Re: [squid-users] One instance as both, proxy and reverse proxy

From: Bastian Spanneberg <bastian.spanneberg_at_linkwerk.com>
Date: Wed, 24 Feb 2010 16:27:44 +0100

Thx again for the help, Henrik

> localhost is not in your list of sites/domains to forward to the
> SERVICES cache_peer...
>
> but most do not want this.. they want localhost services to be
> restricted to browsers running on the same box, not random clients out
> anywhere on the net..
>

That was mainly intended for test purposes, but meanwhile, I just edited
my /etc/hosts for testing, and my current setup seems to work nice
concerning this.

> You need to tell Squid that the peer is trusted for forwarding login
> credentials. See the login= option to cache_peer.
>

That was exactly what was missing, and this works nice now, too.
But I'm still not finished yet :)

Now, I added a parent proxy and proxy-authentication to the forwarding
proxy configuration, and the new problem is, that when I use the
instance as proxy now, I'm prompted for authentication for every host I
visit/connect to.

It looks like the browser (Firefox) sees the proxy authentication as
basic HTTP authentication on every site.

Here are the important parts of my current configuration:

 http_port 80 accel

 cache_peer 127.0.0.1 parent 7070 0 no-query originserver login=PASS name=SERVICES
 acl FOO dstdomain www.example.net
 cache_peer_access SERVICES allow FOO
 cache_peer_access SERVICES deny all
 acl CONNECT method CONNECT
 never_direct allow FOO !CONNECT

 auth_param basic program /usr/lib/squid/db_auth --user user --password pass --plaintext --persist
 auth_param basic children 5
 auth_param basic realm Proxy-Auth
 auth_param basic credentialsttl 1 minute
 auth_param basic casesensitive off
 acl db-auth proxy_auth REQUIRED

 [...]

 http_access allow db-auth
 http_access allow localhost
 http_access deny all
 http_access deny purge
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost
 http_access deny all
 icp_access allow all

 cache_peer 127.0.0.1 parent 9090 0 no-query name=PROXY
 cache_peer_access PROXY allow db-auth

Any ideas why the authentication is regarded as basic HTTP by the browser?

--
Linkwerk - Software and consulting for networked information
Phone: +49 40 69 66 48 14
Web: www.linkwerk.com

Linkwerk GmbH, Oberaltenallee 20a, 22081 Hamburg,
Commercial Register Hamburg, HRB 95084
Managing Director: Stefan Mintert
Received on Wed Feb 24 2010 - 15:27:45 MST
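
An added example, not part of the original message or of Squid itself: a small lint over the directives quoted above that flags http_access rules placed after a catch-all (http_access is first-match, so they are never evaluated) and a proxy_auth ACL used when every http_port is in accel mode. It assumes Squid answers on an accel port with a 401 origin-style challenge rather than a 407 proxy challenge; `lint_squid_conf` and `SAMPLE_CONF` are hypothetical names.

```python
# Constructed sample: the http_port, acl and http_access lines shown in the message.
SAMPLE_CONF = """\
http_port 80 accel
acl CONNECT method CONNECT
acl db-auth proxy_auth REQUIRED
http_access allow db-auth
http_access allow localhost
http_access deny all
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""


def lint_squid_conf(text):
    """Return sorted (line_number, message) findings for two ordering/mode mistakes."""
    findings, ports, auth_acls, catch_all = [], [], set(), None
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "http_port":
            ports.append((no, "accel" in tok[2:]))
        elif tok[0] == "acl" and len(tok) >= 3 and tok[2].startswith("proxy_auth"):
            auth_acls.add(tok[1])
        elif tok[0] == "http_access" and len(tok) >= 3:
            if catch_all is not None:
                # First match wins, so nothing after "allow|deny all" is reached.
                findings.append((no, f"unreachable: follows catch-all on line {catch_all}"))
            elif tok[2:] == ["all"]:
                catch_all = no
    # Assumption: accel-mode ports challenge with 401 (WWW-Authenticate), not 407.
    if auth_acls and ports and all(accel for _, accel in ports):
        findings.append((ports[0][0], "proxy_auth ACL but every http_port is accel: "
                         "challenge goes out as 401, not 407"))
    return sorted(findings)


if __name__ == "__main__":
    for no, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```

On the sample, the Safe_ports and CONNECT restrictions are reported as unreachable, which means they never constrain authenticated clients in the rule order shown.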
