together to access the internet via
a single connection: at the main office.

I did try the following:

user -- squid 1 -- squid 2 -- internet
                      \
                       ldap

Squid1 was configured to listen on 3128 and not to
require the user to authenticate, and to send requests
up to Squid2, which is already configured and requires
the user to authenticate against LDAP. I configured my
Firebird to be proxied by Squid1, and tried to
reach the dear internet. Nope. It pops up the authentication
window every time I click the "OK" button, again and
again.

Squid1 log says (stripped of info at the beginning of the line):
UDP_MISS/000 43 ICP_QUERY http://www.novell.com/ - NONE/-
TCP_DENIED/407 1758 GET http://www.novell.com/ - NONE/- text/html

Squid2 log says:
TCP_MISS/407 1802 GET http://www.novell.com/ fernando TIMEOUT_DEFAULT_PARENT/192.168.1.13 text/html
TCP_MISS/407 1802 GET http://www.novell.com/ fernando TIMEOUT_DEFAULT_PARENT/192.168.1.13 text/html

Also, I did some searching for "squid authentication between
two proxies" on Google and found an email that states that
you cannot have two authenticating proxies in a chain,
because it breaks HTTP rules.

So, I wonder whether it is possible, and how, to have a squid for
each branch and a main squid in our main office, and have
everybody authenticated against LDAP.

I have an idea that I will put to you for comments. I feel
the main problem is that everybody in our main office
authenticates through Squid2. Well, if I put another Squid in
our main office and make all users authenticate against it,
and turn the current Squid2 into a non-authenticating proxy, I
can have proxies in each branch office authenticating users
against LDAP. Like this:

Main office
user -- squid LAN -- squid WAN -- internet
            \
             ldap

Other offices
user -- squid LAN -- squid WAN -- internet
            \
             ldap

The main office squid LAN and squid WAN will both be at the main
office. The other offices' squid LANs will be local to those offices,
and their squid WAN is the same one as the main office's.

The squid LANs will authenticate against LDAP; the squid WAN will
not require authentication, acting as parent proxy for all the
squid LAN proxies.

What do you think?

-- 
Bye,
Fernando Maciel Souto Maior
fernando@araujo.com.br
http://www.araujo.com.br
+55+31 3270-5886
LPIC-1!31908
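One way to write the LAN/WAN split proposed in the post above as two squid.conf fragments, using Squid 2.5 directives. This is an added example, not part of the original post and not a configuration from the poster; the LDAP server name, base DN, proxy addresses and network ranges are assumptions chosen for illustration.

```conf
###########################################################
# squid LAN (one per office): authenticates users against
# LDAP and forwards everything to the squid WAN parent.
###########################################################

# squid_ldap_auth ships with Squid 2.5; base DN and server
# name are assumptions for this example.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=com" ldap.example.com
auth_param basic children 5
auth_param basic realm Branch office proxy
auth_param basic credentialsttl 2 hours

# Assumed branch LAN; only these clients may use this proxy,
# and only after they have authenticated.
acl localnet src 192.168.10.0/24
acl ldap_users proxy_auth REQUIRED

http_access allow localnet ldap_users
http_access deny all

# The squid WAN at the main office (assumed address 192.168.1.13),
# reached over the WAN link. Port 0 / no-query disables ICP so the
# parent sees plain HTTP only; never_direct forces all traffic
# through it instead of going direct.
cache_peer 192.168.1.13 parent 3128 0 no-query default
never_direct allow all

###########################################################
# squid WAN (main office only): no authentication, accepts
# requests ONLY from the squid LAN proxies.
###########################################################

# No auth_param / proxy_auth here: the parent never asks the
# browser for credentials, so the 407 loop cannot occur.

# Assumed addresses of the squid LAN proxies, one per office.
# Restricting to these hosts is what keeps this from being an
# open proxy on the WAN; do not use the whole office subnets.
acl branch_proxies src 192.168.1.12/32 192.168.10.2/32 192.168.20.2/32

http_access allow branch_proxies
http_access deny all
```

Two things to keep in mind with this layout. The username only appears in the access.log of the squid LAN that authenticated the request; the squid WAN logs the branch proxy's address, so the LAN proxies' logs are the ones to keep for accountability. And the squid WAN's http_access list is the only thing stopping anyone who can reach port 3128 on it from browsing unauthenticated, so it should list the LAN proxies by host address rather than by office subnet.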
Received on Tue Nov 04 2003 - 10:52:58 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:05 MST