[squid-users] squid 4/5 feature request send login information to peers

2020-11-19 Thread David Touzeau


Thanks Amos

You mean using "login=PASS" in the peer settings, and in proxy parents B and 
C using the "basic_fake_auth" helper to "simulate" the requested auth?




On 17/11/2020 at 11:43, Amos Jeffries wrote:

On 17/11/20 9:27 pm, David Touzeau wrote:


Hi,

We have a first Squid using Kerberos + Active Directory authentication.
This first Squid is used to limit access using ACLs and Active 
Directory groups.


This first Squid uses parents as peers in order to access the internet 
in this way:


  | > SQUID B --> Internet 1
squid A ->
  | -> SQUID C -> Internet 2

1) We want to use ACLs too (for delegation purposes) on Squid B and C
2) For legal log compliance purposes.

In this case, the username discovered in Squid A must be transmitted 
to Squid B and C, and Squid B/C must accept the information in order 
to use it as login information when parsing ACLs.


Is it possible?


You can send the username. But the security token is tied to the 
client<->SquidA TCP connection - it cannot be validated by servers 
other than SquidA.


This should not matter though. Since Squid A is only permitting 
authenticated traffic you can *authorize* at Squid B and C based only 
on the source being one of your Squids with a valid username.





If not: we have seen that the Proxy protocol can transmit the 
source IP/login information to peers that are compliant with the Proxy 
protocol.

But the peer method in Squid does not allow using the Proxy protocol.
Is it possible to add "Proxy Protocol" support to the peer method?



It is possible to implement (for Squid-6 at the earliest) PROXYv2 for 
cache_peer. But the credentials security token remains tied to the SquidA 
service.



Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users




Re: [squid-users] squid 4/5 feature request send login information to peers

2020-11-17 Thread Amos Jeffries

On 17/11/20 9:27 pm, David Touzeau wrote:


Hi,

We have a first Squid using Kerberos + Active Directory authentication.
This first Squid is used to limit access using ACLs and Active Directory 
groups.


This first Squid uses parents as peers in order to access the internet in 
this way:


  | > SQUID B --> Internet 1
squid A ->
  | -> SQUID C -> Internet 2

1) We want to use ACLs too (for delegation purposes) on Squid B and C
2) For legal log compliance purposes.

In this case, the username discovered in Squid A must be transmitted to 
Squid B and C, and Squid B/C must accept the information in order to use 
it as login information when parsing ACLs.


Is it possible?


You can send the username. But the security token is tied to the 
client<->SquidA TCP connection - it cannot be validated by servers other 
than SquidA.


This should not matter though. Since Squid A is only permitting 
authenticated traffic you can *authorize* at Squid B and C based only on 
the source being one of your Squids with a valid username.





If not: we have seen that the Proxy protocol can transmit the 
source IP/login information to peers that are compliant with the Proxy 
protocol.

But the peer method in Squid does not allow using the Proxy protocol.
Is it possible to add "Proxy Protocol" support to the peer method?



It is possible to implement (for Squid-6 at the earliest) PROXYv2 for 
cache_peer. But the credentials security token remains tied to the SquidA 
service.



Amos
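A configuration sketch of the design discussed in this thread (Amos's "authorize at Squid B and C based only on the source being one of your Squids with a valid username" and David's basic_fake_auth follow-up), added here as an editor's example; it is not configuration from either poster. It uses the documented cache_peer option login=*:password rather than login=PASS, because login=PASS would forward the Negotiate token, which the parent cannot validate (Amos's point above). The helper paths, peer host names, the 192.0.2.10 address, the user and site names and the shared password are assumptions.

```conf
## Squid A (child): authenticate the user, then hand the username to the parents.
## Assumed placeholders: helper paths, peer host names, the 192.0.2.10 address, the shared password.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 20 startup=5 idle=2
auth_param negotiate keep_alive on

acl authenticated proxy_auth REQUIRED
# Only Kerberos-authenticated users get through Squid A at all.
http_access deny !authenticated
http_access allow authenticated
http_access deny all

# login=*:password makes Squid A send "<authenticated username>:<fixed password>"
# as Basic credentials to the parent. login=PASS would forward the client's
# Negotiate token instead, which the parent cannot validate (it is bound to the
# client<->Squid A connection). Protect this hop: private network or TLS to the parent.
cache_peer squid-b.example.net parent 3128 0 no-query name=squidB login=*:SHARED-SECRET-PLACEHOLDER
cache_peer squid-c.example.net parent 3128 0 no-query name=squidC login=*:SHARED-SECRET-PLACEHOLDER
never_direct allow all

## Squid B (C is configured the same way): accept the username only from Squid A.
# basic_fake_auth accepts any username/password pair. It exists only to put the
# forwarded username into the request so proxy_auth ACLs and %un logging can use it.
auth_param basic program /usr/lib/squid/basic_fake_auth
auth_param basic children 5
auth_param basic realm upstream
auth_param basic credentialsttl 1 hour

# Assumed address of Squid A; the source restriction is the real control here,
# because the password carried in the Basic header is never checked.
acl from_squid_a src 192.0.2.10/32
acl authenticated proxy_auth REQUIRED
# Delegation ACLs keyed on the forwarded username (assumed user and site names).
acl finance_users proxy_auth alice bob
acl finance_sites dstdomain .bank.example

http_access deny !from_squid_a
http_access allow authenticated finance_users finance_sites
http_access allow authenticated !finance_sites
http_access deny all

# Record the forwarded username (%un) for the legal-logging requirement.
logformat peerlog %ts.%03tu %>a %un %rm %ru %>Hs
access_log /var/log/squid/access.log peerlog
```

On Squid B the `deny !from_squid_a` line must stay ahead of every proxy_auth rule, otherwise any host that can reach B could present an arbitrary username.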


[squid-users] squid 4/5 feature request send login information to peers

2020-11-17 Thread David Touzeau


Hi,

We have a first Squid using Kerberos + Active Directory authentication.
This first Squid is used to limit access using ACLs and Active Directory 
groups.


This first Squid uses parents as peers in order to access the internet in 
this way:


 | > SQUID B --> Internet 1
squid A ->
 | -> SQUID C -> Internet 2

1) We want to use ACLs too (for delegation purposes) on Squid B and C
2) For legal log compliance purposes.

In this case, the username discovered in Squid A must be transmitted to 
Squid B and C, and Squid B/C must accept the information in order to use 
it as login information when parsing ACLs.


Is it possible?

If not: we have seen that the Proxy protocol can transmit the 
source IP/login information to peers that are compliant with the Proxy 
protocol.

But the peer method in Squid does not allow using the Proxy protocol.
Is it possible to add "Proxy Protocol" support to the peer method?





