Hello All,

I have 2 squid servers that authenticate correctly when you point your browser to either of them. I'm using a negotiate_wrapper. I set it up following this (http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory).
I would like to set both servers behind a haproxy load balancer, however when you try to utilize the haproxy load balancer, it will not authenticate anymore. It just gives an error asking to authenticate.

Any ideas?

Thanks in advance.

##HAPROXY.CFG##

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

# reverse proxy-squid
listen proxy 10.10.0.254:3128
    mode http
    cookie SERVERID insert indirect nocache
    balance roundrobin
    option httpclose
    option forwardfor header X-Client
    server squid1 10.10.0.253:3128 check inter 2000 rise 2 fall 5
    server squid2 10.10.0.252:3128 check inter 2000 rise 2 fall 5

##SQUID.CONF##

#Kerberos and NTLM authentication
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=****.LOCAL --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 30
auth_param negotiate keep_alive off

# LDAP authentication
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local" -w "****" -f sAMAccountName=%s -h 10.0.0.200,10.0.0.199,10.0.0.194,10.0.0.193
auth_param basic children 150
auth_param basic realm Please enter your Domain credentials to continue
auth_param basic credentialsttl 1 hour

# AD group membership commands
external_acl_type ldap_group ttl=60 children-startup=10 children-max=50 children-idle=2 %LOGIN /usr/lib/squid3/ext_ldap_group_acl -R -K -S -b "DC=****,DC=local" -D "CN=SQUID,OU=Service Accounts,DC=****,DC=local" -w "****" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL Groups,DC=****,DC=local))" -h dc1.****.local,dc2.****.local,dc3.****.local,dc4.****.local

acl auth proxy_auth REQUIRED
acl REQGROUPS external ldap_group PROXY-HIGHLY-RESTRICTIVE PROXY-MEDIUM-RESTRICTIVE PROXY-MINIMAL-RESTRICTIVE PROXY-UNRESTRICTED PROXY-DEV PROXY-SALES

http_access deny !auth all
http_access deny !REQGROUPS all

--
Samuel Anderson | Information Technology Administrator | International Document Services
IDS | 11629 South 700 East, Suite 200 | Draper, UT 84020-4607

--
CONFIDENTIALITY NOTICE: This e-mail and any attachments are confidential. If you are not an intended recipient, please contact the sender to report the error and delete all copies of this message from your system. Any unauthorized review, use, disclosure or distribution is prohibited.