[squid-users] squid 3.3.x, SPNEGO and hostnames

From: Eugene M. Zheganin <emz_at_norma.perm.ru>
Date: Fri, 19 Jul 2013 17:24:44 +0600

Hi.

I'm moving some of my caches to 3.3.x (from 3.1.x and 3.2.x).
I'm using SPNEGO on some (along with kerberos_ldap_group helper).
I noticed an important behaviour change comparing to the 3.1.x and 3.2.x:
- squid 3.3.x requires the visible_hostname to be set to the kerberos
ticket principal he's using for SPNEGO
- squid 3.3.x requires the hostname of the proxy in the browser to be set
- squid 3.3.x requires the hostname of the proxy in the browser to be
exactly the same as kerberos principal in the ticket

If any of these conditions aren't met, the authentication fails. If
these conditions are met, the authentication functions as in the
previous versions (my caches are running same configs with minor
alterations). But I find those requirements a bit uncomfortable.

When SPNEGO isn't used, these requirements aren't needed.

Is this a feature or I'm hitting some bug ?

Thanks.
Eugene.
Received on Fri Jul 19 2013 - 11:24:55 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 19 2013 - 12:00:24 MDT