[squid-users] handing off usernames to parent proxies

From: E.S. Rosenberg <esr+squid_at_g.jct.ac.il>
Date: Tue, 18 Oct 2011 13:53:18 +0200

Hi all,
We currently have a setup with proxies that use NTLM authentication
(we hope to upgrade to Kerberos in the future) and based on the
username send the user to one of several parent proxies, to improve
caching we would like to instead route all traffic through one proxy
that is heavily optimized for caching (has its own large storage
etc.).

I saw in the documentation that it is possible to pass the
authentication to the parent, as far as I can tell I can 'tell' the
parent in several ways how to route the client:
- I can pass the username to the parent
- I can 'NAT' the user's connection as it leaves the child proxy (src
ip rewrite rules) and have source IP based rules on the parent.
- I could set up multiple instances of the same parent with different
login details and 'route' based on username to each of said 'parents'

It seems to me that the second option would result in better
performance on the one hand but on the other hand it would add more
obfuscation, however performance is more important to me.

Am I correct in my analysis? Is passing the username to parent a lot
slower, would it require another ntlm-auth binary running on the
parent or can the username just pass cleartext between the proxies
and therefore the whole 'authentication' is a lot faster....

Thanks for your brain-cycles,
Eli
Received on Tue Oct 18 2011 - 11:53:24 MDT
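
The three options listed in the post, sketched as squid.conf directives on the child proxy. This is an added example, not part of the original message; the peer name, ACL names, user names, addresses and passwords are constructed placeholders.

```conf
# --- child proxy: authenticates clients, forwards everything to one parent ---
# All names and values below are hypothetical placeholders.
acl authed  proxy_auth REQUIRED
acl group_a proxy_auth alice bob      # constructed user names
acl group_b proxy_auth carol
http_access allow authed
http_access deny all
never_direct allow all                # never bypass the parent

# Option 1: pass the username to the parent.
# login=*:password forwards the authenticated username with a fixed
# password in a Basic Proxy-Authorization header, so the parent needs no
# NTLM helper, only a rule that accepts that shared password.
# The parent trusts whatever username arrives: restrict its http_access
# to the child's source address.
cache_peer parent.example.net parent 3128 0 no-query default login=*:SharedSecret

# Option 2: pick the outgoing source address per group; the parent then
# routes with "acl ... src" rules. Squid's documentation advises
# "server_persistent_connections off" when this directive depends on
# client-specific ACLs.
#tcp_outgoing_address 192.0.2.11 group_a
#tcp_outgoing_address 192.0.2.12 group_b
#server_persistent_connections off

# Option 3: declare the same parent twice under different names, each
# with its own fixed login, and select the peer by username.
#cache_peer parent.example.net parent 3128 0 no-query name=peer_a login=group_a:SecretA
#cache_peer parent.example.net parent 3128 0 no-query name=peer_b login=group_b:SecretB
#cache_peer_access peer_a allow group_a
#cache_peer_access peer_a deny all
#cache_peer_access peer_b allow group_b
#cache_peer_access peer_b deny all
```

Only one option should be active at a time; in options 1 and 3 the credentials cross the child-to-parent link in Basic encoding, so that link should be a trusted segment.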
