Re: [squid-users] handing off usernames to parent proxies

From: Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>
Date: Tue, 18 Oct 2011 18:22:47 -0500

2011/10/18 E.S. Rosenberg <esr+squid_at_g.jct.ac.il>:
> Hi all,
> We currently have a setup with proxies that use NTLM authentication
> (we hope to upgrade to kerberos in the future) and based on the
> username send the user to one of several parent proxies, to improve
> caching we would like to instead route all traffic through one proxy
> that is heavily optimized for caching (has its own large storage
> etc.).
>
> I saw in the documentation that it is possible to pass the
> authentication to the parent, as far as I can tell I can 'tell' the
> parent in several ways how to route the client:
> - I can pass the username to the parent
> - I can 'NAT' the user's connection as it leaves the child proxy (src
> ip rewrite rules) and have source IP based rules on the parent.
> - I could set up multiple instances of the same parent with different
> login details and 'route' based on username to each of said 'parents'
>
> It seems to me that the second option would result in better
> performance on the one hand but on the other hand it would add more
> obfuscation, however performance is more important to me.
>
> Am I correct in my analysis? Is passing the username to parent a lot
> slower, would it require another ntlm-auth binary running on the
> parent or can the username just pass cleartext between the proxies
> and therefore the whole 'authentication' is a lot faster....
>
> Thanks for your brain-cycles,
> Eli
>

Just wondering why you need to pass the username to the 2nd layer proxy. I
mean, the 1st layer, the one that does authentication, also does the
filtering permissions.

LD
http://www.twitter.com/ldlq
Received on Tue Oct 18 2011 - 23:22:54 MDT
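
The first option in the quoted question (passing the username to the parent), sketched as an added squid.conf example that is not part of either message. Hostname, addresses, usernames, the shared secret and the helper path are constructed placeholders, and the choice of a Basic helper on the parent is an assumption.

```conf
# --- child proxy (authenticates clients, e.g. with NTLM) ---
# login=*:password forwards the already-authenticated username to the
# parent with a fixed password instead of the client's own credentials.
# It is sent as a Basic Proxy-Authorization header (base64, not
# encrypted), so the child-to-parent link must be a trusted network.
cache_peer parent.example.internal parent 3128 0 no-query default login=*:SHARED_SECRET_PLACEHOLDER
never_direct allow all

# --- parent proxy (caching tier) ---
# The username is only an assertion made by the child, so nothing except
# the child proxies may reach the parent.
acl child_proxies src 192.0.2.10 192.0.2.11
http_access deny !child_proxies

# Assumption: a Basic helper that accepts any username presented with
# the shared secret. The path is a placeholder, not a real helper name.
auth_param basic program /path/to/basic-auth-helper
auth_param basic realm parent-cache

# Per-user rules on the parent, keyed on the forwarded username.
acl group_a proxy_auth alice bob
http_access allow group_a
http_access deny all
```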