Re: [squid-users] cache_peer - multiple ones

From: Amos Jeffries <squid3@dont-contact.us>
Date: Thu, 03 May 2007 23:01:45 +1200

Gareth Edmondson wrote:
> Henrik Nordstrom wrote:
>> Tue 2007-05-01 at 23:41 +0100, Gareth Edmondson wrote:
>>
>>
>>> Thanks for the advice here. I read about this name= option earlier in
>>> the archives - but I got the impression from previous posters that it
>>> was in version 3 of squid and not the stable version that ships with
>>> Debian Etch. The stable version is 2.6.5-6.
>>>
>>
>> It's in 2.6 and later.
>>
>>
>>> cache_peer_access sslproxy allow CONNECT
>>> cache_peer_access sslproxy deny all
>>> cache_peer_access <original upstream name> deny CONNECT
>>> cache_peer_access <original upstream name> allow all
>>>
>>> I'm not sure they are in the right order.
>>>
>>
>> Looks fine.
>>
>> order of cache_peer_access is important, but only per peer. The order of
>> the peers is not important.
>>
>>
>>>>> Everything seems to be working. However when we try and connect to
>>>>> the 443 website it challenges us again for the AD username and
>>>>> password. Upon entering this the browser challenges us again and
>>>>> again and again - simply not letting us through.
>>>>>
>>
>> One more thing, have you added trust between Squid and the peer for
>> forwarding of proxy authentication? See the login option to cache_peer.
>>
>> Regards
>> Henrik
>>
>>
> Here is an extract of my access.log file - what is the difference
> between a HIT and a MISS in this scenario?
>
> 1178111113.463 0 127.0.0.1 TCP_HIT/200 506 GET
> http://communities.rm.com/forums/skins/communities/images/message_gradient_header.gif
> - NONE/- image/gif
> 1178111113.515 53 127.0.0.1 TCP_MISS/404 1952 GET
> http://communities.rm.com/favicon.ico -
> DEFAULT_PARENT/webcluster.education.swansea.sch.uk text/html
> 1178111115.152 111 127.0.0.1 TCP_MISS/302 1302 GET
> http://communities.rm.com/forums/member/default.aspx -
> DEFAULT_PARENT/webcluster.education.swansea.sch.uk text/html
> 1178111115.198 3 127.0.0.1 TCP_MISS/000 3112 CONNECT
> communities.rm.com:443 - DEFAULT_PARENT/proxyssl -
> 1178111118.229 3 127.0.0.1 TCP_MISS/000 3112 CONNECT
> communities.rm.com:443 - DEFAULT_PARENT/proxyssl -
> 1178111121.481 3 127.0.0.1 TCP_MISS/000 3112 CONNECT
> communities.rm.com:443 - DEFAULT_PARENT/proxyssl -
>
> You can see clearly where I have attempted to access a 443 website - yet
> it still asks me to authenticate against the AD with my username and
> password. The problem must lie with my authentication modules.
>
> GJE

Ah, check your squid.conf very carefully.
The acls are checked in order, and if any of the acls before the
'http_access allow CONNECT' or 'http_access allow SSL_Ports' require
auth, then the auth will be checked for.

To get CONNECT out without auth, you will need to place any acl requiring
auth _after_ the allow CONNECT.

Amos
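Putting the two pieces of advice from this thread together, here is an added squid.conf fragment (Squid 2.6 syntax) that is not from the original exchange. The peer names "upstream" and "sslproxy", the peer hostnames, the 192.168.0.0/16 client range and the ntlm_auth helper path are placeholders for whatever the real site uses; the point is the ordering of the http_access lines and the per-peer cache_peer_access rules, not those values.

```conf
# Added example, not a configuration from the thread. Hostnames, the client
# subnet and the auth helper path are placeholders.

# --- Peers. The name= option (available in 2.6 and later) gives each peer a
# handle for cache_peer_access. login=PASS forwards the client's proxy
# credentials to the upstream peer; this is the "login" option Henrik refers
# to. Leave it off a peer that does not authenticate.
cache_peer upstream.example.net parent 8080 0 no-query default name=upstream login=PASS
cache_peer sslproxy.example.net parent 8080 0 no-query name=sslproxy

acl CONNECT   method CONNECT
acl SSL_ports port 443
acl localnet  src 192.168.0.0/16          # placeholder client range
acl AuthUsers proxy_auth REQUIRED

# --- Peer selection. Order matters only within one peer's rules; the two
# groups below could be swapped without changing the result, but the
# "deny all" must stay after the "allow CONNECT" within the sslproxy group.
cache_peer_access sslproxy allow CONNECT
cache_peer_access sslproxy deny all
cache_peer_access upstream deny CONNECT
cache_peer_access upstream allow all

# --- Authentication helper (placeholder; Samba's ntlm_auth is one common
# choice for an AD domain).
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy

# --- Broken ordering (what causes the 407 challenge on CONNECT).
# AuthUsers is evaluated before the CONNECT rule, so every CONNECT must
# first satisfy proxy_auth, regardless of what the later line says:
#
#   http_access allow AuthUsers
#   http_access allow CONNECT SSL_ports
#
# --- Corrected ordering. http_access is first-match; the CONNECT allow is
# reached before any acl that requires auth, so no challenge is issued for
# port-443 tunnels. Restricting it to localnet is a deliberate caveat:
# without a src acl this line lets anyone who can reach the proxy open an
# unauthenticated tunnel to port 443.
http_access deny CONNECT !SSL_ports
http_access allow CONNECT SSL_ports localnet
http_access allow AuthUsers
http_access deny all
```

Check the file with `squid -k parse` before `squid -k reconfigure`; a misordered or misspelled acl name is reported there rather than at request time. After reloading, a CONNECT in access.log should still show DEFAULT_PARENT/sslproxy (or whatever the peer is named), but the browser should no longer be challenged for it; plain GETs continue to hit AuthUsers and are forwarded to the upstream peer with the client's credentials because of login=PASS.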
Received on Thu May 03 2007 - 05:01:50 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:04 MDT