Re: [squid-users] cache_peer login option

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 23 Dec 2004 01:03:18 +0100 (CET)

On Wed, 22 Dec 2004, John Morton wrote:

> I'm looking at a way to hack around the problem of only being able to define
> one redirector per squid server by setting up a pair of servers

You can chain any number of redirectors. Search for Open2 in the archives.

If you need acl policies after redirection then it's another story.

> The objective is to be able to run both squidguard and adzapper, each with
> opt-out groups for sets of proxy_auth users that are orthogonal.

With a small wrapper having knowledge of the opt-out groups this shouldn't
be too hard.

> on the child server, and have it propagate the user name information back to
> the parent using the login=*:password option, and have the parent server run
> adzapper for everyone not in the opt out group.

Alternatively you can use login=PASS and have configuration configured the
same on both (assumes Basic authentication).

> My guess is that the parent will need an external authenticator that
> will validate any user if the correct password is supplied, but will
> only allow access to the child proxy(s). Does that sound right?

Yes. When using the login=*:password approach then Squid will use
"password" as the password for all users when forwarding the request.

You should take care to only allow requests from the child cache IP in
such configurations.

> Are there any standard authenticators that come with squid for this
> task?

The ncsa_auth helper is somewhat reasonable, using a local file (created
by htpasswd). Or you can whip up your own just looking at the static
password, i.e. something like the following:

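#!/bin/sh
# Squid basic-auth helper: reads "user password" lines on stdin and
# answers OK or ERR for each one.
while read -r user password; do
   # Accept any user name as long as the shared static password matches.
   if [ "$password" = "thesecretpassword" ]; then
     echo "OK"
   else
     echo "ERR"
   fi
done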

Regards
Henrik
Received on Wed Dec 22 2004 - 17:03:21 MST
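
The wrapper "having knowledge of the opt-out groups" that the reply mentions, written here as an added example (not code from the post or from the Squid project). It assumes the Squid 2.5 redirector line format "URL ip/fqdn ident method" with the proxy_auth user name in the third field; the helper paths and the user names alice and bob are hypothetical.

```python
"""Chain two Squid redirectors, skipping each for users who opted out of it."""
import subprocess
import sys

# Hypothetical helper paths and opt-out lists; adjust to the local install.
STAGES = [(["/usr/bin/squidGuard"], {"alice"}),
          (["/usr/local/bin/squid_redirect"], {"bob"})]


def user_of(line):
    """Return the user from 'URL ip/fqdn ident method', or None if absent."""
    fields = line.split()
    return fields[2] if len(fields) > 2 and fields[2] != "-" else None


def rewrite(line, stages):
    """Pass one request line through each stage the user has not opted out of.

    stages holds (ask, optout) pairs; ask(line) returns that redirector's
    reply, empty meaning "URL unchanged". Returns the reply line for Squid.
    """
    user = user_of(line)
    reply = ""
    for ask, optout in stages:
        if user is not None and user in optout:
            continue  # unauthenticated requests are never exempted
        answer = ask(line).split()
        if answer:
            # Only the first token is the URL; hand it to the next stage.
            reply = answer[0]
            line = " ".join([reply] + line.split()[1:])
    return reply


def spawn(argv):
    """Start a redirector; return ask(line) doing one request/reply round."""
    child = subprocess.Popen(argv, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, text=True, bufsize=1)
    def ask(line):
        child.stdin.write(line.rstrip("\n") + "\n")
        child.stdin.flush()
        return child.stdout.readline()
    return ask


if __name__ == "__main__":
    stages = [(spawn(argv), optout) for argv, optout in STAGES]
    for request in sys.stdin:
        # Squid waits for one reply line per request, so flush every time.
        sys.stdout.write(rewrite(request, stages) + "\n")
        sys.stdout.flush()
```

If a child redirector exits, its readline returns an empty string and the request passes through that stage unchanged, so the child processes should be monitored.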
