Re: [squid-users] WCCP and parent authentication

2010-08-22 Thread Henrik Nordström
Tue 2010-08-17 at 14:00 -0500, Dean Weimer wrote:
> I know when using squid as an intercept proxy it can't do
> authentication as the clients don't know it's there, but do any of you
> out there know if you can use it with a parent proxy that requires
> authentication?

Only by giving Squid the credentials needed for authenticating to the
parent. login=user:password parameter to cache_peer. Only basic auth is
supported by this mechanism. Negotiate (Kerberos) support is also being
added.

Regards
Henrik



[squid-users] WCCP and parent authentication

2010-08-17 Thread Dean Weimer
I know when using squid as an intercept proxy it can't do authentication as the 
clients don't know it's there, but do any of you out there know if you can use 
it with a parent proxy that requires authentication?

The specific scenario I am considering is Squid in DMZ with WCCPv2 used in 
conjunction with a Cisco ASA 5520 firewall and an external (Websense filtering) 
proxy that requires authentication, both NTLM and basic authentication are 
supported.

Clients
   |
Cisco ASA5520 -WCCPv2- Squid 3.1.6 (In DMZ) -- Secondary Internet Connection -- Parent Proxy Service
   |
Internet

We are currently using auto-detect, but continually keep running into 
applications that don't recognize auto-detect, or sometimes don't even have the 
ability to read a configuration script.  I am trying to come up with a way to 
alleviate the user's issues, without losing our local cache.  And keeping the 
HR and Legal departments happy by continuing to filter websites with content 
that some could find offensive, as well as blocking unsafe (malware/spyware) 
websites.


Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co


Re: [squid-users] WCCP and parent authentication

2010-08-17 Thread Amos Jeffries
On Tue, 17 Aug 2010 14:00:57 -0500, Dean Weimer dwei...@orscheln.com
wrote:
> I know when using squid as an intercept proxy it can't do authentication
> as the clients don't know it's there, but do any of you out there know if
> you can use it with a parent proxy that requires authentication?
>
> The specific scenario I am considering is Squid in DMZ with WCCPv2 used in
> conjunction with a Cisco ASA 5520 firewall and an external (Websense
> filtering) proxy that requires authentication, both NTLM and basic
> authentication are supported.
>
> Clients
>    |
> Cisco ASA5520 -WCCPv2- Squid 3.1.6 (In DMZ) -- Secondary Internet Connection -- Parent Proxy Service
>    |
> Internet
>
> We are currently using auto-detect, but continually keep running into
> applications that don't recognize auto-detect, or sometimes don't even have
> the ability to read a configuration script.  I am trying to come up with a
> way to alleviate the user's issues, without losing our local cache.  And
> keeping the HR and Legal departments happy by continuing to filter websites
> with content that some could find offensive, as well as blocking unsafe
> (malware/spyware) websites.


1) IF the client thinks it's talking to the parent proxy. cache_peer
login=PASS (or login=PASSTHRU) will pass on the credentials without
requiring auth within Squid.

2) IF Squid itself needs to login to the parent. cache_peer login= with
username:password will insert the given login to relayed requests.

NP: Older Squid only allows Basic auth protocol credentials to be added
this way. 3.2 brings the ability to do Negotiate/Kerberos as well. NTLM
remains a sticky problem.


This login= is only relevant once on a cache_peer entry. So only one or the
other can be used at once. #2 is probably better/simpler for you since the
clients are not involved in the auth process.


Hope this helps.

Amos
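
Added example (not part of the original thread, and not code from the Squid project): a small Python check over a squid.conf that flags the cache_peer login= situations discussed in the replies above. The host names, credentials and finding labels are constructed for illustration.

```python
# Constructed sample squid.conf; host names and credentials are placeholders.
SAMPLE_CONF = """\
http_port 3129 intercept
cache_peer filter.example.net parent 8080 0 no-query default login=svc_squid:CHANGEME
cache_peer backup.example.net parent 8080 0 no-query login=PASS
cache_peer third.example.net parent 8080 0 no-query login=PASS login=svc:CHANGEME
never_direct allow all
"""

INTERCEPT_FLAGS = {"intercept", "transparent"}  # 'transparent' is the pre-3.1 name
RELAY_MODES = {"PASS", "PASSTHRU"}


def audit_cache_peers(conf_text):
    """Return (peer, finding) tuples for login= options on cache_peer lines."""
    rows = [line.split() for line in conf_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    intercepting = any(r[0] == "http_port" and INTERCEPT_FLAGS & set(r[2:])
                       for r in rows)
    findings = []
    for r in rows:
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        if r[0] != "cache_peer" or len(r) < 5:
            continue
        peer = r[1]
        logins = [opt[len("login="):] for opt in r[5:] if opt.startswith("login=")]
        if len(logins) > 1:
            # Only one login= mode is meaningful per cache_peer entry.
            findings.append((peer, "multiple-login"))
        elif logins and logins[0] in RELAY_MODES and intercepting:
            # Intercepted clients do not know a proxy exists, so they send
            # no proxy credentials for Squid to relay to the parent.
            findings.append((peer, "relay-mode-on-intercept"))
        elif logins and ":" in logins[0]:
            # Static user:password is stored in squid.conf in clear text and
            # sent to the parent as Basic auth on every relayed request.
            findings.append((peer, "static-basic-credentials"))
    return findings


if __name__ == "__main__":
    for peer, finding in audit_cache_peers(SAMPLE_CONF):
        print(f"{peer}: {finding}")
```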