Re: [squid-users] Forwarding loop detected issue from Ricardo Nuno on 2009-02-06 (squid-users)

From: Ricardo Nuno <ricardo.nuno_at_moonlight.pt>
Date: Fri, 6 Feb 2009 10:13:55 +0000 (WET)

Hello Amos,

| I would have thought Squid->DG->Internet would be sufficient to meet those
| needs. With the front squid doing cache+auth of stuff that gets past the
| DG filtering. (and DG doing less work on cacheable things its already
| scanned once).

I tried that too. But it does not work.

|
| NP: Squid2 in your setup must NOT do any peering. Remember this is the
| EXIT. All access is direct to the Internet. It's one and only client is
| DG.

Yes. This solved the loop issue. Ans puting the cache_peer directive on
Squid1 with the "never_direct allow all".

| Don't include any unique stuff into both configs.
| If you need usernames logged at Squid2 at all use the fakeauth helper and
| LoggingOnly setup on that squid:
| http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly

Now here lies my new problem. I do need to login UserName+IP on the access.log
of the Squid2(Cache). Now that the loop is fixed it stop recording the UserName
only record IP, like this:

1233913862.159 6 192.168.20.140 TCP_MISS/304 250 GET http://m80.clix.pt/styles/m80_txt.css - DIRECT/195.23.102.200 -

I tried to use fakeauth as you suggested but when I do auth stop working.
On IE it keeps asking for my credentials and just keep denying.
I follow the docs on Squid Wiki but i get this on the log:

2009/02/06 10:03:02| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic c2JhdGFsaGE6bm9wYXNzd29yZA=='

This is what I added on Squid2(Cache):

auth_param ntlm program /usr/lib/squid/fakeauth_auth -d -v
auth_param ntlm children 10
auth_param ntlm realm Proxy Server
auth_param ntlm credentialsttl 1 hours
auth_param ntlm casesensitive off

acl logauth proxy_auth REQUIRED
http_access deny !logauth all

I think that i'm not using fakeauth the right way or something.
In alternative i could use the access.log from Squid1(NTML) for my reports because here
i get UserName+IP but I think if I use this one i will get more false positives like alot
of the DENIED, or i'm wrong and should just use it?

Thanks for all your help,
-- RIcardo
Received on Fri Feb 06 2009 - 10:14:14 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 06 2009 - 12:00:02 MST