[squid-users] Problem with cache_peer_domain

From: <Werner.Rost@dont-contact.us>
Date: Wed, 23 Mar 2005 10:18:11 +0100

Squid Cache: Version 2.5.STABLE9

My local squid uses a parent proxy passing the login credentials to it:

    cache_peer frd-proxy parent 8080 3130 login=PASS no-query

For one special application (exchange data with "elster") this does not work
because of the logon procedure. I tried to solve it using ACLs and
cache_peer_domain.

   cache_peer frd-proxy parent 8080 3130 login=PASS no-query
   cache_peer frd-proxy-nologon parent 8080 3130 login=name:topsecret no-query

The application should not log on to the local proxy and should use the second
parent "frd-proxy-nologon".

   cache_peer_domain frd-proxy-nologon BOE-ELSTER
   cache_peer_domain frd-proxy !BOE-ELSTER

   acl BOE-ELSTER dst 80.146.179.0/255.255.255.0
   acl BOE-ELSTER dst 193.109.238.0/255.255.255.0
   http_access allow BOE-ELSTER

Unfortunately this does not work. access.log shows that the application
contacts the wrong proxy "frd-proxy" instead of "frd-proxy-nologon":

1111588597.594 696 10.23.5.205 TCP_MISS/407 1299 POST http://80.146.179.3/Elster2/EMS - FIRST_UP_PARENT/frd-proxy text/html
1111588598.154 543 10.23.5.205 TCP_MISS/407 1299 POST http://193.109.238.58/Elster2/EMS - FIRST_UP_PARENT/frd-proxy text/html
1111588598.815 649 10.23.5.205 TCP_MISS/407 1299 POST http://193.109.238.59/Elster2/EMS - FIRST_UP_PARENT/frd-proxy text/html
1111588599.132 304 10.23.5.205 TCP_MISS/407 1299 POST http://80.146.179.2/Elster2/EMS - FIRST_UP_PARENT/frd-proxy text/html

Debugging shows that the ACL BOE-ELSTER is working well:

2005/03/23 09:36:36| aclCheck: checking 'http_access allow BOE-ELSTER'
2005/03/23 09:36:36| aclMatchAclList: checking BOE-ELSTER
2005/03/23 09:36:36| aclMatchAcl: checking 'acl BOE-ELSTER dst 80.146.179.0/255.255.255.0'
2005/03/23 09:36:36| The request POST http://80.146.179.3:80/Elster2/EMS is ALLOWED, because it matched 'BOE-ELSTER'
2005/03/23 09:36:37| aclCheck: checking 'http_access allow BOE-ELSTER'
2005/03/23 09:36:37| aclMatchAclList: checking BOE-ELSTER
2005/03/23 09:36:37| aclMatchAcl: checking 'acl BOE-ELSTER dst 80.146.179.0/255.255.255.0'
2005/03/23 09:36:37| The request POST http://193.109.238.58:80/Elster2/EMS is ALLOWED, because it matched 'BOE-ELSTER'
2005/03/23 09:36:38| aclCheck: checking 'http_access allow BOE-ELSTER'
2005/03/23 09:36:38| aclMatchAclList: checking BOE-ELSTER
2005/03/23 09:36:38| aclMatchAcl: checking 'acl BOE-ELSTER dst 80.146.179.0/255.255.255.0'
2005/03/23 09:36:38| The request POST http://193.109.238.59:80/Elster2/EMS is ALLOWED, because it matched 'BOE-ELSTER'
2005/03/23 09:36:38| aclCheck: checking 'http_access allow BOE-ELSTER'
2005/03/23 09:36:38| aclMatchAclList: checking BOE-ELSTER
2005/03/23 09:36:38| aclMatchAcl: checking 'acl BOE-ELSTER dst 80.146.179.0/255.255.255.0'
2005/03/23 09:36:38| The request POST http://80.146.179.2:80/Elster2/EMS is ALLOWED, because it matched 'BOE-ELSTER'

Why does it use the wrong proxy?

Werner Rost
GMT-FIR - Netzwerk
 
ZF Boge Elastmetall GmbH
Friesdorfer Str. 175, 53175 Bonn, Deutschland/Germany
Telefon/Phone +49 228 3825 - 420
Telefax/Fax +49 228 3825 - 398
werner.rost@zf.com

>-----Original Message-----
>From: Henrik Nordstrom [mailto:hno@squid-cache.org]
>Sent: Saturday, 5 March 2005 03:47
>To: Rost Werner ZFBE GMT-ISN
>Cc: squid-users@squid-cache.org
>Subject: Re: [squid-users] Parent
>
>
>On Fri, 4 Mar 2005 Werner.Rost@zf.com wrote:
>
>> And now we have to avoid auth. on the parent for this URL. I need a
>> construct like
>> if NOLOGON then cache_peer parent-proxy parent 8080 3130 login=user:secret no-query
>>
>> which replaces "login=PASS" by a fixed username:password.
>>
>> How can we do this? Is it possible?
>
>Yes. You only need to use two different names for the same parent, and
>cache_peer_access to control what is sent "where".
>
>> Another possibility would be to define a second parent say
>> cache_peer parent-proxy-1 parent 8080 3130 login=user:secret no-query
>>
>> and connect this URL to this second proxy, say:
>> if NOLOGON then use parent-proxy-1
>>
>> How can we do this? Is it possible?
>
>same thing.
>
>Squid does not care if the two peers are the same proxy or two different
>proxies. All it cares is that it thinks it is two different proxies (by
>having different names in the cache_peer directive).
>
>Regards
>Henrik
>
Received on Wed Mar 23 2005 - 02:16:27 MST
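
The approach from the quoted reply (two peer names plus cache_peer_access), applied to the directives in this post, as an added example that is not part of the original thread. cache_peer_domain takes destination domain names rather than ACL names, so the ACL-based split is written with cache_peer_access; the position of http_access relative to any authentication rules is an assumption, since the post does not show them.

```squidconf
# Added example built from the directives quoted in the post.
# Peer names, networks and credentials are the post's own values.

# Define the ACL before any access list refers to it.
acl BOE-ELSTER dst 80.146.179.0/255.255.255.0
acl BOE-ELSTER dst 193.109.238.0/255.255.255.0

# Two names for the parent: one forwards the client's credentials,
# the other sends a fixed login.
cache_peer frd-proxy         parent 8080 3130 login=PASS no-query
cache_peer frd-proxy-nologon parent 8080 3130 login=name:topsecret no-query

# In the post, "cache_peer_domain frd-proxy !BOE-ELSTER" treats BOE-ELSTER
# as a domain name. No request is for that domain, so the negated entry
# matches everything and frd-proxy is selected, as access.log shows.
# cache_peer_access evaluates ACLs instead:
cache_peer_access frd-proxy-nologon allow BOE-ELSTER
cache_peer_access frd-proxy-nologon deny all
cache_peer_access frd-proxy deny BOE-ELSTER
cache_peer_access frd-proxy allow all

# Assumption: this line sits above any rule that requires local proxy
# authentication, so the application is admitted without logging on.
http_access allow BOE-ELSTER
```

With login=name:topsecret the parent credential is stored in squid.conf in plaintext, so the file should be readable only by root and the account Squid runs as.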
