Re: [squid-users] Cache peer access - or - The redirection problem...

From: Robert Collins <robert.collins@dont-contact.us>
Date: Wed, 4 Apr 2001 08:41:27 +1000

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Simone Colombo" <scolombo@saitweb.it>
Cc: <squid-users@squid-cache.org>; <marco.lacava@saitweb.it>
Sent: Wednesday, April 04, 2001 4:51 AM
Subject: Re: [squid-users] Cache peer access - or - The redirection problem...

> Not so sure cache_peer_access is very happy about using proxy_auth ACL
> types. It might be if you first use some proxy_auth ACL in http_access,
> but I am not sure.

From memory it will use them, but won't force authentication.

> If it does not currently work then it can most likely be made to work
> with some small amount of coding.

It might be part of the broken area with respect to upstream auth we
were discussing in January, but I don't think so.

>
> --
> Henrik Nordstrom
> Squid hacker available per hour
>
>
> Simone Colombo wrote:
> >
> > Hi all!
> >
> > We are trying to set up a Squid hierarchy to work as follows:
> >
> > A central proxy server must authenticate the user (via ncsa_auth module) and
> > then redirect them (via ICP now, but no problems using something else) on a
> > different parent chosen from an array. We MUST have users (or user groups) pass
> > on different parent proxies (users have different bandwidth privileges) and the
> > selection must be done on the username, not on the client's ip, 'cuz we have a
> > lot of roaming users that use dhcp.
> >
> > So... we try the following acls:
> >
> > <snip>
> > acl USER1 proxy_auth user1
> > acl USER2 proxy_auth user2
> >
> > cache_peer x.x.x.x parent 3128 3130
> > cache_peer y.y.y.y parent 3128 3130
> >
> > cache_peer_acces x.x.x.x allow user1
> > cache_peer_acces x.x.x.x deny all
> >
> > cache_peer_access y.y.y.y allow user2
> > cache_peer_access y.y.y.y deny all
> > <snip>
> > EOF
> >
> > Squid does complain 'bout nothing in the logfiles, but it seems it
> > ignores the "permissions" we've set up... actually it uses its peers with the
> > standard policy (the fastest answering).

Do the users get prompted for a password?

> >
> > Does anyone know why or has a suggestion on how to realize the same
> > thing in a different way?

Yes. Do this:
+acl knownusers proxy_auth REQUIRED
acl USER1 proxy_auth user1
acl USER2 proxy_auth user2

cache_peer x.x.x.x parent 3128 3130
cache_peer y.y.y.y parent 3128 3130

cache_peer_acces x.x.x.x allow user1
cache_peer_acces x.x.x.x deny all

cache_peer_access y.y.y.y allow user2
cache_peer_access y.y.y.y deny all

+http_access deny !knownusers
EOF
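
Review bot: the two "cache_peer_acces x.x.x.x" context lines are missing the final "s" of the directive, while the y.y.y.y lines spell it "cache_peer_access"; use "cache_peer_access" for both peers so the x.x.x.x rules are read as intended. The ACLs are also defined as USER1 and USER2 but referenced as user1 and user2 in the allow lines; using one spelling throughout avoids depending on how ACL names are matched. The added "http_access deny !knownusers" is shown at the end of the snippet; because http_access rules are evaluated in order, place it ahead of any http_access allow rule in the full squid.conf.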

The two new lines will force user authentication. Once that's known the
cache_peer_access rules should be able to examine the username.

If that doesn't work let me know (via this list). It should be easy to
fix.

Rob
Received on Tue Apr 03 2001 - 16:42:26 MDT
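
Added example (not part of the original message and not Squid's own code): a small Python check for the situation described in the thread, where cache_peer_access tests a proxy_auth ACL but no http_access rule uses one to make Squid ask for a login. The function name lint, the sample configurations and the case-insensitive matching of ACL names are assumptions made for this illustration.

```python
# Constructed sample: the thread's configuration before the reply's two added
# lines (directive spelled cache_peer_access throughout).
BEFORE = """\
acl USER1 proxy_auth user1
acl USER2 proxy_auth user2
cache_peer x.x.x.x parent 3128 3130
cache_peer y.y.y.y parent 3128 3130
cache_peer_access x.x.x.x allow user1
cache_peer_access x.x.x.x deny all
cache_peer_access y.y.y.y allow user2
cache_peer_access y.y.y.y deny all
"""
# Constructed sample: the same file with the two lines the reply adds.
AFTER = "acl knownusers proxy_auth REQUIRED\n" + BEFORE + "http_access deny !knownusers\n"


def lint(conf):
    """Return one warning per cache_peer_access rule that tests a proxy_auth
    ACL while no http_access rule references any proxy_auth ACL."""
    auth_acls = set()   # proxy_auth ACL names, lower-cased (assumption:
                        # names are matched case-insensitively)
    http_refs = set()   # ACL names referenced by http_access rules
    peer_refs = []      # (line number, peer, ACL name) from cache_peer_access
    for n, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(tok) < 3:
            continue
        if tok[0] == "acl" and tok[2] == "proxy_auth":
            auth_acls.add(tok[1].lower())
        elif tok[0] == "http_access":
            http_refs.update(a.lstrip("!").lower() for a in tok[2:])
        elif tok[0] == "cache_peer_access":
            peer_refs += [(n, tok[1], a.lstrip("!")) for a in tok[3:]]
    login_requested = bool(auth_acls & http_refs)
    return [
        f"line {n}: cache_peer_access {peer} tests proxy_auth ACL '{a}', "
        "but no http_access rule uses a proxy_auth ACL to request a login"
        for n, peer, a in peer_refs
        if a.lower() in auth_acls and not login_requested
    ]


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(conf) or "ok")
```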
