RE: [squid-users] Transparent proxy to upstream authenticating proxy

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Mon, 27 Jul 2009 13:55:35 +0200

Mon 2009-07-27 at 13:19 +0200, Vosloo, Jaco wrote:

> The browser is configured to use the upstream proxy. I want the
> transparent proxy to be a MITM between the browser and the upstream
> proxy and cache whatever can be cached. This is why I am wondering if a
> reverse proxy in front of the upstream proxy might provide the solution?

Thanks for your clarification. Your setup is much clearer to me now.

You need to use the "login=PASS" argument in cache_peer when forwarding
the traffic, and configure your Squid as a non-transparent proxy even if
it has traffic redirected to it via NAT. The "transparent" option
applies only when the browser is not configured to use a proxy, not
when the browser is configured to use a proxy but is being sent via NAT
to another proxy than configured.

If the upstream proxy is using Microsoft NTLM/Negotiate integrated login
then you need to use a version of Squid that supports the needed HTTP
protocol workarounds to support forwarding of this (as it completely
violates HTTP message/transport semantics). That currently means the
legacy Squid-2.7 stable release or Squid-3.1 beta releases. Squid-3.0
does not support forwarding of NTLM/Negotiate authentication.

If the upstream is relating authentication to the client IP (instead of
request/connections) then you also need to use the tproxy feature, to
make the proxy spoof using the client IP when talking to the upstream
proxy. But this depends on how the upstream manages logged in sessions.

Regards
Henrik
Received on Mon Jul 27 2009 - 11:55:44 MDT
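
Added example, not part of the original message or the Squid project's own configuration: a minimal squid.conf sketch of the setup described in the reply above, with a plain (non-transparent) listening port for the NAT-redirected traffic and the upstream proxy as a parent with login=PASS. The peer hostname, ports and client network are placeholders.

```conf
# Constructed example; upstream.example.net, the ports and 192.0.2.0/24
# are placeholders, not values from the thread.

# Port that receives the NAT-redirected browser traffic.
# No "transparent" option: the browsers are already configured for a proxy,
# so they send proxy-style requests (absolute URLs, Proxy-Authorization).
http_port 3128

# Only the redirected client network may use this proxy.
acl clients src 192.0.2.0/24
http_access allow clients
http_access deny all

# The upstream authenticating proxy is the only parent.
# login=PASS relays the browser's proxy credentials to the peer unchanged,
# so point it only at the proxy the browsers were meant to authenticate to.
cache_peer upstream.example.net parent 8080 0 no-query default login=PASS

# Never fetch directly from origin servers; everything that is not a
# cache hit goes through the parent.
never_direct allow all
```

This sketch covers the login=PASS case only. Forwarding NTLM/Negotiate needs one of the Squid versions named in the message, and an upstream that ties sessions to client IP needs the tproxy feature as well.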
