Ricardo Nuno wrote:
Hello Amos,

| I would have thought Squid->DG->Internet would be sufficient to meet those
| needs. With the front squid doing cache+auth of stuff that gets past the
| DG filtering. (and DG doing less work on cacheable things it's already
| scanned once).
I tried that too. But it does not work.

|
| NP: Squid2 in your setup must NOT do any peering. Remember this is the
| EXIT. All access is direct to the Internet. Its one and only client is
| DG.
Yes. This solved the loop issue. And putting the cache_peer directive on
Squid1 with the "never_direct allow all".

| Don't include any unique stuff into both configs.
| If you need usernames logged at Squid2 at all use the fakeauth helper and
| LoggingOnly setup on that squid:
| http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly
Now here lies my new problem. I do need to log UserName+IP in the access.log
of the Squid2(Cache). Now that the loop is fixed it stopped recording the UserName,
it only records the IP, like this:

1233913862.159      6 192.168.20.140 TCP_MISS/304 250 GET http://m80.clix.pt/styles/m80_txt.css - DIRECT/195.23.102.200 -

I tried to use fakeauth as you suggested but when I do, auth stops working.
On IE it keeps asking for my credentials and just keeps denying.
I followed the docs on the Squid Wiki but I get this in the log:

2009/02/06 10:03:02| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic c2JhdGFsaGE6bm9wYXNzd29yZA=='

This is what I added on Squid2(Cache):

auth_param ntlm program /usr/lib/squid/fakeauth_auth -d -v
auth_param ntlm children 10
auth_param ntlm realm Proxy Server
auth_param ntlm credentialsttl 1 hours
auth_param ntlm casesensitive off

acl logauth proxy_auth REQUIRED
http_access deny !logauth all

I think that I'm not using fakeauth the right way or something.
As an alternative I could use the access.log from Squid1(NTLM) for my reports
because here I get UserName+IP, but I think if I use this one I will get more
false positives, like a lot of the DENIED, or am I wrong and should just use it?

Ah, okay, here is what I think is happening:
Squid1 does the ntlm auth, and converts it to BasicAuth for DG.
So Squid2 gets the BasicAuth form, which means at Squid2 the other dummy_auth is needed to catch and log basic login details.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5
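
A check for the mismatch described in the reply above, as an added example that is not part of the original message or of Squid: it compares the schemes that have a helper configured via auth_param with the scheme named in the cache.log error, and pulls the user name (never the password) out of a Basic token. The function names are hypothetical; the sample input is the config and log line quoted in the message.

```python
import base64
import re

# Constructed sample input, copied from the Squid2 config and cache.log line quoted above.
SQUID2_CONF = """\
auth_param ntlm program /usr/lib/squid/fakeauth_auth -d -v
auth_param ntlm children 10
acl logauth proxy_auth REQUIRED
http_access deny !logauth all
"""
CACHE_LOG = (
    "2009/02/06 10:03:02| authenticateDecodeAuth: Unsupported or unconfigured "
    "proxy-auth scheme, 'Basic c2JhdGFsaGE6bm9wYXNzd29yZA=='\n"
)

LOG_RE = re.compile(r"Unsupported or unconfigured proxy-auth scheme, '(\S+)(?: (\S+))?'")
CONF_RE = re.compile(r"^\s*auth_param\s+(\S+)\s+program\b", re.M)


def configured_schemes(conf_text):
    """Schemes that have a helper program configured via auth_param."""
    return {m.group(1).lower() for m in CONF_RE.finditer(conf_text)}


def rejected_schemes(log_text):
    """Map each rejected scheme to the user names seen (decoded for Basic only)."""
    seen = {}
    for scheme, blob in LOG_RE.findall(log_text):
        users = seen.setdefault(scheme.lower(), set())
        if scheme.lower() == "basic" and blob:
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:
                continue  # malformed token: keep the scheme, skip the user
            users.add(decoded.split(":", 1)[0])  # keep the user, drop the password
    return seen


def missing_schemes(conf_text, log_text):
    """Schemes clients sent for which the config has no helper."""
    have = configured_schemes(conf_text)
    return {s: u for s, u in rejected_schemes(log_text).items() if s not in have}


if __name__ == "__main__":
    for scheme, users in missing_schemes(SQUID2_CONF, CACHE_LOG).items():
        print(f"no auth_param {scheme} helper configured; users seen: {sorted(users)}")
```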
