[squid-users] SquidNT cache_peer authentication/encryption/failover

From: y_o_u <josh.smith_at_plumbest.com>
Date: Mon, 16 Mar 2009 08:34:44 -0700 (PDT)

Hi everyone,

Here is my goal:
I would like for my laptop users to be routed through my public squid proxy
so that when they are anywhere, including in a hotel/coffee shop/etc, their
traffic is coming through us.
 
After asking around and researching some options, one interesting option
includes using squid in a way I had never thought of.

The setup I saw had one Squid server as a standard Internet facing proxy
server (nothing special about that). The interesting thing was they also had
installed Squid locally on the laptop clients and ran Squid using the
cache_peer option to forward all traffic to the standard Squid server (this
is somewhat guesswork because the setup I saw is closed source, but I had
some clues that point me in this direction).

NOTE:
SquidNT (2.7.STABLE5 on server, 2.7.STABLE6 on clients)
Windows XP SP3 on clients
Windows 2003 Server for server role
Clients all have proxy settings set to localhost on port 3128
Server is listening on port 80
This is an AD domain, all settings pushed by GPOs.
Users running with user rights, and machines are fairly locked down (can't
touch the options in IE)
server- internet facing Squid server running normal proxy service
client- laptop computers running Squid and forwarding all requests to the
server using cache_peer

I have gotten both the Squid server and Squid client up and running, with a
few problems/questions.

1. I have the forwarding working in some manner. The problem I have is I have
the public facing server set up to require authentication. I have tried the
login=user:password option for cache_peer on the client side, still with no
luck. When looking at the access logs on the server, the Squid client
isn't passing the credentials supplied to the Squid server (i.e. see below)

1237037364.556 0 68.117.163.156 TCP_DENIED/407 1804 GET
http://yahoo.com/ - NONE/- text/html

2. I am also looking for an option in squid.conf that essentially says "if
you can't reach the cache_peer, then go direct for this query". Hopefully
this will resolve the problems I have been having in hot spots with captive
portals. I have looked at always_direct and never_direct, but after reading,
it doesn't look like either of those is what I am looking for. I would expect
this to allow the authentication to the captive portal, but as soon as the
cache_peer was reachable, for all traffic to be redirected to it.

3. Lastly, I am interested in using SSL to encrypt the traffic going from
the client to the server. I am using the SSL version of SquidNT
(http://squid.acmeconsulting.it/download/squid-2.7.STABLE6-bin-SSL.zip), so
the options are available, I just have not found any good documentation on
how to set this up (specifically, what has to be configured on the server
side; the client settings seem pretty straightforward, and the stuff I have
found is always for setting up SSL redirects/etc. for web servers using
acceleration mode).

If I need to provide any further information, please let me know. Thanks for
any help/suggestions, have a good one!
 
Josh
 
 
Before I came to trying Squid in this manner, here were other ways I tried to
proxy users' sessions.
 
1. A simple proxy setting in Internet Explorer to point all traffic back
through the public proxy. This fails in the following way: Say a user is at
a hot spot with a captive portal that requires authentication. This sets up
a problem where the browser can't get to the proxy server because of the
captive portal, and can't authenticate to the captive portal because of the
proxy settings (and "bypass proxy server for local addresses" won't work
because a lot of captive portals authenticate to non-local addresses).
2. PAC files- I thought this was going to be the answer, but unfortunately
this leaves too many holes open. The problem is that when the user first
logs on to a hot spot, the browser can't talk to the proxy (because the user
isn't authenticated yet to the captive portal), so everything is direct
(unfiltered, not good). It takes the user having to close and then open the
browser again before the session would be directed to the proxy (again, not
good).

NOTE: All this is worthless in some situations, as some hot spots don't
allow proxy connections (even if they are going to a proxy on port 80).

Here is my client squid.conf (without commenting for brevity ;)
# WELCOME TO SQUID 2.7.STABLE6
auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
auth_param ntlm children 5
auth_param ntlm keep_alive on
external_acl_type win_domain_group ttl=300 %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G -c
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow all #this is for testing ONLY
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128
cache_peer squidserver.com parent 80 0 proxy-only no-query
hierarchy_stoplist cgi-bin ?
access_log c:/squid/var/logs/access.log squid
cache deny all
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
prefer_direct off
coredump_dir c:/squid/var/cache

-- 
View this message in context: http://www.nabble.com/SquidNT-cache_peer-authentication-encryption-failover-tp22540738p22540738.html
Sent from the Squid - Users mailing list archive at Nabble.com.
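The following is a worked configuration for the three questions raised in the message above (peer credentials, falling back to DIRECT when the parent is unreachable, and TLS on the laptop-to-server hop). It is added here as an illustration; it is not taken from the thread, from Josh's config, or from the Squid project's example files. Hostnames (proxy.example.com), certificate, key and password-file paths, and the laptop-svc account are placeholders. It relies on Squid 2.7 directives that exist in the SSL-enabled build: cache_peer with login=, ssl and sslcafile=, prefer_direct, nonhierarchical_direct, https_port and auth_param basic. The point to check on the server side is that cache_peer login=user:password is sent as an HTTP Basic Proxy-Authorization header, so the server must have a Basic scheme configured; a server that only offers NTLM will keep answering 407 exactly as in the access.log line quoted above.

```conf
# ---- Laptop (client) side: squid.conf fragment ----
# Placeholder hostnames, paths and account names; not from the original thread.
http_port 3128
acl localhost src 127.0.0.1/32

# Parent reached over TLS on the server's https_port. 'login=' makes Squid add a
# Basic Proxy-Authorization header to every forwarded request, so the parent must
# accept Basic auth. connect-timeout= (seconds) keeps a blocked hot spot from
# stalling each request until the global peer_connect_timeout expires.
cache_peer proxy.example.com parent 443 0 no-query proxy-only ssl sslcafile=c:/squid/etc/corp-ca.pem login=laptop-svc:REPLACE_WITH_SECRET connect-timeout=5

# Try the parent first; DIRECT stays available as the fallback because there is
# no 'never_direct allow all' line. Once repeated connect failures mark the
# parent dead, Squid routes requests DIRECT until the parent answers again.
prefer_direct off

# Without this, requests matching hierarchy_stoplist (URLs containing '?' or
# cgi-bin) are sent DIRECT and bypass the parent even while it is healthy.
nonhierarchical_direct off
hierarchy_stoplist cgi-bin ?

cache deny all
http_access allow localhost
http_access deny all

# ---- Internet-facing server side: squid.conf fragment ----
# TLS listener the laptops connect to (a plain http_port can stay for LAN use).
https_port 443 cert=c:/squid/etc/proxy.pem key=c:/squid/etc/proxy.key

# Basic scheme to match what cache_peer login= sends. ncsa_auth with an
# htpasswd-style file is assumed here; any Basic helper works.
auth_param basic program c:/squid/libexec/ncsa_auth.exe c:/squid/etc/laptop-passwd
auth_param basic children 5
auth_param basic realm Corporate proxy
auth_param basic credentialsttl 2 hours

acl laptops proxy_auth REQUIRED
http_access allow laptops
http_access deny all
```

After reloading both sides, the server's access.log entries for laptop traffic should carry the peer account name (laptop-svc above) in the user field instead of "-", with no 407s, and the laptop's own log should show the parent host in the hierarchy field rather than DIRECT whenever the parent is up. If per-user accountability on the server matters more than a shared service account, cache_peer also accepts login=PASS, which forwards the browser's own proxy credentials to the parent instead of a fixed user:password pair.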
Received on Mon Mar 16 2009 - 15:34:49 MDT

This archive was generated by hypermail 2.2.0 : Tue Mar 17 2009 - 12:00:03 MDT