[squid-users] Authentication with multiple Squids, DG 2.9

From: Geoff Varney <geoff.varney@dont-contact.us>
Date: Tue, 11 Jul 2006 11:54:31 -0700

Hi,
I posted this question on the DG list but haven't had any responses yet, so
I am hoping someone out there can help me with this problem. I have upgraded
some of my Squids to 2.6 and have installed DG 2.9.7.1 to use its new NTLM
capability. I have in the past been successful using Squid to
authenticate users with NTLM, then to DG, then Squid for cache. Since DG 2.9
provides better support for authentication I have eliminated the
authentication Squid server and send clients directly to DG with a parent
Squid that authenticates users. This has worked well in testing.

HOWEVER, I have 3 remote sites that use the same DG filter as the above
mentioned Squid. The problem is that when I connect to one of the remote
Squids it goes through the DG server and tries to authenticate AGAIN to the
Squid server (parent to DG) which I don't want. I'm already authenticating
at the remote site as it provides a Squid cache for the site avoiding
bandwidth use on already locally cached pages.

Also, I don't want to allow direct access to the main parent Squid (the one
downstream of DG) so I limit access to localhost (DG) and the IP of the
remote Squid servers. When I do this I get an access denied message when
using a remote proxy since it's apparently going *through* DG to the parent
Squid and trying to authenticate there as well, but is denied by IP
restriction. I can get this to work by opening up access to the parent
Squid to ALL IPs in the remote Squid server's IP range. I don't want to do
this.

Also, in the DG access.log (when I have it opened up so it all "works") I am
not getting usernames logged (just -) but am getting the IP (or host name in
my case) of the requester, or the remote Squid server. The DG parent Squid
does show the actual computer (not Squid) that made the request, via
follow_x_forwarded_for. DG is also using this successfully ONLY when the
request comes directly to DG from a client, not from another Squid server.

Is there any way to make this all work nice as follows:

Single DG server for entire school district

Single authenticating/caching Squid 2.6 server (for the DG subnet clients)
as parent to DG

Remote Squid 2.6 caching/authenticating servers authenticating local users
with DG as parent (which then of course goes through DG's parent Squid)

I would like to have authentication and logging at each of the remote sites,
and ALSO DG logging with username for all requests to DG, and authentication
and logging for the DG subnet via the DG parent Squid server.

I have messed around with Squid acls trying to figure a way for this to
work, can't get it. Is there perhaps something I can add to the cache_peer
line to help with this? Right now it's using " parent 8080 7 no-query
login=*:password default".

I have now been able to get this to "work" by not allowing
follow_x_forwarded_for (on DG parent Squid) for anything outside the DG
subnet, but then I get the DG IP (localhost) logged in the Squid access.log
and still no user for DG log.

Is there a way to make the DG parent Squid not attempt to authenticate any
requests outside of its local subnet or some other way to handle this? Or
will I end up needing to go back to the Squid->DG->Squid setup that I have
used successfully with DG 2.8 and Squid 2.5?

I hope this is reasonably clear. I can provide more info if it would help.
Using Squid 2.6STABLE1 and DG 2.9.7.1.

Thanks
Geoff
Received on Tue Jul 11 2006 - 12:56:01 MDT
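As an added illustration (not part of the post above, and not a tested answer to it), the following squid.conf fragment shows how the parent-Squid side of the restriction described in the message could be written: the remote caches admitted by source address without an authentication challenge, DG-subnet clients required to authenticate, and X-Forwarded-For trusted only from DG on localhost, with the wide-open range variant the poster wants to avoid left commented out. All addresses, acl names and the count of remote caches are assumptions; it assumes Squid 2.6 built with --enable-follow-x-forwarded-for and omits the auth_param lines that back the proxy_auth acl.

```conf
# Added example for the DG parent Squid (squid.conf, Squid 2.6 built with
# --enable-follow-x-forwarded-for). Not from the post; every address and acl
# name below is an assumption. auth_param lines are omitted.

acl localhost     src 127.0.0.1/32
acl dg_subnet     src 10.0.0.0/24                   # assumed: LAN whose clients go straight to DG
acl remote_squids src 10.1.0.5 10.2.0.5 10.3.0.5    # assumed: the three remote caches only
acl authenticated proxy_auth REQUIRED

# The setting the post describes opening up and then rejecting: admitting every
# host in the remote sites' ranges rather than just the caches.
#acl remote_sites src 10.1.0.0/24 10.2.0.0/24 10.3.0.0/24
#http_access allow remote_sites

# Believe X-Forwarded-For only when the request arrives from DG on localhost;
# a client anywhere else could otherwise forge an XFF header and be treated
# as whatever address it names.
follow_x_forwarded_for allow localhost
follow_x_forwarded_for deny all
acl_uses_indirect_client on      # src acls match the forwarded client, not 127.0.0.1
log_uses_indirect_client on      # access.log records that client as well

# http_access is evaluated top-down and the first matching line wins. Listing
# the remote caches before the proxy_auth acl means their requests are admitted
# by address and never receive a 407 challenge, while DG-subnet clients must
# authenticate. Anything matching neither line is refused.
http_access allow remote_squids
http_access allow dg_subnet authenticated
http_access deny all
```

Two caveats. Whether the indirect client of a request relayed from a remote site resolves to the remote cache or to the original workstation depends on which addresses the remote Squid and DG each place in X-Forwarded-For, which the post does not settle, so the remote_squids acl may need to be checked against what actually arrives in the parent's access.log. And the cache_peer option the post quotes, login=*:password, sends each user's own name together with one fixed password to the upstream proxy, so whatever answers that challenge must be configured to accept that password for every user; if the remote caches are admitted by address as above, that credential is never needed for them.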

This archive was generated by hypermail pre-2.1.9 : Tue Aug 01 2006 - 12:00:01 MDT