2011/10/19 Luis Daniel Lucio Quiroz <luis.daniel.lu...@gmail.com>: > 2011/10/18 E.S. Rosenberg <esr+sq...@g.jct.ac.il>: >> Hi all, >> We currently have a setup with proxies that use NTLM authentication >> (we hope to upgrade to kerberos in the future) and based on the >> username send the user to one of several parent proxies, to improve >> caching we would like to instead route all traffic through one proxy >> that is heavily optimized for caching (has it's own large storage >> etc.). >> >> I saw in the documentation that it is possible to pass the >> authentication to the parent, as far as I can tell I can 'tell' the >> parent in several ways how to route the client: >> - I can pass the username to the parent >> - I can 'NAT' the users connection as it leaves the child proxy (src >> ip rewrite rules) and have source IP based rules on the parent. >> - I could setup multiple instances of the same parent with different >> login details and 'route' based on username to each of said 'parents' >> >> It seems to me that the second option would result in better >> performance on the one hand but on the other hand it would add more >> obfuscation, however performance is more important to me. >> >> Am I correct in my analysis? Is passing the username to parent a lot >> slower, would it require another ntlm-auth binary running on the >> parent or can the username just pass cleartext between the proxies >> and therefor the whole 'authentication' is a lot faster.... >> >> Thanks for your brain-cycles, >> Eli >> > > Just wondering, why you need to pass username to 2nd layer proxy. I > mean, 1rst layer, the one who does authentication does also filtering > permitions. The first layer/tier does very basic filtering, the rest is either handled by a specialized ISP with different plans for different campuses or no filtering for staff members going through a separate ISP and WAN line.
So the parent either needs to know the username, or just what plan to use for the incoming session. Regards, Eli > > LD > http://www.twitter.com/ldlq >