[squid-users] Authentication Chaining with WebMarshalSoftware..

From: Robert Dal Santo <robert_ds@dont-contact.us>
Date: Thu, 16 Dec 2004 05:05:22 +1000

Hi, we are about to install content filtering, virus scanning etc. using
the WebMarshal product. I've just been told that our current environment
will not work for the purposes of authentication chaining and that some
of our squid caches will need to be removed.

The background:

We have 15 or so regional child caches which are on WAN links. To access
Internet content, users must authenticate via the standard browser
pop-up. The regional caches pass any requests to access the Internet to the
parent squid cache which takes care of authentication BEFORE the
regional cache will deliver any content to the user. This happens even
if the content is cached on the regional server. So no one can get
Internet content unless they authenticate first.

It's proposed to use WebMarshal to provide the authentication now using
more complex rules and to also perform the logging and reporting on
Internet access.

**The Sticking Point**
I have been told that the user's authentication credentials CANNOT be
passed from squid to WebMarshal to allow WebMarshal to authenticate the
user. This is being presented as a risk that will result in regional
caches delivering cached content without first checking for
authentication with the upstream parent. The offered solution is to
remove the regional squid caches and have browsers talk directly over
WAN links to the WebMarshal server and then have a squid proxy BEHIND
the WebMarshal server to provide caching.

Can anyone offer comment on all these assertions? If I can avoid testing
this and potentially re-inventing the wheel by locally altering squid to
pass authentication credentials in a way that WebMarshal likes it would
save me a lot of time and pain.

Thanks,

Robert Dal Santo
Received on Wed Dec 15 2004 - 12:05:31 MST
