On Wed, 22 Dec 2004, John Morton wrote:

I'm looking at a way to hack around the problem of only being able to define one redirector per squid server by setting up a pair of servers

You can chain any number of redirectors. Search for Open2 in the archives.

If you need acl policies after redirection then it's another story.

The objective is to be able to run both squidguard and adzapper, each with opt-out groups for sets of proxy_auth users that are orthogonal.

With a small wrapper having knowledge of the opt-out groups this shouldn't be too hard.


on the child server, and have it propagate the user name information back to the parent using the login=*:password option, and have the parent server run adzapper for everyone not in the opt out group.

Alternatively you can use login=PASS and have configuration configured the same on both (assumes Basic authentication).


My guess is that the parent will need an external authenticator that will validate any user if the correct password is supplied, but will only allow access to the child proxy(s). Does that sound right?

Yes. When using the login=*:password approach then Squid will use "password" as the password for all users when forwarding the request.


You should take care to only allow requests from the child cache IP in such configurations.

Are there any standard authenticators that come with squid for this task?

The ncsa_auth helper is somewhat reasonable, using a local file (created by htpasswd). Or you can whip up your own just looking at the static password, i.e. something like the following:


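#!/bin/sh
# Squid sends one "user password" line per lookup; answer OK or ERR.
# Any user name is accepted as long as the static password matches.
while read -r user password; do
  if [ "$password" = "thesecretpassword" ]; then
    echo "OK"
  else
    echo "ERR"
  fi
done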

Regards
Henrik
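
An added example, not part of the original message: a variant of the static-password helper above that reads the shared secret from a file instead of embedding it in the script, and fails closed on malformed lines or an empty secret. The function names, the secret-file argument and the paths in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: Squid writes one
# "username password" line per lookup (helper concurrency off) and expects OK
# or ERR; the secret holds only letters and digits, so it arrives unescaped;
# the secret file path is passed as $1 (hypothetical paths in the usage below).

# Load the first line of the secret file into SECRET; fail if unreadable/empty.
load_secret() {
  [ -r "$1" ] || return 1
  IFS= read -r SECRET < "$1" || :   # tolerate a missing final newline
  [ -n "$SECRET" ]
}

# Decide on one helper input line and print OK or ERR.
check_line() {
  line=$1
  user=${line%% *}    # text before the first space
  pass=${line#* }     # everything after the first space
  case $line in
    *" "*) ;;                    # has a separator, keep checking
    *) echo ERR; return ;;       # no password field at all
  esac
  # An empty user, password or secret must never authenticate.
  if [ -z "$user" ] || [ -z "$pass" ] || [ -z "${SECRET:-}" ]; then
    echo ERR; return
  fi
  if [ "$pass" = "$SECRET" ]; then echo OK; else echo ERR; fi
}

# Serve requests only when a secret file is given, for example:
#   auth_param basic program /usr/local/bin/peer_auth.sh /etc/squid/peer_secret
if [ $# -ge 1 ]; then
  load_secret "$1" || { echo "cannot read secret from $1" >&2; exit 1; }
  while IFS= read -r line; do
    check_line "$line"
  done
fi
```

Because every user name passes with the one shared password, the helper is only as strong as the parent's restriction to the child cache's IP address mentioned in the message.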
