Re: [squid-users] Forwarding Apache .htaccess authentication

From: Chris Robertson <crobertson_at_gci.net>
Date: Wed, 14 Oct 2009 15:48:52 -0800

Kaya Saman wrote:
> Many thanks for the response!!
>>
>> From
>> http://www.squid-cache.org/Versions/v2/2.6/cfgman/cache_peer.html...
>>
>> use 'login=PASS' if users must authenticate against the upstream
>> proxy or in the case of a reverse proxy configuration, the origin web
>> server. This will pass the users credentials as they are to the
>> peer. Note: To combine this with local authentication the Basic
>> authentication scheme must be used, and both servers must share the
>> same user database as HTTP only allows for a single login (one for
>> proxy, one for origin server). Also be warned this will expose your
>> users proxy password to the peer. USE WITH CAUTION
>>
>
> You mean use something like:
>
> cache_peer parent.foo.net parent 3128 3130 proxy-only default login=PASS
>
> ???

Yes.

>
> I took my config from here originally:
>
> http://wiki.squid-cache.org/ConfigExamples/Reverse/MultipleWebservers
>
> with this layout of syntax:
>
> [code]
> cache_peer ip.of.server1 parent 80 0 no-query originserver name=server_1
> acl sites_server_1 dstdomain www.example.com example.com
> cache_peer_access server_1 allow sites_server_1
>
>
> cache_peer ip.of.server2 parent 80 0 no-query originserver name=server_2
> acl sites_server_2 dstdomain www.example.net download.example.com .example.net
> cache_peer_access server_2 allow sites_server_2
> [/code]
>
> so for my setup I would need to do this I guess:
>
> [code]
> cache_peer ip.of.server1 parent 80 0 no-query login=PASS originserver name=server_1
> acl sites_server_1 dstdomain www.example.com example.com
> cache_peer_access server_1 allow sites_server_1
> [/code]
>
> unless I misunderstood the whole deal???

You seem to understand quite well. :o)

>
>>
>>
>> And change that password everywhere it's used. :o) Basic
>> authentication just encodes the credentials using Base64, which is
>> reversible.
>>
>
> You mean change the password now that the encrypted string has been
> opened up to the list??

Yes.

>
> Kaya
>

Chris
Received on Wed Oct 14 2009 - 23:49:15 MDT
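
Added example, not part of the original thread or of Squid itself: a small audit that lists which cache_peer lines forward user credentials with login=PASS, plus a decoder showing why a Basic credential must be treated as plaintext. The sample config, the header value, the peer names and the exposure labels are constructed; it assumes the peer link is encrypted only when the cache_peer `ssl` option is present.

```python
import base64

# Constructed sample config in the layout quoted in the thread (documentation IPs).
SAMPLE_CONF = """\
cache_peer 192.0.2.10 parent 80 0 no-query originserver login=PASS name=server_1
cache_peer 192.0.2.11 parent 443 0 no-query originserver ssl login=PASS name=server_2
cache_peer 192.0.2.12 parent 80 0 no-query originserver name=server_3
# cache_peer 192.0.2.13 parent 80 0 no-query login=PASS name=disabled
"""

# Constructed header value: Base64 of "alice:s3cret".
SAMPLE_HEADER = "Basic YWxpY2U6czNjcmV0"


def decode_basic(header_value):
    """Recover (user, password) from the value of an Authorization: Basic header."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def audit_cache_peers(conf_text):
    """List (peer name, exposure) for every active cache_peer using login=PASS."""
    findings = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        # cache_peer hostname type http-port icp-port [options]
        if len(fields) < 5 or fields[0] != "cache_peer":
            continue
        host, options = fields[1], fields[5:]
        if "login=PASS" not in options:
            continue
        name = next((o[5:] for o in options if o.startswith("name=")), host)
        # Without 'ssl' the Base64 credentials cross the network to the peer in clear.
        exposure = "peer-only" if "ssl" in options else "peer-and-network"
        findings.append((name, exposure))
    return findings


if __name__ == "__main__":
    print(decode_basic(SAMPLE_HEADER))
    for name, exposure in audit_cache_peers(SAMPLE_CONF):
        print(f"{name}: user credentials forwarded, visible to {exposure}")
```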

This archive was generated by hypermail 2.2.0 : Thu Oct 15 2009 - 12:00:03 MDT