Re: [squid-users] handing off usernames to parent proxies from E.S. Rosenberg on 2011-10-20 (squid-users)

From: E.S. Rosenberg <esr_at_g.jct.ac.il>
Date: Thu, 20 Oct 2011 18:59:39 +0200

2011/10/19 Luis Daniel Lucio Quiroz <luis.daniel.lucio_at_gmail.com>:
> 2011/10/18 E.S. Rosenberg <esr+squid_at_g.jct.ac.il>:
>> Hi all,
>> We currently have a setup with proxies that use NTLM authentication
>> (we hope to upgrade to kerberos in the future) and based on the
>> username send the user to one of several parent proxies, to improve
>> caching we would like to instead route all traffic through one proxy
>> that is heavily optimized for caching (has it's own large storage
>> etc.).
>>
>> I saw in the documentation that it is possible to pass the
>> authentication to the parent, as far as I can tell I can 'tell' the
>> parent in several ways how to route the client:
>> - I can pass the username to the parent
>> - I can 'NAT' the users connection as it leaves the child proxy (src
>> ip rewrite rules) and have source IP based rules on the parent.
>> - I could setup multiple instances of the same parent with different
>> login details and 'route' based on username to each of said 'parents'
>>
>> It seems to me that the second option would result in better
>> performance on the one hand but on the other hand it would add more
>> obfuscation, however performance is more important to me.
>>
>> Am I correct in my analysis? Is passing the username to parent a lot
>> slower, would it require another ntlm-auth binary running on the
>> parent or can the username just pass cleartext between the proxies
>> and therefor the whole 'authentication' is a lot faster....
>>
>> Thanks for your brain-cycles,
>> Eli
>>
>
> Just wondering, why you need to pass username to 2nd layer proxy. I
> mean, 1rst layer, the one who does authentication does also filtering
> permitions.
The first layer/tier does very basic filtering, the rest is either
handled by a specialized ISP with different plans for different
campuses or no filtering for staff members going through a separate
ISP and WAN line.

So the parent either needs to know the username, or just what plan to
use for the incoming session.
Regards,
Eli
>
> LD
> http://www.twitter.com/ldlq
>
Received on Thu Oct 20 2011 - 16:59:47 MDT

This archive was generated by hypermail 2.2.0 : Thu Oct 20 2011 - 12:00:03 MDT