[squid-users] Problems with proxy_auth + always_direct

From: Robert Sinton <robert@dont-contact.us>
Date: 02 Dec 2002 14:24:47 +1300

Could some kind person please help us out with our logic?

We are trying to build a solution which looks at the authenticated username to decide whether to allow requests to go direct to origin servers, or to force them through an upstream filtering proxy. An external authorisation process is used to make the decision.

We have run into some problems, and have progressively simplified the setup to try to isolate where we're going wrong; this includes leaving out the external username analysis for now. As the default behaviour with a parent peer defined is to go through that peer, we are first concentrating on allowing specified users to go direct; we'll worry about forcing other users through the parent in all cases later.

We now have it down to this:

===============

# The upstream filter
cache_peer 192.168.0.101 parent 8000 7 proxy-only no-query no-digest

acl all src 0.0.0.0/0.0.0.0

# Force authentication
acl authenticated proxy_auth REQUIRED

# Allow only authenticated users to go through squid
http_access allow authenticated
http_access deny all

# Allow authenticated users to go direct to origin servers
always_direct allow authenticated

===============

Squid Cache: Version 2.5.STABLE1
All other acls and relevant directives have been commented out.

With this config, we expected all authenticated users to go direct to origin servers, but in practice we found that they were still sent through the upstream filtering proxy. However if we changed the basis of the always_direct decision to something other than username authentication, the system worked as we expected, i.e. the requests went direct. Here is an example which worked:

===============
acl itsme src 192.168.0.31
always_direct allow itsme
===============

Can anyone spot the flaw here? It has us stumped.

We're not squid gurus, so don't want to cry 'bug', but is there any chance that this is related to the situation in Bugzilla Bug # 393?

   http://www.squid-cache.org/bugs/show_bug.cgi?id=393

Thanks,
Robert

-- 
Robert Sinton                  Phone +64 (3) 366-5454
Senior Systems Consultant      Fax +64 (3) 366-4456
MagnumMac Resources Ltd        21-23 Carlyle Street, PO Box 1144, Christchurch
Received on Sun Dec 01 2002 - 18:25:03 MST
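
To confirm from Squid's side which route each authenticated user's requests actually took, the native `access.log` can be tallied per user; this is an added example, not part of the original message. It assumes the native log format with the authenticated username in the eighth field and the hierarchy code/peer in the ninth; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise, per authenticated user, how Squid routed requests.
# Assumed native access.log layout (one request per line):
#   time elapsed client action/status bytes method URL user hierarchy/peer type

PARENT="192.168.0.101"   # the cache_peer address from the config in the message

# route_summary FILE -> lines "user direct=N parent=N other=N", sorted by user
route_summary() {
    awk -v parent="$PARENT" '
        NF >= 9 {
            user = $8
            split($9, h, "/")            # h[1] = hierarchy code, h[2] = peer or origin
            if (h[1] == "DIRECT")       direct[user]++
            else if (h[2] == parent)    viaparent[user]++
            else                        other[user]++   # e.g. NONE/- on a 407 challenge
            seen[user] = 1
        }
        END {
            for (u in seen)
                printf "%s direct=%d parent=%d other=%d\n", u, direct[u], viaparent[u], other[u]
        }' "$1" | sort
}

# users_via_parent FILE -> users with at least one request sent to the parent
users_via_parent() {
    route_summary "$1" | awk '{ split($3, p, "="); if (p[2] > 0) print $1 }'
}

# Constructed sample log lines (not taken from the message)
sample_log() {
    cat <<'EOF'
1038792287.101    120 192.168.0.31 TCP_DENIED/407 1692 GET http://www.example.com/ - NONE/- text/html
1038792288.350    410 192.168.0.31 TCP_MISS/200 5120 GET http://www.example.com/ robert FIRST_UP_PARENT/192.168.0.101 text/html
1038792290.020    380 192.168.0.31 TCP_MISS/200 2048 GET http://www.example.com/a.gif robert FIRST_UP_PARENT/192.168.0.101 image/gif
1038792295.700    290 192.168.0.40 TCP_MISS/200 3072 GET http://www.example.org/ alice DIRECT/192.0.2.10 text/html
EOF
}

# Stand-alone run: summarise the file given as $1, or the constructed sample.
log="${1:-}"
if [ -z "$log" ]; then log=$(mktemp); sample_log > "$log"; cleanup=1; fi
route_summary "$log"
[ -z "${cleanup:-}" ] || rm -f "$log"
```

A user listed by `users_via_parent` had at least one request forwarded to the filtering parent, which is the symptom described in the message.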
