Re: [squid-users] Proxy Authentification with multiple parallel squids from Henrik Nordstrom on 2002-07-17 (squid-users)

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 17 Jul 2002 10:45:03 +0200

On Wednesday 17 July 2002 09.28, Matthias Weigel wrote:

> i am using mulitple parallel squid-caches (2.4Stable6) with proxy
> auth. The requests are distributed among the caches by the browser
> via proxy.pac mechanism (e.g. .com to first squid, .de to second,
> etc.). All squids share the same password database and have the
> same relam for proxy-auth configured.
>
> My problem is that every proxy shows the password dialog popup when
> first used. This is somewhat anoying to the users as they have to
> enter their passwords multiple times (older netscapes cannot even
> save the passwords...).

true, except for the small detail that it is your browser who shows
the login box as it does not know what login to use when talking to
the second/third/... proxy in your farm.. For all what the browser
knows the proxies are separate from each other and may have different
login requirements, and to avoid the login information for one
leaking to the other the HTTP specification recommends browsers to
NOT reuse the same login to another proxy.

> I tried to set visible_hostname to the same value on all squids but
> this didnt help.

no, it wont. The browser does the proxy login caching based on the
hostname (or IP address) it tries to contact based on the result of
your proxy.pac script or manual proxy configuration.

> How can i convince the browser to use the same password for all of
> my proxies with only asking the user once?

Not when using this type of load balancing.

For "single login" to work, the browsers must be unaware there is
multiple proxies. This works for

* DNS round-robin or other DNS based proxy load balancing methods

* TCP/IP load balancing using a loadbalancer such as
Linux-Virtual-Server <http://www.linuxvirtualserver.org/> or a
similar commercial solution..

* IP load balancing such as split routing based on client IP address
to a virtual proxy IP address shared by all your proxies, etc ..

You can solve the duplicate caching issue by setting up request
routing within your proxy farm. See the cache_peer and
cache_peer_access directives.

Regards
Henrik
Received on Wed Jul 17 2002 - 02:54:36 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:17 MST