Re: [squid-users] [squid 2.7 stable 3][ubuntu 9.04][shared usage with two proxies]

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 02 Jul 2009 13:48:22 +1200

On Wed, 01 Jul 2009 12:16:28 -0800, Chris Robertson <crobertson_at_gci.net>
wrote:
> Volker Jahns wrote:
>> Hi all.
>>
>> I don't know which headline is the best one, so sorry for probably a bad
>> one.
>>
>> What is the problem?
>>
>> I want to work with two (or more) squid proxies called P1 and P2 (perhaps two
>> or three P2 kind server). But first it should work with simply one P2
>> server.
>>
>> P1: The task for P1 is authorization in our HQ for all users. Even for the
>> users in the branches.
>>
>> P2: The task for P2 is caching only at the internet interface somewhere in
>> the network after P1 accepts the authorization in the HQ also for the users
>> in the branches and moves the request direct to the requesting client.
>>
>> Every branch is at least one network plus the HQ network. For reducing the
>> traffic in the whole network I want, that P2 sends the requested pages from
>> the internet or its own cache to branch and not via P1 in the HQ. The
>> background: no senseless traffic at the HQ gateway.
>>
>> A short data flow the usual way:
>>
>> Branch client x --> authorization HQ (P1) --> forward request --> internet
>> gateway (P2) --> get request internet or cache (P2) --> deliver page --> P1
>> --> deliver page client x Branch
>>
>> A short data flow example how it should work:
>>
>> Branch client x --> authorization HQ (P1) --> forward request --> internet
>> gateway (P2) --> get request internet or cache (P2) --> deliver page -->
>> client x Branch
>>
>> The difference seems to be small but it is important.
>>
>> First question for general: does it work?
>>
>
> So, for example, your P1 proxy has an IP address of 10.0.0.5 and your P2
> proxy has an IP address of 10.10.10.5. Your client (10.20.20.200) makes
> a request for a web object from 10.0.0.5 and (since it has already made
> a request and "knows" that authentication is required) sends its
> authentication credentials. 10.0.0.5 sends the request to 10.10.10.5.
> There is no way for 10.10.10.5 to send a reply to 10.20.20.200, as there
> is no TCP connection to send the reply on.
>
>> Second question if it works: how do I configure this?
>>
>
> Your best bet would be to just send your clients to the P2 server, and
> let it pull the authentication from the source currently being used by
> the P1 server.
>
>> Until now I have P1 configured as sibling with a second cache (P2) as
>> parent, acting as origin server with no via and no http11.
>
> Wait, what? You have a forward proxy going to a reverse proxy, which is
> accelerating the entire internet, while stripping the Via header?

It happens. Some people mistake the meaning of 'originserver'. Others
discover that they get an auth popup when they do this, without realizing
the consequences of where those internal credentials are being displayed.

What you want, Volker, is to "cache_peer ... login=PASS" down the parent
link. Drop the 'originserver' option. And as Chris said, allow as many
squid as possible to do their own auth checks to the right source.

>
>> The authorization on P1 works and P2 tries to get the requested page. But
>> in fact on the way from P1 to P2 the URI header information (simply a "/"
>> was left) is lost and in the end it is not working yet.
>>
>
> I imagine it's not...
>
>> Hope someone could help.
>> Volker
>>
>
> Chris

Amos
Received on Thu Jul 02 2009 - 01:48:27 MDT
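
The advice in the reply above (drop 'originserver', use login=PASS on the parent link), turned into a small config check. This is an added example, not code from the thread or from the Squid project; the sample cache_peer lines are constructed, 10.10.10.5 is the P2 address from Chris's example, and the ports and function names are assumptions.

```python
# Constructed squid.conf fragments for P1 (not taken from the thread).
# 10.10.10.5 is the P2 address used in Chris's example; ports are assumed.
BEFORE = "cache_peer 10.10.10.5 parent 3128 3130 originserver\n"
AFTER = "cache_peer 10.10.10.5 parent 3128 3130 login=PASS\n"


def parse_cache_peers(conf_text):
    """Yield one dict per cache_peer line: host, type, ports and options."""
    for raw in conf_text.splitlines():
        fields = raw.split()
        # cache_peer <host> <type> <http-port> <icp-port> [options...]
        # Comment lines start with '#', so fields[0] never matches for them.
        if len(fields) < 5 or fields[0] != "cache_peer":
            continue
        yield {
            "host": fields[1],
            "type": fields[2],
            "http_port": int(fields[3]),
            "icp_port": int(fields[4]),
            "options": fields[5:],
        }


def audit_forward_chain(conf_text):
    """Check parent links of a forward-proxy chain against the reply's advice.

    Assumes conf_text belongs to a forward proxy; on a reverse proxy
    'originserver' is the normal way to name the backend web server.
    """
    findings = []
    for peer in parse_cache_peers(conf_text):
        if peer["type"] != "parent":
            continue  # siblings are not part of the auth hand-off discussed here
        opts = peer["options"]
        if "originserver" in opts:
            findings.append((peer["host"], "DROP_ORIGINSERVER"))
        if "login=PASS" not in opts:
            findings.append((peer["host"], "ADD_LOGIN_PASS"))
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_forward_chain(conf) or "ok")
```

With login=PASS the user's credentials travel to the parent as they are, so the parent has to check them against the same authentication source.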