RE: [squid-users] NTLM authentication in Cache Hierachy

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 17 Feb 2003 12:49:47 +0100

Yes, you are still inside the firewall with no direct connection to the
Internet.

The FAQ entry applies to all sibling or child caches.

Regards
Henrik

Mon 2003-02-17 at 00.43, Chris Vaughan wrote:
> I should point out that this is the layout of the proxies and the firewall:
>
> sibling <=====> parent <=====> firewall <=====> internet
> cache           cache
>
> Is section 4.8 of the F.A.Q. still relevant in this instance?
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Monday, 17 February 2003 9:48 AM
> To: Chris Vaughan
> Subject: Re: [squid-users] NTLM authentication in Cache Hierachy
>
>
> 4.8 How do I configure Squid to work behind a firewall?
>
>
> Chris Vaughan wrote:
> >
> > Our firewall is a separate device which the proxy server is allowed access
> > through. What part of the F.A.Q. do you refer to?
> >
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > Sent: Friday, 14 February 2003 8:47 PM
> > To: Chris Vaughan
> > Subject: Re: [squid-users] NTLM authentication in Cache Hierachy
> >
> > In such case you need to see the Squid FAQ on how to use Squid within a
> > proxy based firewall. (hierarchy_stoplist is not the correct directive
> > to change).
> >
> > Regards
> > Henrik
> >
> > Chris Vaughan wrote:
> > >
> > > Thanks,
> > >
> > > I also found that in our situation it was not appropriate to include a
> > > hierarchy_stoplist statement, as only our parent caches have access through
> > > our firewall.
> > >
> > > -----Original Message-----
> > > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > > Sent: Friday, 14 February 2003 12:20 PM
> > > To: Chris Vaughan
> > > Cc: 'squid-users@squid-cache.org'
> > > Subject: Re: [squid-users] NTLM authentication in Cache Hierachy
> > >
> > > The browser can only authenticate to the first proxy. This is a
> > > limitation of the HTTP protocol. It is then the responsibility of this
> > > proxy to authenticate to any upstream proxy if required.
> > >
> > > When using Basic HTTP authentication you can chain the authentication on
> > > > multiple proxies IFF all of them share the same password database. See
> > > the cache_peer login= option. This also works for Digest if the first
> > > proxy is not doing any authentication, but cannot be used for proxying
> > > the NTLM authentication scheme.
> > >
> > > > If using NTLM or Digest scheme on the first proxy you cannot forward the
> > > authentication of the client to the upstream proxy. Your alternatives
> > > are then to either
> > >
> > > a) Reconfigure the upstream to allow requests from the sibling without
> > > requiring authentication
> > >
> > > > b) Use the login= cache_peer option on the sibling to specify which
> > > user the sibling should authenticate as to the upstream proxy.
> > >
> > > Regards
> > > Henrik
> > >
> > > Chris Vaughan wrote:
> > > >
> > > > Greetings.
> > > >
> > > > I am trying to authenticate from a sibling cache using ntlm, sending
> > > > requests out through a parent.
> > > >
> > > > > If the parent uses NCSA auth, the sibling serves back pages that cannot be
> > > > > navigated due to authentication failures.
> > > > >
> > > > > If the parent is also using ntlm, then a password/userid prompt, that will
> > > > > not accept any input, appears.
> > > >
> > > > Any Ideas?
> > > >
> > > > ***************************************************************
> > > > This message is intended for the addressee named and
> > > > may contain confidential information. If you are not the
> > > > intended recipient, please delete it and notify the sender.
> > > > Views expressed in this message are those of the
> > > > individual sender, and are not necessarily the views of the
> > > > Department of Information Technology & Management.
> > > >
> > > > This email message has been swept by MIMEsweeper
> > > > for the presence of computer viruses.
> > > > ***************************************************************

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Mon Feb 17 2003 - 04:50:05 MST
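
Added example, not part of the original thread and not Squid project configuration: a squid.conf sketch of alternatives a) and b) from the quoted reply of 14 February, with the inside-the-firewall setting on the child. The host name, address, account name and password are constructed placeholders.

```conf
# ---- squid.conf on the sibling/child cache (the proxy the browsers use) ----
# NTLM is negotiated here, on the first proxy; it cannot be relayed upstream.

# Inside the firewall: never try a direct connection, always go via the parent.
# ("all" is the catch-all ACL from the stock squid.conf.)
never_direct allow all

# Alternative b): the child logs in to the parent as one fixed account.
# login= sends Basic credentials, so the parent must offer the Basic scheme
# and know this account. The password sits in cleartext in this file, so
# keep squid.conf readable only by the Squid user and root.
cache_peer parent.example.internal parent 3128 3130 login=childproxy:CHANGE_ME

# Alternative a) instead: no login= option, the parent trusts the child's address.
# cache_peer parent.example.internal parent 3128 3130

# ---- squid.conf on the parent cache ----
# Exactly one host, not a subnet: with alternative a) anything that can send
# from this address skips proxy authentication on the parent.
acl child_proxy src 192.0.2.10/32
acl authenticated proxy_auth REQUIRED

# Alternative a): allow the child before the rule that demands credentials.
# Remove this line when using alternative b).
http_access allow child_proxy

# Everyone else (and the child under alternative b) must authenticate.
http_access allow authenticated
http_access deny all
```

Under either alternative the parent sees only the child proxy, not the individual NTLM user, so per-user attribution has to come from the child's access.log.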
