[squid-users] transparent proxy with authentication

2005-10-24 Thread Chin Kah Yi

Dearest squid expert out there,

I have had squid boxes running on wccp with cisco router for my
customer. There are 2 new requirements lately:

(1) authentication with wccp
There comes a new requirement from my customer that every user should
be authenticated before being allowed to browse the internet. The
purpose is to provide logs showing which uid has browsed to which
websites on shared computers (like those in computer labs or cybercafe).

I understand from
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.16 that
authentication does not work with wccp. And I read somewhere on the squid 3
development site that there is an intention to enable such a possibility;
I would like to know if this is true.

Don't mind me asking again - but why was authentication designed
not to work with wccp? If a transparent proxy design is required together
with authentication, is there any alternative I could work on?


(2) antivirus and content filtering
In addition to authentication, the other requirement is to provide
content filtering to wccp squid.  The content filtering includes
antivirus scanning for web content as well as other web content
filtering. There is web content filtering from Trendmicro and other
brands. I just wish to know how to get it to forward such content from
squid to this software for scanning before squid passes the webpages
back to users.

Thanks heaps in advance for any advice.

Kah Yi


[squid-users] Transparent Proxy with Authentication

2004-12-03 Thread Focuz Infotech
Hi all,

If there is any way to set up a transparent proxy with authentication,
please give me those...

Here I can set up a transparent proxy and authentication, but they didn't
work at the same time... (while I use transparent, it didn't ask for
authentication)

I want to use both at the same time.

So help me.

Thank you in advance

robinboby.



Re: [squid-users] transparent proxy with authentication

2005-10-24 Thread Merton Campbell Crockett
On Monday 24 October 2005 18:36, Chin Kah Yi wrote:
> Dearest squid expert out there,
>
> Don't mind me being asking again - but why was authentication designed
> not to work with wccp? If transparent proxy design is required together
> with authentication, is there any alternative I could work on?

With WCCP you are intercepting the HTTP request from the HTTP client.  The 
HTTP client assumes that it is communicating with the HTTP server.  If the 
HTTP intercept proxy were to request authentication, you would have one of 
the following problems.

   (1)  The HTTP client would present the credentials that it saved from
        the last time that it accessed the HTTP server to the HTTP intercept
        proxy.  These credentials would fail the authentication tests and
        access would be denied.
   (2)  If the HTTP client did not have any credentials saved, the user would
        present the credentials requested by the HTTP intercept proxy.  The
        HTTP client would save the authenticated credentials.  If the HTTP
        server does not require authentication, there is no problem.
   (3)  If the HTTP server requires authentication, the HTTP client would
        present the credentials required by the HTTP intercept proxy.  The
        authentication would fail and the HTTP client would be prompted to
        provide new credentials.

Obviously, this leads to a condition where the HTTP client needs to supply 
multiple credentials on every access.  It is important to note that not all 
HTTP clients are browsers (Firefox, Internet Explorer, Netscape, Safari, 
etc.).  Many are applications or services such as AIM, Jabber, Real Audio, 
etc.

It might be possible to implement authentication in an HTTP intercept proxy 
were realms consistently used and understood by all HTTP clients and servers.  
However, the last time that I looked at this problem (ca. 1999), I discovered 
that while HTTP clients tended to deal with realms correctly there was a wide 
variance in the way realms were implemented in HTTP servers with Microsoft 
IIS being the biggest problem.

Merton Campbell Crockett




Re: [squid-users] transparent proxy with authentication

2005-10-24 Thread Chin Kah Yi

Thanks Merton for explaining.

What if the design is changed from wccp to a redirection level7 switch 
such as foundry serveriron? The L7 switch redirects http traffic to squids. 
Will this design be able to provide authentication from squid?


If transparent squid can't provide authentication due to the 
complications, would you recommend we get all users to enter the proxy IP in 
their own browser before they can browse, so that authentication can 
still be provided? If there is a proxy pool (a few proxies for 
redundancy), then I may use an L7 content switch to provide a virtual 
proxy IP for all user browsers to point to, then the content switch will 
route the user to the least loaded squid. All squids will definitely 
now be authenticating users against the Sun LDAP server.


I understand that servers may be affected by this. However, I could set 
at firewall that only IP at Server Farm can have http direct to 
internet, bypassing proxies.


To prevent users from going directly to Internet, firewall will block 
their IP from http access direct to internet.


The objective of this is to enable logging of login with url accesses on 
shared computers. Such computers are like those in computer labs where 
anyone can use to access to internet. If you do have alternative control 
mechanism, please advise.


Thanks again.

Kah Yi


Re: [squid-users] transparent proxy with authentication

2005-10-24 Thread Merton Campbell Crockett
On Monday 24 October 2005 20:44, Chin Kah Yi wrote:
> Thanks Merton for explaining.
>
> What if the design is changed from wccp to a redirection level7 switch
> such as foundry serveriron? The L7 switch redirects http traffic to squids.
> Will this design be able to provide authentication from squid?
>
> If transparent squid can't provide authentication due to the
> complications, would you recommend we get all users to enter the proxy IP in
> their own browser before they can browse, so that authentication can
> still be provided? If there is a proxy pool (a few proxies for
> redundancy), then I may use an L7 content switch to provide a virtual
> proxy IP for all user browsers to point to, then the content switch will
> route the user to the least loaded squid. All squids will definitely
> now be authenticating users against the Sun LDAP server.

My personal preference is to use a defined HTTP proxy server.  Although there 
was some initial concern about taking this approach, my customers have become 
convinced that this is the best approach.  Well, most of them have. :-)

One key feature of an HTTP proxy server over an HTTP intercept proxy is that 
all HTTP traffic is passed to the HTTP proxy server regardless of port used.  
The HTTP intercept proxy only addresses activity on port 80 or any additional 
ports that you specify.

Several of my customers were concerned about employees accessing pornography.  
It was clear from analysing network traffic that the HTTP intercept proxies 
that they had been using were missing some of this activity because port 80 
was not being used.

There are several ways of configuring your network to use an HTTP proxy 
server.

   (1)  Manual configuration of the HTTP proxy server.
   (2)  Manual configuration of an automatic configuration file.
   (3)  Configuring your network for Web Proxy Automatic Detection.
   (4)  Configuring your DHCP server to support automatic configuration.

I use all of the above.  A problem with (1) is that it is not robust.  If the 
HTTP proxy server fails, web content is inaccessible.  This can be solved by 
using a L7 switch as you suggest.  A secondary problem with (1) is that it 
doesn't allow you to use different HTTP proxy servers that could be used to 
implement strategic solutions, i.e. balancing the traffic between multiple 
service providers.

I like options (2), (3), and (4).  I can create an automatic configuration 
file, proxy.pac, that identifies how to access web content based on where the 
HTTP server is located.  Is the HTTP server connected to our local network?  
Go direct.  Is it connected to our corporate WAN?  Go to the intranet HTTP 
proxy server.  Is it an external HTTP server?  Go to the Internet HTTP proxy 
server.

Web Proxy Automatic Detection was a great idea introduced by Microsoft.  All 
you needed to do was to define a CNAME wpad.local.domain.com that pointed to 
a web server containing a file wpad.dat.  The latter was nothing more than a 
symlink to proxy.pac.  Linux and Mac OS X support automatic detection and I 
think most of the BSD systems, as well.

Unfortunately, Microsoft broke this in one of the service packs to Windows 
2000.  Fixed by providing two additional symlinks:  proxy.pa and wpad.da that 
point to proxy.pac.  With Windows XP, Microsoft screwed it up further:  you 
need to use (4) and define DHCP Option 252 to pass a URL to the DHCP client 
that defines the location of the proxy.pac file.

If you have management support to block port 80 to all but the HTTP proxy 
servers, use all of the above techniques to capture all your HTTP traffic.

Merton Campbell Crockett

PS:  As you can note, I have a definite bias.  For political reasons, I was
 recently moved from Engineering to IT.  IT doesn't quite share my views.
 A few of them are, finally, understanding that you don't need to touch
 each and every system.


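
The three-way routing Merton describes for proxy.pac (local network direct,
corporate WAN via the intranet proxy, everything else via the Internet proxy),
written out as an added example that is not from the thread. The networks,
proxy host names and port are assumptions; dnsResolve() is supplied by the
browser's PAC runtime.

```javascript
// proxy.pac: added example. Networks, host names and ports are hypothetical.
var LOCAL_NET = { net: "10.1.0.0", mask: "255.255.0.0" };  // assumed local network
var WAN_NET = { net: "10.0.0.0", mask: "255.0.0.0" };      // assumed corporate WAN
var INTRANET_PROXY = "PROXY wan-proxy.corp.example:3128";
// Two Internet proxies for failover. There is no trailing "DIRECT": if both
// are down the request fails instead of silently bypassing the logging proxy.
var INTERNET_PROXY =
  "PROXY proxy1.corp.example:3128; PROXY proxy2.corp.example:3128";

// Dotted-quad string -> 32-bit integer, or null if it is not valid IPv4.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = (n << 8) | Number(parts[i]);
  }
  return n;
}

// True when ip lies inside range {net, mask}; malformed input never matches.
function inNet(ip, range) {
  var addr = ipToInt(ip), net = ipToInt(range.net), mask = ipToInt(range.mask);
  if (addr === null || net === null || mask === null) return false;
  return (addr & mask) === (net & mask);
}

// Routing policy, kept separate from DNS so it can be tested on its own.
function chooseProxy(host, ip) {
  if (host.indexOf(".") === -1) return "DIRECT";  // unqualified name: local
  if (!ip) return INTERNET_PROXY;                 // unresolvable here: let the proxy try
  if (inNet(ip, LOCAL_NET)) return "DIRECT";      // checked first: LOCAL_NET is inside WAN_NET
  if (inNet(ip, WAN_NET)) return INTRANET_PROXY;
  return INTERNET_PROXY;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  var ip = host.indexOf(".") === -1 ? null : dnsResolve(host);
  return chooseProxy(host, ip);
}
```

The same file can be published as wpad.dat for automatic detection, as
described in the message above.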

Re: [squid-users] transparent proxy with authentication

2005-10-26 Thread Henrik Nordstrom

On Tue, 25 Oct 2005, Chin Kah Yi wrote:


> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.16  that
> authentication does not work with wccp. And I read somewhere in squid 3
> development site that there is an intention to enable such possibility,
> I like to know if this is true.


You have misunderstood the Squid-3 notes.

What is enabled in Squid-3 is authentication in reverse proxies. This was 
not easily done in Squid-2.5 due to conflicts with the transparent proxy 
support (i.e. WCCP).



> Don't mind me asking again - but why was authentication designed
> not to work with wccp? If transparent proxy design is required together
> with authentication, is there any alternative I could work on?


It is not a matter of authentication not being designed to work with 
WCCP. The issue is WCCP not being designed to work with the TCP/IP 
specifications.


When you bend the rules, such as is done when using WCCP or other 
transparent interception of traffic, certain things will not and can not 
work. Proxy authentication is one such thing.



> (2) antivirus and content filtering
> In addition to authentication, the other requirement is to provide
> content filtering to wccp squid.  The content filtering includes
> antivirus scanning for web content as well as other web content
> filtering. There is web content filtering from Trendmicro and other
> brands. I just wish to know how to get it to forward such content from
> squid to these software for scanning before squid passing the webpages
> back to users.


Just set up a parent peering relation.

Regards
Henrik


Re: [squid-users] transparent proxy with authentication

2005-10-26 Thread Henrik Nordstrom

On Mon, 24 Oct 2005, Merton Campbell Crockett wrote:


> Obviously, this leads to a condition where the HTTP client needs to supply
> multiple credentials on every access.  It is important to note that not all
> HTTP clients are browsers (Firefox, Internet Explorer, Netscape, Safari,
> etc.).  Many are applications or services such as AIM, Jabber, Real Audio,
> etc.


It is also worth noticing that the HTTP specifications only allow for a 
single active authentication realm per URI, and that only a single 
authentication scheme can be used at a time.  If there are multiple 
challenges of the same scheme but with different realms then the client is 
free to pick one (and can not pick more than one).


Regards
Henrik


Re: [squid-users] transparent proxy with authentication

2005-10-26 Thread Henrik Nordstrom



On Tue, 25 Oct 2005, Chin Kah Yi wrote:

> What if the design is changed from wccp to a redirection level7 switch such 
> as foundry serveriron? L7 switch redirect http traffic to squids. Will this 
> design be able to provide authentication from squid?


If you use a L7 load balancer with the clients configured for using the 
load balanced address as proxy then proxy authentication will work fine.


> To prevent users from going directly to Internet, firewall will block their 
> IP from http access direct to internet.


And if, instead of blocking, you NAT them to a web server explaining how to 
set the proxy settings, fewer support calls will be seen...


Regards
Henrik


Re: [squid-users] transparent proxy with authentication

2005-10-27 Thread Chin Kah Yi
If wccp with authentication does not work because of wccp design, 
Bluecoat claimed their proxy supports wccp with authentication. I wonder 
how theirs works?


Kah Yi


Re: [squid-users] transparent proxy with authentication

2005-10-27 Thread Henrik Nordstrom



On Thu, 27 Oct 2005, Chin Kah Yi wrote:

> If wccp with authentication does not work because of wccp design, Bluecoat 
> claimed their proxy supports wccp with authentication. I wonder how theirs 
> work?


It doesn't actually.

They do what you can do: implement an IP-based access control scheme using 
forms-based login to the proxy, registering your username as the user on 
the client IP address.


Regards
Henrik


Re: [squid-users] transparent proxy with authentication

2005-10-27 Thread Chin Kah Yi
I see. But if it is a transparent proxy via wccp, how would the IP based 
access control scheme work on bluecoat, as bluecoat wouldn't be inline to 
do access control and depends on the cisco router?



Re: [squid-users] transparent proxy with authentication

2005-10-27 Thread Chin Kah Yi
BlueCoat confirmed they can do transparent proxy with authentication 
(http://www.bluecoat.com/downloads/support/BCS_tb_transauth.pdf). I have 
downloaded the doc; if you want it, I can email you the doc.


If so, does squid work on that aspect as described by bluecoat in above doc?


Re: [squid-users] transparent proxy with authentication

2005-10-28 Thread Henrik Nordstrom



On Fri, 28 Oct 2005, Chin Kah Yi wrote:

> I see. but if it is transparent proxy via wccp, how would the IP based access 
> control scheme work on bluecoat as bluecoat wouldn't be inline to do access 
> control and depending on cisco router?


It is inline for HTTP traffic. The proxy can do whatever it likes with the 
HTTP traffic.


What these schemes usually do is redirect requests coming from an 
address not known to the proxy to a local login page, where a successful 
login registers the account for that IP and the user is then redirected 
back to the page he originally requested.


There is also another possible scheme using a combination of this and 
cookies. This provides per-user authentication but basically floods the 
browser with new cookies.


Regards
Henrik
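
One way to build the IP-based scheme described above on Squid's external ACL
helper interface, as an added example that is not code from the thread or from
Squid. The helper path, session file, login URL and 30-minute lifetime are
assumptions; the login page that writes the session file is not shown.

```javascript
// Added example: external ACL helper answering "is this client IP logged in?".
// Assumed squid.conf wiring (paths, names and URL are hypothetical):
//   external_acl_type ip_session ttl=10 negative_ttl=0 %SRC \
//       /usr/local/bin/node /usr/local/libexec/ip-session.js --helper /var/run/ip-sessions.json
//   acl logged_in external ip_session
//   deny_info http://login.corp.example/?url=%s logged_in
//   http_access deny !logged_in
// Squid writes one client IP per line and expects "OK user=<name>" or "ERR".
// The user= value is what ends up in access.log for that request.

// On shared lab machines the session belongs to the machine's IP, so a short
// lifetime limits how long the next person is logged under the previous name.
var MAX_AGE_SEC = 30 * 60;
// Only names that cannot break the helper reply or the log line are accepted.
var SAFE_USER = /^[A-Za-z0-9._-]{1,64}$/;
var IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Validate the %SRC field Squid sent; returns the IP string or null.
function parseSrc(line) {
  var m = IPV4.exec(String(line).trim());
  if (!m) return null;
  for (var i = 1; i <= 4; i++) if (Number(m[i]) > 255) return null;
  return m[0];
}

// sessions: { "<ip>": { user: "<name>", loginAt: <unix seconds> } }, written
// by the login page after a successful login. Anything unexpected is "ERR",
// which makes Squid redirect the client to the login page again.
function decide(line, sessions, nowSec) {
  var ip = parseSrc(line);
  if (ip === null || !sessions || typeof sessions !== "object") return "ERR";
  if (!Object.prototype.hasOwnProperty.call(sessions, ip)) return "ERR";
  var s = sessions[ip];
  if (!s || typeof s.user !== "string" || !SAFE_USER.test(s.user)) return "ERR";
  if (typeof s.loginAt !== "number") return "ERR";
  var age = nowSec - s.loginAt;
  if (age < 0 || age > MAX_AGE_SEC) return "ERR";
  return "OK user=" + s.user;
}

// Helper loop: re-read the session file per lookup so new logins are seen.
function serve(sessionFile) {
  var fs = require("fs");
  var rl = require("readline").createInterface({ input: process.stdin });
  rl.on("line", function (line) {
    var sessions = null;
    try {
      sessions = JSON.parse(fs.readFileSync(sessionFile, "utf8"));
    } catch (e) { /* unreadable or corrupt file: fail closed */ }
    process.stdout.write(decide(line, sessions, Math.floor(Date.now() / 1000)) + "\n");
  });
}

// Constructed sample data for trying decide() without Squid.
var SAMPLE_SESSIONS = {
  "192.0.2.10": { user: "alice", loginAt: 1000 },
  "192.0.2.11": { user: "bob", loginAt: 1000 },
  "192.0.2.12": { user: "eve user=admin", loginAt: 1000 }
};

if (process.argv.indexOf("--helper") !== -1) {
  serve(process.argv[process.argv.length - 1]);
}
```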


Re: [squid-users] transparent proxy with authentication

2005-10-28 Thread Chin Kah Yi
I see. Do you think the design where cookies were used to keep track of 
per-user authentication details at client browser is a feasible and good 
design?



Re: [squid-users] transparent proxy with authentication

2005-10-28 Thread Senthil Murugan

I just wanted to know how cookies are used for storing the username and
passwd. Because, I heard that cookies are domain dependent. So how come it
works, or am I wrong?

-SenthilMurugan


Re: [squid-users] transparent proxy with authentication

2005-10-28 Thread Henrik Nordstrom

On Fri, 28 Oct 2005, Chin Kah Yi wrote:

> I see. Do you think the design where cookies were used to keep track of 
> per-user authentication details at client browser is a feasible and good 
> design?


It is a hack. And fails badly for all other applications than browsing as 
it is not a standard authentication method so none of the methods of 
specifying the proxy account in other applications works.


Regards
Henrik


Re: [squid-users] transparent proxy with authentication

2005-10-28 Thread Henrik Nordstrom



On Fri, 28 Oct 2005, Senthil Murugan wrote:


> I just wanted to know how cookies are used for storing the username and
> passwd. Because, I heard that cookies are domain dependent. So how come it
> works, or am I wrong?


The cookies are indeed domain dependent, but since the proxy has full 
control of the traffic passing thru it, it can play games on the browser 
and issue cookies for all visited domains.


Regards
Henrik


Re: [squid-users] transparent proxy with authentication

2005-11-01 Thread Senthil Murugan

Hello Henrik,

I understood your explanation like this.

client <-> proxy <-> Internet

The scenario is transparent proxy authentication using cookies, and all the 
traffic is passed through the proxy. When the user accesses a web page for 
the first time, he is redirected to a login page, say 
http://mydomain.com/login.php, and the cookie is used to store the 
credentials after the successful authentication, and after that the user is 
redirected to the original website that he/she was trying to access. But 
this time the browser will not send the cookie credentials because this is a 
different domain. You explained it as, "since the proxy has the full control 
of the traffic passing thru it,  it can play games on the browser and issue 
cookie for all the visited domains". But with this, only the proxy can add 
the credentials, but what is actually needed is, only the proxy needs the 
credentials from the browser. How come this works, or have I not understood 
clearly?


Thanks,
Senthil Murugan



Re: [squid-users] transparent proxy with authentication

2005-11-01 Thread Henrik Nordstrom

On Tue, 1 Nov 2005, Senthil Murugan wrote:

> the original website that he/she was trying to access. But this time the 
> browser will not send the cookie credentials because this is a different 
> domain. You explained it as, "since the proxy has the full control of the 
> traffic passing thru it,  it can play games on the browser and issue cookie 
> for all the visited domains". But with this, only the proxy can add the 
> credentials, but what is actually needed is, only the proxy needs the 
> credentials from the browser. How come this works, or have I not understood 
> clearly?


There is always the domain of the proxy, to which the browser sends its 
cookies. To transport the session cookie to another domain a double 
redirect is used via the proxy domain, temporarily carrying the session 
details in a "magic" URL to the visited domain which then issues the 
cookie and redirects back to the originally requested page on the same 
domain.


I have done this kind of solution for reverse proxies using Squid, and it 
is not hard (you only need an HTTP server maintaining the session, and a 
little thinking on how to use external acls). The only difficulty wrt doing 
it in a forward proxy is that you need to modify the proxy to not forward 
the session cookie to the requested site, and for this some new Squid 
modifications will be needed (i.e. the filtering of the cookie is not 
possible with what is available for Squid today).


Regards
Henrik


Re: [squid-users] transparent proxy with authentication

2005-11-08 Thread Chin Kah Yi

Thanks for the comment. I was away for a while.

You have mentioned that such an authentication method is somewhat 
proprietary since it is not following a standard. If I only need to cache 
http (port 80) and no other ports, this authentication method should 
still be sufficiently good, right?


Kah Yi


Re: [squid-users] transparent proxy with authentication

2005-11-09 Thread Chin Kah Yi
Is there anyone out there who has configured squid to perform this kind 
of caching before? i.e. squid on wccp with cisco router while providing 
http authentication to end-users.


If there is none and I wish to do so, would it really be possible?

kahyi


Re: [squid-users] transparent proxy with authentication

2005-11-09 Thread Henrik Nordstrom

On Wed, 9 Nov 2005, Chin Kah Yi wrote:

> Is there anyone out there who has configured squid to perform this kind of 
> caching before? i.e. squid on wccp with cisco router while providing http 
> authentication to end-users.


No.


> If there is none and I wish to do so, would it really be possible?


It is possible, but some programming is required:

 a) To extend Squid to be able to filter out the needed cookie (within 
    Squid)

 b) To design the authentication system maintaining the login and issuing 
    cookies (outside Squid)


Regards
Henrik


Re: [squid-users] Transparent Proxy with Authentication

2004-12-03 Thread Matus UHLAR - fantomas
On 03.12 14:25, Focuz Infotech wrote:
> Hai All,
> 
> If there is any way to setup transparent proxy with authentication
> please give me those...
> 
> here i can setup transparent proxy and authentication but it didn't work
> same time... (while i use transparent it didn't ask for authentication)
> 
>   i want to use both in same time..

check the FAQ:

http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.16

17.16 Can I use proxy_auth with interception?

No, you cannot. With interception proxying, the client thinks it is
talking to an origin server and would never send the Proxy-authorization
request header.

IMHO, transparent proxying is a bad thing, that should only be used as
a last resort.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


RE: [squid-users] Transparent Proxy with Authentication

2004-12-03 Thread Elsen Marc
 
> 
> Hai All,
> 
> If there is any way to setup transparent proxy with authentication
> please give me those...
> 
> here i can setup transparent proxy and authentication but it 
> didn't work
> same time... (while i use transparent it didn't ask for 
> authentication)
> 
>   i want to use both in same time..
 

   http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.16

   M.