Re: [squid-users] [squid 2.7 stable 3][ubuntu 9.04][shared usage with two proxies]

From: Chris Robertson <crobertson_at_gci.net>
Date: Wed, 01 Jul 2009 12:16:28 -0800

Volker Jahns wrote:
> Hi all.
>
> I don't know which headline is the best one, so sorry for probably a bad
> one.
>
> What is the problem?
>
> I want to work with two (or more) squid proxies called P1 and P2 (perhaps two
> or three P2-type servers). But first it should work with simply one P2
> server.
>
> P1: The task for P1 is authorization in our HQ for all users. Even for the
> users in the branches.
>
> P2: The task for P2 is caching only at the internet interface somewhere in
> the network after P1 accepts the authorization in the HQ also for the users
> in the branches and moves the request direct to the requesting client.
>
> Every branch is at least one network plus the HQ network. To reduce the
> traffic in the whole network I want P2 to send the requested pages from
> the internet or its own cache to the branch and not via P1 in the HQ. The
> background: no senseless traffic at the HQ gateway.
>
> A short data flow the usual way:
>
> Branch client x --> authorization HQ (P1) --> forward request --> internet
> gateway (P2) --> get request internet or cache (P2) --> deliver page --> P1
> --> deliver page client x Branch
>
> A short data flow example how it should work:
>
> Branch client x --> authorization HQ (P1) --> forward request --> internet
> gateway (P2) --> get request internet or cache (P2) --> deliver page -->
> client x Branch
>
> The difference seems to be small but it is important.
>
> First question in general: does it work?
>

So, for example, your P1 proxy has an IP address of 10.0.0.5 and your P2
proxy has an IP address of 10.10.10.5. Your client (10.20.20.200) makes
a request for a web object from 10.0.0.5 and (since it has already made
a request and "knows" that authentication is required) sends its
authentication credentials. 10.0.0.5 sends the request to 10.10.10.5.
There is no way for 10.10.10.5 to send a reply to 10.20.20.200, as there
is no TCP connection to send the reply on.

> Second question if it works: how do I configure this?
>

Your best bet would be to just send your clients to the P2 server, and
let it pull the authentication from the source currently being used by
the P1 server.

> Until now I have P1 configured as sibling with a second cache (P2) as
> parent, acting as origin server with no via and no http11.

Wait, what? You have a forward proxy going to a reverse proxy, which is
accelerating the entire internet, while stripping the Via header?

> The authorization on P1 works and P2 tries to get the requested page. But in fact on the way
> from P1 to P2 the URI header information (simply a "/" was left) is lost and
> in the end it is not working yet.
>

I imagine it's not...

> Hope someone could help.
> Volker
>

Chris
Received on Wed Jul 01 2009 - 20:16:39 MDT
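
Chris's point that P2 has no TCP connection on which to answer the branch client, as an added example that is not part of the original message: a loopback sketch in Python where hypothetical stand-ins for P1 and P2 record which socket peer each one sees. The function name, the loopback addresses and the dummy request are assumptions made for illustration.

```python
import socket
import threading

def run_chain():
    """Run client -> P1 -> P2 on loopback; return what each hop observed."""
    seen = {}
    p2 = socket.create_server(("127.0.0.1", 0))  # stand-in for the caching proxy
    p1 = socket.create_server(("127.0.0.1", 0))  # stand-in for the auth proxy

    def p2_serve():
        conn, peer = p2.accept()
        with conn:
            seen["p2_peer"] = peer               # the only party P2 can reply to
            conn.recv(4096)
            conn.sendall(b"page-from-P2")        # goes back on P1's connection

    def p1_serve():
        conn, peer = p1.accept()
        with conn:
            seen["p1_peer"] = peer
            request = conn.recv(4096)
            # P1 opens its own, second TCP connection towards P2.
            with socket.create_connection(p2.getsockname()) as upstream:
                seen["p1_upstream"] = upstream.getsockname()
                upstream.sendall(request)
                conn.sendall(upstream.recv(4096))  # P1 has to relay the reply

    threads = [threading.Thread(target=f) for f in (p2_serve, p1_serve)]
    for t in threads:
        t.start()
    with socket.create_connection(p1.getsockname()) as client:
        seen["client"] = client.getsockname()
        # Constructed sample request; the host name is a placeholder.
        client.sendall(b"GET http://example.invalid/ HTTP/1.0\r\n\r\n")
        seen["reply"] = client.recv(4096)
    for t in threads:
        t.join()
    p1.close()
    p2.close()
    return seen

if __name__ == "__main__":
    for key, value in run_chain().items():
        print(key, value)
```

The peer address P2 records is the source address of P1's upstream socket, so the page reaches the client only because P1 copies it onto the client's own connection.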
