[squid-users] Transparent proxy to upstream authenticating proxy

From: Vosloo, Jaco <JVosloo_at_wesbank.co.za>
Date: Fri, 24 Jul 2009 17:29:09 +0200

I need to configure a transparent proxy to an upstream authenticating
proxy and I believe that Squid should be able to do this. I've been
searching the net for months now and would really appreciate any advice
or pointers.

1. I cannot use the standard upstream cache peer methods because the
upstream "Blue Coat" proxy uses NTLM authentication and cannot work
with an intermediate proxy. I have no control over the upstream proxy.
2. The FAQ says authentication cannot be run on a transparent proxy;
this is acceptable because I do not want to authenticate on the
transparent proxy. I want the transparent proxy to let the user
authenticate to the upstream proxy.
3. I have considered using reverse proxy mode; if you think it is worth
a try, please say so.

From the FAQ at SquidFaq/InterceptionProxy:
Q: Why can't I use authentication together with interception proxying?
A: Interception Proxying works by having an active agent (the proxy)
where there should be none. The browser is not expecting it to be there,
and it's for all effects and purposes being cheated or, at best,
confused. As a user of that browser, I would require it not to give
away any credentials to an unexpected party, wouldn't you agree?
Especially so when the user-agent can do so without notifying the user,
like Microsoft browsers can do when the proxy offers any of the
Microsoft-designed authentication schemes such as NTLM. In other words,
it's not a squid bug, but a browser security feature.

Q: Can I use 'proxy_auth' with interception?
A: No, you cannot. See the answer to the previous question. With
interception proxying, the client thinks it is talking to an origin
server and would never send the Proxy-authorization request header.

PS. My OS is OpenSolaris.

Thanks for the help
Jaco Vosloo
Software Architect
"Most Enterprise Architecture frameworks help you plan where you are
going. TOGAF, uniquely guides you along the way."

Received on Fri Jul 24 2009 - 15:30:28 MDT
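
The FAQ's point about interception can be seen in the request itself. The following is an added example, not part of the original post or of Squid: it classifies an HTTP/1.x request by its request-target form to show whether the client believed it was talking to a proxy, and therefore which authentication challenge it would treat as legitimate. The sample requests, the host name and the function name are constructed for illustration.

```python
# Added illustration; sample requests are constructed, not captured traffic.
from urllib.parse import urlsplit

# What an intercepted browser sends: origin-form target, no proxy headers.
INTERCEPTED = (b"GET /index.html HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")
# What a browser configured with an explicit proxy sends: absolute-form target.
EXPLICIT = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Proxy-Authorization: NTLM PLACEHOLDER\r\n\r\n")
# HTTPS through an explicit proxy: CONNECT with an authority-form target.
TUNNEL = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
          b"Host: www.example.com:443\r\n\r\n")

def classify_request(raw: bytes) -> dict:
    """Classify a request by request-target form (RFC 7230, section 5.3)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        form = "authority-form"
    elif target == "*":
        form = "asterisk-form"
    elif target.startswith("/"):
        form = "origin-form"
    elif urlsplit(target).scheme and urlsplit(target).netloc:
        form = "absolute-form"
    else:
        raise ValueError(f"unrecognised request-target: {target!r}")

    # Only absolute-form and CONNECT requests are addressed to a proxy.
    proxy_aware = form in ("absolute-form", "authority-form")
    return {
        "form": form,
        "proxy_aware": proxy_aware,
        "sent_proxy_credentials": "proxy-authorization" in headers,
        # A client that did not choose a proxy only expects 401 from the
        # origin server; a 407 from an interceptor goes unanswered.
        "expected_challenge": 407 if proxy_aware else 401,
    }
```

A request that arrives in origin-form carries no Proxy-Authorization header to pass upstream, which is the situation the two FAQ answers describe.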
