Currently we are working on Kerberos with Active Directory with HAProxy that sends requests to Squid using proxy_protocol. Everything works great, but we want to replace the HAProxy with a Squid. In fact, we want the Squid client to send the credentials information to a Squid parent in order to centralize ACLs on the parent proxy according to the user's login name. Do you have any suggestions?
Best regards

-----Original Message-----
From: squid-users <squid-users-boun...@lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Saturday, 23 February 2019 04:07
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 4.x: cache_peer PROXY_PROTOCOL support with squid parents

On 23/02/19 2:45 am, David Touzeau wrote:
> Hi,
>
> We would like to use this infrastructure:
>
> Squid-cache client authentication 1 --------
>
> | ----> Squid Parent with ACLs per user/LDAP groups/Web filtering
> ---> INTERNET
>
> Squid-cache client authentication 2 --------
>
> Currently this kind of infrastructure cannot be done because the Squid
> that acts as a client did not send credentials information to the
> parent proxy.
>

There are many types of "client authentication" that can exist in multiple nested protocol layers:

* HTTP WWW-Auth* credentials
* HTTP Proxy-Auth* credentials
* TLS client X.509 certificate
* CONNECT tunnel Proxy-Auth*
* TCP connection-auth scheme credentials (NTLM, Negotiate)
* IPSEC key exchange
* EUI
* IDENT user name

Which one(s) are you talking about?

>
> We think it should be done if the cache_peer is compliant with the
> PROXY_PROTOCOL RFC as the http_port is already compliant.
>

What are you thinking PROXY would be doing to help with the situation?

Keep in mind that the PROXY header needs to be sent before any other bytes on the server connection. Which immediately limits the cases where any type of client information is available.

>
> Do you have plans to add PROXY_PROTOCOL inside cache_peer feature ?
>

To whom are you addressing this question?

Cheers,
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
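
An added illustration of the point about the PROXY header coming before any other bytes on the connection. It is not part of the thread and is not Squid or HAProxy code. It frames and parses a PROXY protocol version 1 line and shows that the line carries only addresses and ports, while the Proxy-Authorization value travels in the HTTP bytes that follow. The function names, addresses, ports and token placeholder are constructed for the example.

```python
# Added illustration (not from the thread): PROXY protocol v1 framing.
# Addresses, ports and the token placeholder are constructed sample values.
import ipaddress

MAX_V1_LEN = 107  # longest v1 line the PROXY protocol spec allows, CRLF included


def build_v1(src, dst, sport, dport):
    """Build the v1 line a sender writes first, before any HTTP byte."""
    fam = "TCP4" if ipaddress.ip_address(src).version == 4 else "TCP6"
    return f"PROXY {fam} {src} {dst} {sport} {dport}\r\n".encode("ascii")


def split_stream(data):
    """Receiver side: peel off the v1 line (UNKNOWN form not handled here)."""
    if not data.startswith(b"PROXY "):
        raise ValueError("PROXY header must be the first bytes on the connection")
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end < 0:
        raise ValueError("no CRLF within the v1 length limit")
    parts = data[:end].decode("ascii").split(" ")
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed v1 header")
    _, fam, src, dst, sport, dport = parts
    want = 4 if fam == "TCP4" else 6
    for addr in (src, dst):
        if ipaddress.ip_address(addr).version != want:
            raise ValueError("address family mismatch")
    ports = (int(sport), int(dport))
    if not all(0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    fields = {"family": fam, "src": src, "dst": dst, "sport": ports[0], "dport": ports[1]}
    return fields, data[end + 2:]


def proxy_auth_header(http_bytes):
    """Return the Proxy-Authorization value of the first request, or None."""
    head = http_bytes.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"proxy-authorization":
            return value.strip().decode("ascii")
    return None


# Constructed sample: one connection as the parent proxy would receive it.
REQUEST = (b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
           b"Proxy-Authorization: Negotiate <token-placeholder>\r\n\r\n")
STREAM = build_v1("192.0.2.10", "198.51.100.5", 56324, 3128) + REQUEST
```

Calling `split_stream(STREAM)` returns the address fields plus the untouched HTTP request; the credentials are only reachable through `proxy_auth_header()` on that remainder.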