[squid-users] Separate parents for different ACLs

From: <andrew.lathrop@dont-contact.us>
Date: Fri, 16 Nov 2007 13:50:49 -0500

I am trying to get a squid proxy set up where the parent cache used will
differ by the NTLM group membership. I have the NTLM auths working
fine, and it will deny access based on group membership. However, when I try to
set up the different caches, the ACL seems to not respond. They are
actually the same parent cache, just with different upstream accounts. So

I have

proxy1 - General Use Proxy
proxy2 - Slightly less restrictive proxy
group1 - General use AD group
group2 - Less Restrictive AD group

using
cache_peer_access proxy2 allow group2
never kicks any requests to proxy2. If I comment out proxy1, I get a
"Failed to Select Source" error in the cache.log. I know that the AD
group checking is working because if I do
http_access deny !group2
any user in group1 will get a "user needs to auth" type message in their
browser, and disabling that line lets them get to the site.

Am I doing this incorrectly? I read somewhere that using the
cache_peer_access with an external_acl (the AD groups) is not ideal and
will occasionally return the incorrect parent, but I can't find any other
way to do this.

Any thoughts and suggestions would be greatly appreciated. Thanks,

Andrew
Received on Fri Nov 16 2007 - 11:50:55 MST
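
The setup described in the message, as an added example that is not the poster's configuration: the host name, port, upstream accounts and helper path are placeholders, and it assumes a Squid release that accepts name= on cache_peer so the same host can be listed twice. cache_peer_access is evaluated as a fast check that cannot wait on an external helper, so both group ACLs are tested in http_access first, where the lookup can complete and its result be cached.

```conf
# Added example. NTLM auth_param lines are omitted (already working per the post).
# Placeholders: upstream.example.com, port 8080, the login= accounts, helper path.

# AD group lookup through an external helper; results are cached for ttl seconds.
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl group1 external ad_group group1
acl group2 external ad_group group2

# The same upstream host listed twice. name= gives each entry its own identity
# for cache_peer_access; login= sets the account presented upstream.
cache_peer upstream.example.com parent 8080 0 no-query login=general:PLACEHOLDER name=proxy1
cache_peer upstream.example.com parent 8080 0 no-query login=relaxed:PLACEHOLDER name=proxy2

# http_access can wait for the helper. A group1-only user is checked against
# group2 (no match) and then group1 (match), so both results are cached
# before peer selection runs. A group2 user matches on the first line.
http_access allow group2
http_access allow group1
http_access deny all

# Peer selection only reads the cached results.
cache_peer_access proxy2 allow group2
cache_peer_access proxy2 deny all
cache_peer_access proxy1 deny group2
cache_peer_access proxy1 allow group1
cache_peer_access proxy1 deny all

# Force every request through a parent rather than going direct.
never_direct allow all
```

If a cached group result expires between the http_access check and peer selection, the fast check has nothing to read and neither peer matches, which is one way the wrong-parent or "Failed to Select Source" symptom can appear.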
